Thousands of American consumers who rented computers from one of the nation's largest rent-to-own firms were subjected to grotesque and continuous invasions of privacy that secretly tracked their locations and captured their login credentials for credit card and other financial accounts, according to federal officials.
As troubling as that might be, it's not even the worst part. This is: The spyware that hundreds of Aaron's Inc. stores secretly inserted into those rented computers also activated webcams that regularly snapped and surreptitiously transmitted photos of anyone and anything within range of the computers.
Children. Pets. Possessions. And, yes, adults in various stages of undress and engaged in what federal officials delicately call "intimate activities."
This went on for at least three years, according to a complaint filed by the Federal Trade Commission. Aaron's corporate computers harvested more than 145,000 secretly transmitted emails containing consumers' private data and images, according to a separate class-action lawsuit filed on behalf of consumers.
This week, Aaron's agreed to settle federal charges that it played "a direct and vital role" in the installation of the software and the collection of the data by many of its 700 franchised stores. The Atlanta-based firm also operates 1,300 company-owned stores that were not directly implicated in the consumer spying scandal.
As is common in such settlements, Aaron's didn't admit that it did anything wrong, but it promised never to do it again.
"A spy camera in each customer's home," said Walter Dartland, a former deputy attorney general of Florida and executive director of the Consumer Federation of the Southeast, a nonprofit consumer advocacy group. "So much for responsible business practices."
'Please dress appropriately'
The takeaway for Aaron's customers? "Please dress appropriately when at home at all times," Dartland said.
The offenses were so provocative and egregious that federal officials who normally comment in carefully modulated terms could not contain themselves.
"Here's one that really takes the cake," Lisa Lake, an FTC consumer education specialist, said in an FTC blog entry about the case.
"We'll spare you from having to ask, but, yes, the cameras captured images of family interactions, people changing their clothes, and other activities intended to remain private," Lesley Fair, a senior attorney for the FTC's Bureau of Consumer Protection, said in a briefing for -- and a warning to -- other businesses. "The upshot: Consumers were injured by the unwarranted invasion into the peaceful enjoyment of their homes."
Asked for comment about the FTC complaint, the settlement and the shocking allegations, Garet Hayes, Aaron's director of public relations, offered only this: "At this time, we aren't able to provide further detail regarding this matter."
According to the FTC, the software that was secretly inserted into the rental computers carried the seemingly benign name of "PC Rental Agent," but it contained a particularly malignant feature called "Detective Mode."
Secret recording details
The hidden program could remotely disable a computer, presumably for lack of payment or if it were stolen. That's not so bad, but it also:
- Surreptitiously monitored the activities of computer users. It logged keystrokes, including user names and keywords for credit card and other financial websites, for email accounts, for social media websites, etc. It captured screenshots of credit card statements, other financial documents, medical records, applications containing Social Security numbers and pretty much everything else.
- Secretly gathered and transmitted consumers' personal information through the use of fake "software registration windows."
- Tracked the physical location of rented computers using Wi-Fi hotspot location data. Aaron's franchisees "used this illicitly gathered data to assist in collecting past due payments and recovering computers after default," according to the FTC complaint.
- Regularly snapped and transmitted photos, in some cases on a regular, every-two-minute schedule. "Webcams operating secretly inside computer users' homes took photographs of computer users and anyone else within view of the camera," the complaint reported. "These included images of minor children, as well as individuals not fully clothed and engaged in intimate conduct."
The agency said that these invasive activities, taken together, "generated an enormous volume of data," and consumers had no way of defeating the malware program.
"Anyone renting these computers was unable to detect, let alone uninstall, the software," Lake said.
Responding to a previous FTC complaint regarding the same software, Aaron's asserted that the abuses rested solely on the shoulders of its franchisees, but the most recent FTC complaint demolished that argument.
The federal agency said that Aaron's corporate staff and corporate computer network facilitated the franchisees' access to and use of the software. The company also provided installation tips and trouble-shooting advice regarding the software, the FTC said.
"If franchisees had problems installing the software, Aaron's was right there to lend a hand," Fair said.
Company kept the data
Corporate-provided email accounts were used for the transmission of Detective Mode data, according to the FTC complaint.
"Aaron's computer network was used to receive, store and access upwards of 100,000 Detective Mode messages, including messages containing private and confidential information about consumers who rented computers from Aaron's franchises," the agency said. "Aaron's has stored such messages on its computer network since at least 2009."
Moreover, and particularly damning, Aaron's corporate executives knew about the consumer spying operation and allowed it to remain in place from at least 2009 until the beginning of 2012, according to the FTC.
"Aaron's IT personnel were aware that company server space was being used to store Detective Mode emails and knew what data those emails contained," the complaint stated. "One IT employee who reviewed Detective Mode images sent to a franchisee described the program as 'very intrusive' in an email to Aaron's chief information officer."
FTC officials were particularly disturbed by that component of the scandal.
"Just because the technology can doesn't always mean that the business should," said Fair on behalf of the agency's Bureau of Consumer Protection. "Before a company employs technology that raises privacy concerns, shouldn't someone somewhere be asking the question, 'Do we really want to be secretly taking pictures of our customers in their homes, tracking them without consent or ... insert the next potentially invasive tech development here?' "
Aaron's must destroy data
Under the consent agreement, Aaron's no longer can use monitoring technology that captures keystrokes or screenshots or activates a camera or microphone in a consumer's computer, unless the consumer permits those activities during a technical support session. Any tracking program that is installed on a rental computer must be approved by the consumer.
In addition, Aaron's must delete and destroy all data it already has collected improperly and is prohibited from using any of that data in the collection of any consumer debt or default. Any franchisees who do not cooperate in these matters could lose their franchise agreements.
Though Aaron's also faces civil suits filed on behalf of some customers -- and potential damages related to those lawsuits -- some consumer advocates said the action taken by the FTC did not go far enough, largely because the agency's charter prohibits any stronger punishment.
"It's bad enough that Aaron's corporate policies facilitated franchisees in their installation of spyware, video spy cams and keystroke trackers on consumer-rented computers," said Ed Mierzwinski, consumer program director for U.S. PIRG, a Washington, D.C.-based federation of state public interest research groups.
"But it is absolutely disgraceful that Aaron's then ignored warnings of the practices, which weren't 'limited' to stealing passwords and medical information, but also included watching children's or intimate adult behavior," he said. "If the FTC could only impose civil penalties for a first offense, we'd have a lot less outrageous corporate behavior like this."
Dartland, the former deputy attorney general of Florida, agreed.
"The FTC response is not even a slap on the wrist," he said. "What it means is that businesses can continue such practices until they are caught and then know that there is no negative financial impact on their bottom line."
See related: Justin Bieber online fan site fined $1 million for privacy invasions , Banks' latest privacy invasion: retailer tracking