Thousands of American consumers who rented computers from one of
the nation's largest rent-to-own firms were subjected to grotesque
and continuous invasions of privacy that secretly tracked their
locations and captured their login credentials for credit card and
other financial accounts, according to federal officials.
As troubling as that might be, it's not even the worst part.
This is: The spyware that hundreds of Aaron's Inc. stores secretly
inserted into those rented computers also activated webcams that
regularly snapped and surreptitiously transmitted photos of anyone
and anything within range of the computers.
Children. Pets. Possessions. And, yes, adults in various stages
of undress and engaged in what federal officials delicately call
This went on for at least three years, according to a
filed by the Federal Trade Commission. Aaron's corporate computers
harvested more than 145,000 secretly transmitted emails containing
consumers' private data and images, according to a separate
class-action lawsuit filed on behalf of consumers.
, Aaron's agreed to
settle federal charges
that it played "a direct and vital role" in the installation of the
software and the collection of the data by many of its 700
franchised stores. The Atlanta-based firm also operates 1,300
company-owned stores that were not directly implicated in the
consumer spying scandal.
As is common in such settlements, Aaron's didn't admit that it
did anything wrong, but it promised never to do it again.
"A spy camera in each customer's home," said Walter Dartland, a
former deputy attorney general of Florida and executive director of
the Consumer Federation of the Southeast, a nonprofit consumer
advocacy group. "So much for responsible business practices."
'Please dress appropriately'
The takeaway for Aaron's customers? "Please dress appropriately
when at home at all times," Dartland said.
The offenses were so provocative and egregious that federal
officials who normally comment in carefully modulated terms could
not contain themselves.
"Here's one that really takes the cake," Lisa Lake, an FTC
consumer education specialist, said in an FTC blog entry about the
"We'll spare you from having to ask, but, yes, the cameras
captured images of family interactions, people changing their
clothes, and other activities intended to remain private," Lesley
Fair, a senior attorney for the FTC's Bureau of Consumer
Protection, said in a briefing for -- and a warning to -- other
businesses. "The upshot: Consumers were injured by the unwarranted
invasion into the peaceful enjoyment of their homes."
Asked for comment about the FTC complaint, the settlement and
the shocking allegations, Garet Hayes, Aaron's director of public
relations, offered only this: "At this time, we aren't able to
provide further detail regarding this matter."
According to the FTC, the software that was secretly inserted
into the rental computers carried the seemingly benign name of "PC
Rental Agent," but it contained a particularly malignant feature
called "Detective Mode."
Secret recording details
The hidden program could remotely disable a computer, presumably
for lack of payment or if it were stolen. That's not so bad, but it
- Surreptitiously monitored the activities of computer users.
It logged keystrokes, including user names and keywords for
credit card and other financial websites, for email accounts, for
social media websites, etc. It captured screenshots of credit
card statements, other financial documents, medical records,
applications containing Social Security numbers and pretty much
- Secretly gathered and transmitted consumers' personal
information through the use of fake "software registration
- Tracked the physical location of rented computers using Wi-Fi
hotspot location data. Aaron's franchisees "used this illicitly
gathered data to assist in collecting past due payments and
recovering computers after default," according to the FTC
- Regularly snapped and transmitted photos, in some cases on a
regular, every-two-minute schedule. "Webcams operating secretly
inside computer users' homes took photographs of computer users
and anyone else within view of the camera," the complaint
reported. "These included images of minor children, as well as
individuals not fully clothed and engaged in intimate
The agency said that these invasive activities, taken together,
"generated an enormous volume of data," and consumers had no way of
defeating the malware program.
"Anyone renting these computers was unable to detect, let alone
uninstall, the software," Lake said.
Responding to a previous FTC complaint regarding the same
software, Aaron's asserted that the abuses rested solely on the
shoulders of its franchisees, but the most recent FTC complaint
demolished that argument.
The federal agency said that Aaron's corporate staff and
corporate computer network facilitated the franchisees' access to
and use of the software. The company also provided installation
tips and trouble-shooting advice regarding the software, the FTC
"If franchisees had problems installing the software, Aaron's
was right there to lend a hand," Fair said.
Company kept the data
Corporate-provided email accounts were used for the transmission of
Detective Mode data, according to the FTC complaint.
"Aaron's computer network was used to receive, store and access
upwards of 100,000 Detective Mode messages, including messages
containing private and confidential information about consumers who
rented computers from Aaron's franchises," the agency said.
"Aaron's has stored such messages on its computer network since at
Moreover, and particularly damning, Aaron's corporate executives
knew about the consumer spying operation and allowed it to remain
in place from at least 2009 until the beginning of 2012, according
to the FTC.
"Aaron's IT personnel were aware that company server space was
being used to store Detective Mode emails and knew what data those
emails contained," the complaint stated. "One IT employee who
reviewed Detective Mode images sent to a franchisee described the
program as 'very intrusive' in an email to Aaron's chief
FTC officials were particularly disturbed by that component of
"Just because the technology can doesn't always mean that the
business should," said Fair on behalf of the agency's Bureau of
Consumer Protection. "Before a company employs technology that
raises privacy concerns, shouldn't someone somewhere be asking the
question, 'Do we really want to be secretly taking pictures of our
customers in their homes, tracking them without consent or ...
insert the next potentially invasive tech development here?' "
Aaron's must destroy data
Under the consent agreement, Aaron's no longer can use monitoring
technology that captures keystrokes or screenshots or activates a
camera or microphone in a consumer's computer, unless the consumer
permits those activities during a technical support session. Any
tracking program that is installed on a rental computer must be
approved by the consumer.
In addition, Aaron's must delete and destroy all data it already
has collected improperly and is prohibited from using any of that
data in the collection of any consumer debt or default. Any
franchisees who do not cooperate in these matters could lose their
Though Aaron's also faces civil suits filed on behalf of some
customers -- and potential damages related to those lawsuits --
some consumer advocates said the action taken by the FTC did not go
far enough, largely because the agency's charter prohibits any
"It's bad enough that Aaron's corporate policies facilitated
franchisees in their installation of spyware, video spy cams and
keystroke trackers on consumer-rented computers," said Ed
Mierzwinski, consumer program director for U.S. PIRG, a Washington,
D.C.-based federation of state public interest research groups.
"But it is absolutely disgraceful that Aaron's then ignored
warnings of the practices, which weren't 'limited' to stealing
passwords and medical information, but also included watching
children's or intimate adult behavior," he said. "If the FTC
could only impose civil penalties for a first offense, we'd have a
lot less outrageous corporate behavior like this."
Dartland, the former deputy attorney general of Florida,
"The FTC response is not even a slap on the wrist," he said.
"What it means is that businesses can continue such practices until
they are caught and then know that there is no negative financial
impact on their bottom line."
Justin Bieber online fan site fined $1 million for
Banks' latest privacy invasion: retailer