Rent-to-Spy Highlights Need for Diligence

Aaron’s, Inc., a leading franchisee in the rent-to-own retail market, has agreed to settle FTC complaints[1] that it allowed its franchisees to install and use software to spy on customers.

In announcing the proposed settlement, the FTC explained that “Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.”

Aaron’s, Inc. is a leading rent-to-own retailer focusing on “residential furniture, consumer electronics, home appliances and accessories with more than 2,000 Company-operated and franchised stores in 48 states and Canada.” Aaron’s reports 1,190 Company-operated Aaron’s Sales and Lease Ownership stores, 717 Aaron’s Sales & Lease Ownership franchised stores, 78 HomeSmart stores, one franchised HomeSmart store, 17 Company-operated RIMCO stores, and six franchised RIMCO stores.

The allegations focus on the franchisees rather than Aaron’s own operations. Nonetheless, the complaint highlights that Aaron’s “allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.”

A proposed consent agreement with the FTC has been approved 4-0 by the Commission. Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Unfortunately, the consent agreement still allows Aaron’s to install tracking technology, provided the customer gives consent. Given the history of such abuse, Aaron’s should be prohibited from using tracking software at all. Consent does little or nothing to affect consumer behavior; companies that have violated the public trust should be prohibited from seeking such illusory permission to continue to abuse their customers.

The risks of allowing opt-in consent are highlighted by another provision of the proposed consent decree:

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.

The proposed agreement will be subject to public comment through Nov. 21, 2013.[2] If opt-in consent is insufficient, then perhaps the Commission can be convinced.


[1] The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

[2] Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

  • John C. (Jack) Greiner, attorney, Graydon Head

  • Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

  • Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

  • Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

  • Jon M. Garon, NKU Chase College of Law

Data Security: Breach Notification Law Issues [pdf]

  • Jennifer Orr Mitchell, Dinsmore & Shohl LLP

Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South From the South: I-71/75 North … to I-275 West. Take first exit (Exit No. 2 – Mineola Pike). Left turn onto Mineola Pike crossing over I-275. Right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves East in Kentucky and go about 22 miles all the way past the Greater Cincinnati Airport until you get to Exit No. 2 – Mineola Pike. Right turn onto Mineola Pike. Then right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track:  CincyIP and Frost Brown Todd. 

Industrial Internet reshapes the “Internet of Things”

The Internet of Things, a term coined in 1999, relates to a world in which all objects are connected wirelessly to the Internet and therefore to each other. The model requires each device to have RFID or other near field communications technology to communicate, sharing information about the identity, status, activities, and other attributes of the device. Partnered with big data analytics, the information from these devices can paint a robust picture of how objects interact in the world and how people interact with them.

This week, the model was supercharged. According to a report in the New York Times, General Electric hopes to transform this model with what it terms the “Industrial Internet.”

The so-called Industrial Internet involves putting different kinds of sensors, sometimes by the thousands, in machines and the places they work, then remotely monitoring performance to maximize profitability. G.E., one of the world’s biggest makers of equipment for power generation, aviation, health care, and oil and gas extraction, has been one of its biggest promoters. … The executive in charge of the project for G.E. … said that by next year almost all equipment made by the company will have sensors and Big Data software.

Emerging technology allows devices to distribute usage and telemetry data, to receive instructions, to interact with other equipment, and to serve as the communications bridge extending network coverage so that the devices themselves expand the network on which the equipment communicates. The implications are quite interesting.

Perhaps the most important aspect of the development affects critical infrastructure – the fundamental systems operating our water, power, rail, and telecom infrastructure. Properly secured and interactive, the elements of our aging infrastructure could begin to trouble-spot and eventually provide small repairs without the need for 24-hour crews.

GE’s present equipment tends to be large devices, ranging from jet engines to MRI machines. But the concept could well extend to automobiles, bicycles, phones, cameras, and even clothing. Equipped automobiles, for example, could report mechanical efficiency for every system in the car. They could also share vehicle telemetry, providing a real-time map of how each car was driving in relation to every other car driving on the road. The information could be used to alert a driver to road hazards, to dangerous weather conditions, or to the driver’s weaving. The information could alert police to the same conditions and behaviors.

In the workplace, the Industrial Internet will improve automation, which helps retain U.S. manufacturing but probably at the cost of fewer workers doing more specialized work. It should also be employed to improve worker safety but could easily be adapted to create a workplace in which every movement was tracked. With Industrial Internet name badges, doors would lock and unlock in response to the presence of authorized personnel, but the data analytics would also be able to see which employees spent the most time with which of their peers, and correlate such interactions with post-interaction productivity. Schools could similarly track student movements and behaviors, identifying which resources and faculty were actually utilized and which of those impacted learning outcomes – for better or worse.

Existing rules for workplace and education environments do not take the pervasive nature of the Industrial Internet into account. Assumptions that privacy is a zone around one’s home and person have little relevance to a cloud of data points broadcasting a picture of each person and how that person interacts.

The FTC has taken small steps to explore these issues and regulate obvious abuses, but legislators need to do much more. Absent legislation, current NSA practices will vacuum this data into its Orwellian data trove.

The Industrial Internet promises to translate the Internet of Things into very practical, valuable industrial improvements. Safer planes, smarter cars, more efficient homes all improve people’s lives. Proper regulation will encourage those uses while protecting civil liberties and privacy and guarding against overreach. Perhaps we can craft the policies to avoid the outrage rather than in response to it.