Seven computer rental companies and a software developer have settled federal charges that they spied on customers. Developed by the now-defunct DesignerWare LLC, PC Rental Agent was installed on as many as 420,000 computers by more than 1,617 rent-to-own stores in the US, Canada and Australia to help track and recover computers if they were stolen, if the customer fell behind on payments or other such scenarios.
However, as the Federal Trade Commission (FTC) outlines in its complaint (PDF), the software stepped well beyond those boundaries. PC Rental Agent had a "Detective Mode" that could log the key strokes of users, capture screenshots and take pictures with the computer's webcam. Naturally, this resulted in the illegal collection of many private details -- details that weren't even relevant to the software's supposed purpose.
Detective Mode recorded data every two minutes then forwarded it to DesignerWare where it was passed on to licensees by unencrypted means. That list of personal information includes the usernames and passwords to email accounts, social media sites and financial institutions, medical records, social security numbers, as well as images of partially clothed individuals and folks engaged in sexual activity. The FTC also noted that the software illegally gathered geolocation data without users' consent.
In addition to harvesting data behind the scenes, Detective Mode could be used to trick people into providing their contact and address information with a bogus form. To unsuspecting users, the fake window would appear to be an official registration prompt from legitimate software such as Microsoft Windows, Internet Explorer or Yahoo Messenger and it requested information including the user's name, address, email address and phone number. Users couldn't close the window without completing the form.
For whatever it's worth, DesignerWare supposedly never viewed the data. The FTC's proposed settlement bans the software maker and rent-to-own companies from using invasive and deceptive means of gathering information about customers. Additionally, the stores involved in this case will be unable to use the data for debt collection and their records will be monitored by the FTC for the next 20 years. There is no mention of monetary penalties. The settlement is open to public comment until October 25.