Computers provided to consumers by Aaron’s rental chain have components that collect sensitive information and can secretly take webcam photos of customers who use the devices, according to a lawsuit filed by a Wyoming couple Tuesday against the Atlanta-based retailer.
In a statement, however, Aaron’s denied that any of its 1,140 corporate stores has used the component or done business with the company that produces it. The computer in question was leased from an independently owned and operated Aaron’s franchisee, the company said.
“Aaron’s respects its customers’ privacy and has not authorized any of its corporate stores to install software that can activate a customer’s webcam, capture screenshots or track keystrokes,” the company said in the statement.
Legal experts said Aaron’s would be within its rights to put a “kill-switch” into rented computers to shut them down if a customer failed to pay his or her bill, but the company has to notify consumers.
A consumer rights advocate told The Atlanta Journal-Constitution the allegations, if true, were “alarming.”
The suit contends an alleged cyber-snooping component called PC Rental Agent was soldered or otherwise installed inside a Dell laptop that Brad and Crystal Byrd of Casper, Wyo., leased last year. The device came to light only after the manager of an Aaron’s outlet in Casper came to the couple’s home last December to repossess the laptop.
The manager, who mistakenly believed the Byrds hadn’t paid off the computer, showed the couple a photo taken by the machine’s webcam of the husband using the computer at home, according to the suit that was filed in U.S. District Court in Erie, Pa.
The manager of the store later told the Byrds, according to the suit, that “he was not supposed to disclose that Aaron’s had the photograph.”
The spying component was allegedly manufactured by Pennsylvania firm Designerware LLC, which is also named in the suit, along with Aaron’s franchisee Aspen Way Enterprises.
Byrd said the store manager likely showed him the picture because he “was just trying to throw his weight around and get an easy repossession.” The Byrds contacted police, who have determined the image was shot with the help of spying software.
“It feels like we were pretty much invaded, like somebody else was in our house,” Byrd said. “It’s a weird feeling, I can’t really describe it. I had to sit down for a minute after he showed me that picture.”
Paul Stephens, director of policy and advocacy at San Diego-based Privacy Rights Clearinghouse, said the alleged “spy chip” and software are “among the most outrageous” breaches of consumer privacy he’s ever seen.
“Essentially they’ve installed spyware, but a very pernicious spyware,” Stephens said.
Two attorneys who are experts on computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it’s difficult to tell if either was broken, though both agree the alleged actions might have gone too far.
Peter Swire, an Ohio State University professor, said using a software “kill switch” is legal because companies can protect themselves from fraud and other crimes.
“But this action sounds like it’s stretching the self-defense exception pretty far,” Swire said, because the software “was gathering lots of data that isn’t needed for self-protection.”
Fred Cate, an information law professor at Indiana University, agreed that consent is required but said the real question might be: “Whose consent?”
Courts have allowed employers to record employee phone calls because the employers own the phones. Similar questions arise as digital technology becomes more omnipresent, Cate said.
“Should Google let you know they store your search terms? Should Apple let you know they store your location? Should your employer let you know ‘We store your e-mail?’” Cate said.
According to the company, 13 percent of the Aaron’s sales and leasing revenue in 2010 came from computers. The company had record profits of $44.4 million in this year’s first quarter.
The Byrds are seeking unspecified damages and attorneys’ fees. The privacy act allows for a penalty of $10,000 or $100 per day per violation, plus punitive damages and other costs, the lawsuit said.
The Associated Press contributed to this article.
About the Author
