Aaron’s settles spying complaint with FTC


The story so far

May 2011 – A Wyoming couple files suit against Aaron’s, claiming that cybersnooping software called PC Rental Agent was installed in a Dell laptop computer they had rented from one of the chain’s franchisees. Aaron’s denied the accusations, saying it “respects its customers’ privacy.”

September 2012 – The Federal Trade Commission settles spying claims against the maker of PC Rental Agent, Designerware LLC, as well as seven of Aaron’s rent-to-own franchisees. The settlement bars the software maker and the franchisees from further spying. Aaron’s, itself, was not part of the FTC matter.

March – The Atlanta Journal-Constitution reports that a number of class-action lawsuits have been filed against Aaron’s concerning the allegations of cyberspying on the company’s customers, including one in Georgia. The suits allege that more than 180,000 pieces of ill-gotten customer information were being stored on Aaron’s computers. Captured information, the suits said, included passwords to emails, social media websites and financial institutions; medical records; Social Security numbers; and photos of children, partially clothed individuals and couples engaged in intimate moments.

Tuesday – Aaron’s settles with the FTC on charges that it knowingly spied on customers.

What’s next – Four class-action lawsuits, involving thousands of plaintiffs, still have not been resolved.

The original version of this story misstated the terms of the settlement. This is a corrected version of the story.

Atlanta-based Aaron’s settled on Tuesday charges by the Federal Trade Commission that the rent-to-own giant’s computers contained software that allowed it to collect unauthorized information from customers.

The FTC said Aaron’s — one of the nation’s biggest rental businesses with 1,880 locations in 48 states — “knowingly played a direct and vital role in its franchisees’ installation and use of software” to secretly collect data from customers. The company also stored the captured data on its servers and shared collected information with franchisees.

In the settlement agreement, Aaron’s did not admit or deny the allegations.

The settlement comes as Aaron’s fights at least four class-action lawsuits over the spying, with plaintiffs numbering in the thousands. One of the biggest suits, Byrd vs. Aaron’s Inc., involves at least 900 plaintiffs and claims that hundreds of thousands of images, screen shots, logins, and computer serial numbers were illegally obtained between 2008 and 2011.

The FTC focused on Aaron’s after investigating Designerware LLC, a Pennsylvania company that provided Aaron’s software, called PC Rental Agent. The software was included on laptops and desktops so Aaron’s and its franchisees could recover unreturned computer equipment.

According to the FTC complaint, the software was turned on — regardless of customers’ rental status — and monitored keystrokes, captured screenshots and activated computer webcams. It also included “deceptive ‘software registration’ screens designed to get computer users to provide personal information.”

“The FTC settlement is promising news for consumers,” said Maury Herman, a lawyer in the Byrd case. “The government’s work confirms the troubling findings of our civil litigation. Too few consumers are aware of this type of spyware. We advocate further investigation, better consumer awareness and privacy reforms.”

In an email to The Atlanta Journal-Constitution, Aaron’s spokeswoman Garet Hayes said, “At this time, we aren’t able to provide further detail regarding this matter.”

But in July, the company referred to earlier statements that it disagreed with the claims and that it would vigorously defend itself.

“Aaron’s, Inc. respects our customers’ privacy,” the statement said. “Not one of our 1,300-plus company-operated stores has used PC Rental Agent or any other product developed by Designerware LLC. The customers referenced in recent filings in the Byrd litigation are customers of certain independently owned and operated Aaron’s franchisees and are not customers of Aaron’s, Inc. The referenced Designerware emails were caused by actions taken by the certain franchisees, not Aaron’s, Inc.”

As part of the settlement, Aaron’s is prohibited from using monitoring technology except to provide technical support requested by a customer and has been ordered to delete or destroy information it improperly collected.

The agreement also prevents Aaron’s from using information it obtained for debt, money or property collection, and it requires the company to conduct annual monitoring and oversight of its franchisees, the FTC said. Lawsuits have alleged that the data collected included more than 180,000 pieces of customer information, such as passwords to emails, social media websites and financial institutions; medical records; and Social Security numbers. The suits also claim that pictures of children, partially clothed individuals and couples in intimate moments were taken.

The ruling did not include any monetary damages, an FTC spokesman said. But violations following the settlement could cost the company up to $16,000 per infraction.

“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” Jessica Rich, director of the agency’s Bureau of Consumer Protection, said in a statement announcing the settlement. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”

David Barton, the principal of the Atlanta-based cybersecurity firm UHY LLC, said the FTC made the right call. Aaron’s use of the software for its intended purpose — to recover unreturned computers — was proper. Beyond that, the company was crossing the line, he said.

“The consumers didn’t know the software was on the machines,” he said. “The way (the software) was used was not germane to the business purpose.”

While Aaron’s problems are isolated, Barton thinks it could be part of a bigger conversation on spying, especially as more and more companies lend equipment to employees that can be tracked. Employees have been terminated because they were carrying equipment such as cellphones that tracked them to places other than where they told supervisors they would be.

“It’s a huge issue, and there hasn’t been enough case law to sort this out,” he said. “There is a lot of gray area about what should be done and what shouldn’t be done.”