Share this article

print logo

Rental business Aaron’s admits role in spying on customers

ATLANTA – After firmly denying that it used software on its rent-to-own computers to spy on customers – including capturing passwords, sensitive financial information and images of private intimate moments – Atlanta-based Aaron’s has owned up to the practice in a settlement with the Federal Trade Commission.

The agency last week said the company – one of the nation’s biggest rental businesses with 1,880 locations in 48 states – admitted that it “knowingly played a direct and vital role in its franchisees’ installation and use of software” to secretly collect data from customers. The company also stored the captured data on its servers and shared collected information with franchisees.

The revelation comes as Aaron’s fights at least four class- action lawsuits over the spying, with plaintiffs numbering in the thousands. One of the biggest suits, Byrd vs. Aaron’s Inc., involves at least 900 plaintiffs and claims that hundreds of thousands of images, screen shots, logins and computer serial numbers were illegally obtained between 2008 and 2011.

The FTC focused on Aaron’s after investigating Designerware LLC, a Pennsylvania company that provided Aaron’s software, called PC Rental Agent. The software was included on laptops and desktops so Aaron’s and its franchisees could recover unreturned computer equipment.

The software, however, was turned on – regardless of customers’ rental status – and monitored keystrokes, captured screenshots and activated computer webcams. It also included “deceptive ‘software registration’ screens designed to get computer users to provide personal information,” the FTC said.

“The FTC settlement is promising news for consumers,” said Maury Herman, a lawyer in the Byrd case. “The government’s work confirms the troubling findings of our civil litigation. Too few consumers are aware of this type of spyware. We advocate further investigation, better consumer awareness and privacy reforms.”

In an email, Aaron’s spokeswoman Garet Hayes said, “At this time, we aren’t able to provide further detail regarding this matter.”

But in July, the company referred to earlier statements that it disagreed with the claims and that it would vigorously defend itself.

“Aaron’s Inc. respects our customers’ privacy,” the statement said. “Not one of our 1,300-plus company-operated stores has used PC Rental Agent or any other product developed by Designerware LLC. The customers referenced in recent filings in the Byrd litigation are customers of certain independently owned and operated Aaron’s franchisees and are not customers of Aaron’s Inc. The referenced Designerware emails were caused by actions taken by the certain franchisees, not Aaron’s Inc.”

As part of the settlement, Aaron’s is prohibited from using monitoring technology except to provide technical support requested by a customer and has been ordered to delete or destroy information it improperly collected.

The agreement also prevents Aaron’s from using information it obtained for debt, money or property collection, and it requires the company to conduct annual monitoring and oversight of its franchisees, the FTC said. Lawsuits have alleged that the data collected included more than 180,000 pieces of customer information, such as passwords to emails, social media websites and financial institutions; medical records; and Social Security numbers.

The suits also claim that pictures of children, partially clothed individuals, and couples in intimate moments were also taken.

The ruling did not include any monetary damages, a FTC spokesman said. But violations following the settlement could cost the company up to $16,000 per infraction.

“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” Jessica Rich, director of the agency’s Bureau of Consumer Protection, said in a statement announcing the settlement. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”

David Barton, the principal of the Atlanta-based cybersecurity firm UHY LLC, said the FTC made the right call. Aaron’s use of the software for its intended purpose – to recover unreturned computers – was proper. Beyond that, the company was crossing the line, he said.

“The consumers didn’t know the software was on the machines,” he said. “The way [the software] was used was not germane to the business purpose.”