from the this-again? dept
However, in a similar story, a Wisconsin couple has apparently sued Aaron's Inc. for spying on them. Aaron's is a giant "rent-to-own" retailer, offering furniture, electronics and computers on a rent-to-own basis. In this case, the couple had rented a Dell laptop from the company, and later discovered that it had sneaky monitoring software on it which they were unaware of... but which was used to turn on the laptop's webcam and take pictures of the family without them knowing about it.
The only way they found out was that a store manager came to take back the computer, incorrectly believing the couple had not paid their bill (they had). When he showed up, he showed them a photo he had, which was taken from the webcam, which (understandably) freaked out the couple. They asked him how he got the photo, and his response was that he wasn't supposed to show them the photo. Well, that's comforting. Apparently, the product that was used to do this monitoring was hardware based as well, meaning that it couldn't be detected or turned off via software.
The couple and their lawyers are seeking to turn this into a class action for all renters of computers from Aaron's that have this tracking technology. Also, the couple contacted the police, who apparently still have the computer, so I guess there's at least some review of whether or not this is a criminal matter. The AP article (linked in the paragraph above) has a short discussion on whether or not this effort violated either ECPA or the CFAA:
Two attorneys who are experts on the relevant computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it's difficult to tell if either was broken, though both agree the company went too far.It's no secret that both ECPA and CFAA have their problems, but it seems like this might be the type of case that those laws were more designed to cover -- though, that definitely depends on some of the details which haven't come out yet.
Peter Swire, an Ohio State professor, said using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.
"But this action sounds like it's stretching the self-defense exception pretty far," Swire said, because the software "was gathering lots of data that isn't needed for self-protection."
Further, Swire said the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."
Fred Cate, an information law professor at Indiana University agrees that consent is required but said the real question might be: "Whose consent?"