Rent-to-own business uses spyware to covertly collect large amounts of sensitive personal information for recovery of missing laptops

PIPEDA Report of Findings # 2013-016

In early 2012, we learned that several rent-to-own companies in Canada were allegedly using a spyware application called “Detective Mode” to covertly trace missing laptop computers.

The software, supplied and supported by U.S.-based DesignerWare Inc., could be installed and remotely activated in leased laptops, where it was designed to surreptitiously collect keystrokes, contact information, screenshots, webcam photographs and other information. The data could be sent back to the rental company to aid in the recovery of laptops the company believed to be lost or stolen.

In consultation with the U.S. Federal Trade Commission, the Commissioner determined that she had reasonable grounds to initiate a complaint against a Canadian franchisee of the large, publicly traded rent-to-own company Aaron’s Inc. These grounds included credible evidence that the franchisee had requested the activation of Detective Mode on 30 occasions during a six-month period.

In our complaint, we alleged that a reasonable person would not consider that the recovery of missing computers justified the use of Detective Mode software. Moreover, we alleged that the indiscriminate nature of Detective Mode surveillance resulted in the collection of more information than necessary for the intended purpose.

Our investigation revealed that the franchisee in question was no longer using Detective Mode. However, it had done so in the past for the purposes of laptop computer recovery.

The franchisee claimed that its record-deletion practices made it impossible to determine the exact number of times Detective Mode was used. The franchisee did, however, confirm that it had requested at least five activations during a single week. The activations were prompted by the company’s belief that an individual had absconded with a leased laptop without making all the required payments.

The franchisee stated that four of the five activations were successful in tracing the missing goods.

We found that the four successful activations of Detective Mode resulted in the collection of hundreds of pages of records containing sensitive personal information. These included a webcam photograph of a user, as well as e-mail addresses, home addresses, phone numbers, and personal messages to family members and friends. There were also screen shots of social networking site pages that included pictures of children, as well as posted messages and other Internet content.

The data was surreptitiously collected using the laptop’s webcam, recordings of user keystrokes, and even a fictitious operating system registration page.

None of the names and other contact details collected in this manner corresponded with names of the individuals who allegedly disappeared with the leased laptops. It is not known how these laptop users came into possession of the devices.

We concluded that the company’s indiscriminate use of Detective Mode surveillance resulted in the collection of more personal information than required for the purposes of laptop recovery.

Our investigation also revealed, with some concern to us, that Detective Mode is fully capable of capturing an image of a child in her room, or the banking user ID and password of another innocent third party. When the software is activated, the franchisee has no way to predict what information it will collect.

While we understand the franchisee’s desire to protect its inventory through the use of Detective Mode, we found that the resulting loss of privacy was disproportionate to the rental company’s potential financial benefit. Indeed, it is difficult to imagine a business objective that could justify this kind of indiscriminate and surreptitious collection of personal information.

Presented with our findings, the franchisee promised to delete all remaining personal information from its records as soon as possible. It also undertook never to use this kind of spyware again.

Consequently, we determined our complaint to be well founded and resolved.

Following our investigation, we sent a copy of our Report of Findings to dozens of other rent-to-own companies that we had reason to believe may have also been using Detective Mode. We took this step to inform them of our Office’s position on the use of such spyware and to encourage them to take proactive measures to ensure compliance with PIPEDA.

We will continue to monitor the Canadian market for the use of software of this nature.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. On August 24, 2012, the Office of the Privacy Commissioner of Canada initiated a complaint, pursuant to subsection 11(2) of the Act, with respect to the organization doing business as Aaron’s Saskatoon, having reasonable grounds to believe that the company was collecting and using personal information in a manner contrary to the Act. The legal identity of the respondent has since been determined to be ACI Holdings, Inc. (the “respondent”).
2. Based on information gathered prior to our investigation, some of which was provided to our Office by the U.S. Federal Trade Commission (“FTC”) using its authority under the U.S. SAFE WEB Act, the Commissioner had reasonable grounds to believe that the respondent was using software called “Detective Mode” in order to:
   1. collect and use certain personal information for a purpose which a reasonable person would not consider to be appropriate, namely to recover stolen leased laptop computers, contrary to subsection 5(3) of the Act; and
   2. collect more personal information than necessary for the purposes of recovering stolen laptops, contrary to Principle 4.4 of Schedule 1 of the Act.
3. The two issues identified above were the focus of this investigation.

Background

4. The respondent is a privately held Canadian company, incorporated in Saskatchewan, which operates two Aaron’s, Inc. (“Aaron’s”) franchise stores: one in Saskatoon, Saskatchewan and another in Edmonton, Alberta. Through these rent-to-own stores, the respondent leases laptop computers, as well as other items.
5. Aaron’s is a publicly traded US-based company engaged in the lease of furniture and electronics through both company-owned and franchised stores located in the United States, Canada and other countries.
6. In the course of its rent-to-own business, the respondent employed software called “PC Rental Agent”. PC Rental Agent is software that allows a rent-to-own lessor such as the respondent to lock-down a computer in the event of a lessee’s breach of a lease agreement. PC Rental Agent also allows for the remote installation and activation of an add-on program called “Detective Mode”, which collects certain personal information to assist with the recovery of computers that the lessor believes to have been lost or stolen.
7. Detective Mode was, at all times relevant to this complaint and investigation, developed, supplied and supported by DesignerWare, Inc. (“DesignerWare”), a Pennsylvania-based company.
8. Detective Mode was designed to collect certain information from a lost or stolen laptop, and to forward that information via the Internet to the lessor to assist with laptop recovery. Detective Mode offered three levels of operation which could be chosen at the discretion of the lessor:
   1. “Level 1” collected a screen shot and key strokes (i.e. keyboard keys depressed by the laptop user) every two minutes for one hour;
   2. “Level 2” collected ‘Level 1’ information every two minutes, indefinitely, until the lessor directed the collection to stop; and
   3. “Level 3” collected ‘Level 2’ information and froze the computer, displaying a pop-up window indicating that,

“****** This copy of Windows is not activated ******

Your license information needs to be saved to activate Microsoft Windows. Microsoft Windows will verify your address and postal code against valid locations to ensure you are NOT a victim of Piracy.”

Upon submission by the user of his or her name, address, phone number(s) and email address, a webcam photograph was taken of the user and forwarded, along with all entered information, to the lessor.

9. Each Detective Mode client was required to designate a “Master Account Holder” who, by virtue of a password, would be able to request Detective Mode activation on behalf of the lessor and would be the person to receive information collected via Detective Mode.

Summary of Investigation

10. Our investigation revealed that the respondent was a customer of DesignerWare since May 2008, and we have evidence demonstrating that, between November 2010, and May 2011, the respondent requested Detective Mode activation on at least thirty of its leased and allegedly stolen laptops.
11. The respondent confirmed to our Office that it did use Detective Mode to assist with recovery of lost and stolen laptops, but that it ceased using the application sometime in May 2011.
12. According to the respondent, records generated by Detective Mode were generally deleted by it on an ongoing basis during the period that the software was being used, and most of the remaining records were purged within a short period of time after it ceased using the software. The respondent therefore claims that it cannot confirm the exact number of times it requested activation of Detective Mode between November 2010, and May 2011.
13. The respondent also claims, however, that it conducted a comprehensive search of computer and archived email records which identified that it requested activation of Detective Mode on at least five occasions during the specified six month period. More specifically, records indicate that these five confirmed activations were requested during a one week period between November 3^rd and November 9^th, 2010.
14. The respondent indicated to our Office that each of its five confirmed activation requests was initiated for the purpose of attempting to locate a customer and retrieve a laptop after the customer ceased payments. The respondent further claims that in each of these cases, Detective Mode was only employed after attempts to contact the customer by phone, mail, and visits to the last known address were unsuccessful, and Detective Mode activation was never requested for any other purpose.
15. Our investigation revealed that four of the respondent’s five confirmed Detective Mode activation requests resulted in the installation of Detective Mode on the missing laptop and the collection of personal information from the user(s) thereof. The respondent provided copies of what it represents to be all records collected as a result of these four activations (the “Detective Mode Records”). These records totalled 388 pages, including activation-related administrative notifications from DesignerWare to the Master Account Holder. Personal information collected from laptop users as a result of Detective Mode activations included:
    1. via webcam—a photo of the laptop user;
    2. via keystroke collection and collection through the activation of the imitation “Microsoft Registration” page—email addresses, home addresses, phone numbers, personal messages to family members and friends, etc.; and
    3. via screen shots—social networking site pages (i.e. including pictures of users and users’ children, friends and other family, as well as posted messages) and other internet content.
16. Based on information collected by Detective Mode (e.g. name and contact details), not one of the users from whom that information was collected appears to have been the actual laptop lessee. It is unknown how each of these users came into possession of an allegedly stolen laptop.
17. In each of the four confirmed cases in which Detective Mode was successfully activated, the laptop was ultimately recovered. The respondent indicates that it has no records that would allow it to explain: (i) how the laptops were recovered or (ii) what, if any, information collected using Detective Mode actually facilitated laptop recovery.
18. The respondent indicated that it ceased using Detective Mode in May 2011. The respondent further confirmed that since that date, it has not employed any software to recover lost or stolen laptops and has reverted to the use of conventional recovery measures (e.g. calls and visits to last known lessee phone number and address).
19. In response to our concerns, the respondent has undertaken not to use software like Detective Mode (i.e. software that surreptitiously collects key strokes, screen shots or webcam photos) in the future.
20. The respondent informed us that it is unable to delete all Detective Mode Records as such records are currently stored on Aaron’s servers in the United States, and are being retained by Aaron’s as a result of ongoing litigation. The respondent has, however, obtained written confirmation from Aaron’s that it:
    1. has severed the respondent’s access to all Detective Mode Records on its servers, and
    2. will delete all Detective Mode Records on its servers as soon as it is legally permitted to do so.

Application

21. In making our determinations, we applied subsection 5(3) and paragraph 7(1)(b) of the Act, as well as Principles 4.4, 4.4.1 and 4.4.2 of Schedule 1 of the Act.
22. Subsection 5(3) provides that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate under the circumstances.
23. Paragraph 7(1)(b) states that an organization may collect personal information without the knowledge or consent of the individual if the collection is reasonable for purposes related to investigating a breach of an agreement and it is reasonable to expect that collecting with the knowledge or consent of the individual would compromise the availability or accuracy of the information.
24. Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization and that information shall be collected by fair and lawful means. More specifically, Principle 4.4.1 provides that organizations shall not collect personal information indiscriminately and that both the amount and type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Principle 4.4.2 further requires that personal information be collected without misleading or deceiving individuals about the purpose for which information is being collected.

Analysis

Appropriateness of Purposes

25. In determining whether the respondent’s purposes for collecting and using personal information in the circumstances were reasonably appropriate under subsection 5(3) of the Act, our Office found it useful to apply the four-part test we have applied in other circumstances:
    1. Is the collection of personal information via the surveillance measures in question demonstrably necessary to meet a specific need?
    2. Is that collection likely to be effective in meeting that need?
    3. Is the loss of privacy proportional to the benefit gained?
    4. Is there a less privacy-invasive way of achieving the same end?
26. While the use of Detective Mode could be effective in addressing the respondent’s stated objective of recovering stolen laptops, it is not clear to us that the resulting covert collection of personal information is demonstrably necessary, or the least privacy-invasive way, to achieve this objective. In fact, the respondent has, as explained in paragraph 18, reverted to the use of more conventional, less privacy-invasive measures to recover laptops. Furthermore, the respondent, like many other rent-to-own companies, has engaged and continues to engage in the rental of furniture and equipment other than laptops without the benefit of covert surveillance software to aid in theft recovery.
27. In our view, it is clear that the loss of privacy resulting from the use of Detective Mode in this context is vastly disproportionate to the possible benefits to be gained. Each of the respondent’s four confirmed activations resulted in the covert collection and use of personal information from individuals other than the lessee who allegedly absconded with the laptop. The respondent collected not only location and other contact information from these laptop users but also pictures of the users, users’ children and other family members and friends, as well as excerpts of personal conversations, various websites visited and content viewed by the user. Furthermore, the records provided to our Office by the respondent represent collections resulting from only four activations during a single one-week period, which in our view, suggests that the total number of activations, and thus the amount of laptop users’ personal information collected by the respondent, greatly exceeded that which was confirmed by the respondent.
28. This is consistent with the results of an investigation by the FTC regarding similar issues arising in the United States. On September 25, 2012, the FTC publicized its issuance of draft complaints against several respondents, including DesignerWare, and its principals, and seven American rent-to-own stores (the “FTC Draft Complaints”). The FTC’s Draft Complaints alleged that respondents had violated U.S. law and focused upon the use of Detective Mode by the American rent-to-own stores. The FTC Draft Complaints alleged that the respondents had collected highly sensitive personal information “such as user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home”.
29. Detective Mode allows for the indiscriminate and covert surveillance of users, often in their own homes, regardless of their age or relationship to the lessor. Our investigation revealed in this case that the use of Detective Mode resulted in the collection of vast amounts of sometimes highly sensitive personal information from individuals without their consent or even their knowledge. We therefore find that a reasonable person would not, pursuant to subsection 5(3), consider appropriate the purposes for which Detective Mode was employed by the respondent.
30. Given this conclusion, we have not considered whether the respondent may or may not have attempted to obtain consent for use of Detective Mode. Subsection 5(3) of PIPEDA provides for an objective standard against which all collection, use or disclosure of personal information is measured, independent of whether an individual consents to that collection, use or disclosure. Accordingly, even the collection of personal information with an individual’s consent may violate PIPEDA where it is done for a purpose deemed inappropriate pursuant to subsection 5(3).
31. For the same reasons, we have not considered whether the exception to the requirement for consent outlined under paragraph 7(1)(b) of the Act would apply.

Limiting Collection

32. Our investigation revealed that the respondent, like any lessor using Detective Mode, was unable to control the nature of, or persons from whom, information was collected. Detective Mode may have collected certain information useful to the respondent’s intended purpose but webcam photos, keystrokes and screenshots were collected even though they would expectedly and inevitably include personal information over and above that necessary for laptop recovery.
33. As noted above, in the circumstances of this complaint, the respondent collected not only location and other contact information from laptop users, but also pictures of children and other family members and friends, as well as excerpts of personal conversations, various websites visited and content viewed by the user.
34. Furthermore, the respondent was unable to determine from whom it would collect information when requesting Detective Mode activation. The user at the time of activation could have been the laptop lessee or a thief, but could just as easily have been a child or an uninformed purchaser. In fact, each of the respondent’s four confirmed activations resulted in collection of personal information from an individual other than the lessee who allegedly stole the laptop.
35. Based on the results of our investigation, we find that contrary to Principles 4.4 and 4.4.1 of Schedule 1 of the Act, the indiscriminate manner in which personal information was collected using Detective Mode resulted in the collection of more personal information than was necessary for the purposes of laptop recovery.
36. Furthermore, we are of the view that the personal information collected using the imitation “Microsoft Windows Registration” page was obtained under false pretenses. The information provided by users for the purposes of verifying Windows licensing was, in fact, forwarded to the lessor for use in assisting with laptop recovery. In our view, any personal information collected in this manner was obtained through deception, and as such, in contravention of Principle 4.4, as further clarified by Principle 4.4.2 of Schedule 1 of the Act.

Conclusion

37. Based on the results of our investigation and the above analysis, in respect of the respondent’s use of Detective Mode for the purposes of leased laptop recovery, we have determined that the respondent contravened the Act by: (i) collecting personal information for a purpose which a reasonable person would not consider appropriate under the circumstances, and (ii) collecting more information than necessary for its identified purpose. In response to our concerns, the respondent has undertaken not to use software similar to Detective Mode (i.e. software that surreptitiously collects key strokes, screen shots or webcam photos) in the future and has obtained confirmation from Aaron’s that it: (i) has severed the respondents access to all Detective Mode Records on its servers and (ii) will delete those records as soon as it is legally permitted to do so. As a result, we find this complaint to be well-founded and resolved.

Other

38. On September 25, 2012, subsequent to the commencement of this investigation, the FTC issued nine Proposed Consent Orders. The Proposed Consent Orders against DesignerWare would, in part, ban DesignerWare from using - as well as licensing, selling or otherwise providing domestic or international third parties with - monitoring technology, including Detective Mode, in connection with rent-to-own transactions. The Proposed Consent Orders against the rent to own companies included both a ban on the use of monitoring technology and a prohibition on using improperly collected information in connection with collections.