On the second-to-last Monday of 2010, Brian Byrd was playing video poker on his Dell Inspiron laptop when someone knocked on the door of his home in Casper, Wyoming. The visitor, who drove a truck from the local Aaron's rent-to-own store that furnished the PC five months earlier, said the 25-year-old Byrd was behind in his payments and demanded he pay up at once. He then brandished a picture that was about to cause a national privacy uproar.

The image showed Byrd on his home couch using the very laptop in question to play online poker. The employee was also privy to a screenshot of the website Byrd's PC was displaying the moment the photo was surreptitiously taken, along with keystrokes he was entering while visiting a website. When Byrd demanded an explanation, the employee, identified in a police report as 24-year-old Christopher Mendoza, said he wasn't supposed to answer. But he went on to disclose that the PC contained software that allowed Aaron's employees to track its physical location and remotely activate its webcam and capture screenshots and keystrokes. Mendoza, according to court records, left the premises after Byrd produced a copy of a receipt showing the laptop had been paid for in full on October 1.

After Byrd discussed the encounter with his wife Crystal, the couple recalled several recent occasions in which the computer had exhibited odd behavior. For the past three weeks or so, they told a police investigator, the laptop displayed a mysterious screen that prompted them for their name, address, phone number, and other details. More troubling was the light next to the webcam that was inexplicably illuminated even when neither of the Byrds was shooting video or photos. The couple soon realized that for more than a month, someone had been using the laptop to remotely spy on them. Nowhere in the terms of the rental agreement the Byrds signed was there any mention that the machine could be remotely monitored.

Adding to the couple's outrage was the recollection from two days earlier, on one of the occasions when Crystal saw the mysterious light. About to take a shower, she had been wearing just her underwear when she decided to quickly hop online to check her college course grades.

"The Byrd's were upset that their privacy had been intruded on and someone was likely looking at C. Byrd while she was undressed," a Casper Police officer identified as L. Starnes wrote in the report. "The Byrd's [sic] wanted to know why Aaron's was using software to look at them when the computer was paid off."

Rent to be pwned

Brian and Crystal Byrd weren't the only ones interested in the secret spy feature. In September, the US Federal Trade Commission secured an agreement that settled accusations that seven rent-to-own (RTO) stores and a software design firm surreptitiously captured end users' most intimate moments. The charges of unfair and deceptive gathering of consumers' personal information stemmed from the use of PC Rental Agent, a software package that is also the subject of a federal lawsuit accusing Pennsylvania-based DesignerWare, the rent-to-own stores, and their corporate parent of violating federal wiretap statutes.

As its name suggests, PC Rental Agent was designed to streamline the administration of computers offered by rent-to-own stores, which sell or rent furniture, appliances, and other merchandise to consumers, often in exchange for weekly payments until they are paid off. By default, the program includes functionality that allows store employees to wipe PC hard drives at the press of a key. The feature is used to permanently remove confidential data left by one customer before the machine is given to a new customer. PC Rental Agent also includes a "kill switch" that allows computers to be remotely disabled. Store managers can invoke the switch in the event that the machine is stolen or a customer fails to make payments as promised. Activating the feature makes the PCs unusable, in theory creating an incentive for delinquent end users to pay up.

As the Byrds learned first-hand, the program included yet another feature: a backdoor that allowed a store manager to remotely install a powerful spyware module that can surreptitiously track the location of the PC, collect pictures every two minutes of whoever was in front of the PC's built-in webcam, and capture keystrokes along with screenshots of whatever was being displayed on their monitors. When activated, this so-called "Detective Mode" operated at various levels. The first siphoned a screenshot and 30 characters worth of key strokes every two minutes for an hour. It then used DesignerWare servers to attach the data to e-mails that were sent to a designated manager—dubbed the "master account holder" in Designerware parlance—at the RTO store that issued the machine.

A second level collected a screenshot and keystrokes every two minutes until a command was issued for the collection to stop. A third level worked the same as Level 2, except that it snapped a picture of whoever happened to be in view of a PC's built-in webcam. It also displayed a fake software registration screen that prompted end users for personal information. Detective Mode had been updated in September, 2011 to make it possible to pinpoint a PC's geographic location by collecting the machine's IP address and the names of nearby wireless networks.

According to court records, a training manual DesignerWare provided its customers contained an admonition that said: "Caution, using Level#3 (prompting of the webcam) may alert the user because most webcams have a light that will flash briefly when activated. Also, prompting for information may make them suspicious. Therefore, it is best to try the less intrusive methods first (Level# 1 & 2)."

Nowhere in the manual is there any advice that the customers should be notified that PC Rental Agent can be augmented to surreptitiously spy on whoever is using the PC.

According to court documents, Detective Mode was surreptitiously loaded onto the Byrds' laptop no later than November 16, 2010. On 347 occasions on 11 different days between then and December 20, it collected webcam images, communications, and screenshots and zapped them by e-mail to a manager at an Aaron's Sales and Leasing store located just five miles from the Byrd's home. Within hours of the encounter with Mendoza, the Byrds reported the secret monitoring to the Casper Police Department. Five months later, they filed a civil complaint in federal court in the Western District of Pennsylvania that seeks class-action status, so other customers may also join the action.

No one claims to know how many PCs were monitored by PC Rental Agent. In the six months prior to the May 2011 filing of the complaint—which is all the data DesignerWare officials claim to have—the firm received requests to install Detective Mode on 650 computers leased by stores owned by Aaron's Inc. Sales and Leasing, according to sworn testimony provided in the case. That's about 0.6 percent of the 92,000 Aaron's PCs that used the software. The figures don't include PC Rental Agent-equipped machines leased by other companies or that used the software in the previous five-and-a-half years that it was available. In all, about 500 individual Aaron's stores in 48 states licensed the program.

In sworn testimony, DesignerWare cofounder Tim Kelly—who is also the software developer who wrote the code for PC Rental Agent and its Detective Mode module—said he never required licensees to disclose the Detective Mode capabilities to their customers. During the same May 2011 hearing, he went on to acknowledge the following response, posted to the DesignerWare website, to a question asking whether customers should be notified of PC Rental Agent:

That's up to you. Some rental dealers like to make renters aware thinking it will deter them from forcing them to activate the agent, others don't reveal it." But he went on to say he required customers in his stores to sign an addendum. It stated: "You also explicitly acknowledge, understand and agree that if the computer is reported as stolen, lost or missing or if your rental contract expires, _______________ may install a monitoring/tracking component on the computer which is intended to furnish photographic and other information concerning the location and user of the computer solely in an attempt to locate and recover the computer.

The allegations contained in the complaint quickly got the attention of officials at the FTC and touched off a national debate about computer privacy.

Listing image by Aurich Lawson