How Vicious Spyware Contaminated Australian Rental Computers

How Vicious Spyware Contaminated Australian Rental Computers

Between business leases and home office setups, hundreds of thousands of PCs are rented every year in Australia. And, it turns out, a huge chunk of them have absurdly invasive, incredibly dangerous spyware preinstalled — by the company that rents them.

Here are the main players: DesignerWare is a software company that provides a program called PC Rental Agent to rent-to-own computer stores. The main issue is a feature of that program called “Detective Mode” that allows administrators to spy on keystrokes and access basically every component of the computers, including the camera. It was installed and activated on every computer with PC Rental Agent — without disclosing it to the owner.

By the US Federal Trade Commission’s count, “as of August 2011, approximately 1617 rent-to-own stores in the United States, Canada and Australia have licensed PC Rental Agent. PC Rental Agent has been installed on approximately 420,000 computers worldwide.” That’s a lot of spyware. The FTC claims that, since at least 2007, DesignerWare has made Detective Mode available to every single one of them. Now, thankfully, DesignerWare and seven of the companies it supplied software to have agreed to settle with the FTC over multiple charges.

Sounds bad, right? Well it gets worse. According to the FTC, this is the next step for your gathered data:

DesignerWare’s servers send data captured by Detective Mode, unencrypted,

directly to the email accounts designated by its licensees.

Obviously, that represents a massive breach of privacy. And probably an illegal one. Keylogging tracks every single keystroke on your computer, so using software designed to pick out patterns, and especially with unencrypted data, anyone could just go through and find your credit card numbers and security codes, your email and passwords, your social security number, or anything else you’ve ever typed into your computer.

Nearly as disturbing as the granular level at which DesignerWare was spying on customers is the lengths its software went to fool people into thinking it was legitimate. For example, it used a “Software Instillation” popup box that was literally unclosable until a user entered contact information like phone number, home address, and email address, which was then transmitted back to the rental company. No software was ever installed — it was purely there to trick people into giving up their information. That soft of subterfuge goes beyond even the “our customers are basically criminals, and we should be allowed to treat them as such” thesis of the tracking software.

And all that would would be terrible enough. But then, in Semptember of last year, DesignerWare took the spying even further and began automatically logging the Wi-Fi login points of every computer with a login card. It then cross-referenced that with the location of those hotspots, and logged the physical location of every computer. It’s like the Locationgate scandal from last year — where mobile phone companies were accused of tracking your every move by triangulating your signal — just decidedly on purpose, and just five months after the original iSpy mess happened.

In retrospect, that was an especially aggressive move, because it came just months after DesignerWare had been fighting off class-action allegations over illegal practices. And not just a little illegal, but breaking “federal wiretapping, privacy and consumer protection laws” illegal.

On the surface, DesignerWare seems like maybe it’s old news. There have been plenty of other repair-man pervs who have installed spyware to peep at naked people. But this isn’t just some jerk with a script and a screwdriver. This is the institutionalisation of software that allows companies to install software without their customers’ knowledge that can peer directly into the deepest recesses of their online lives. And for a lot of us, that kind of local, not even account-bound knowledge of what we do on the internet is the worst fate of all.

So this case is important. If DesignerWare had been allowed to hold up its ostensible, flaccid argument about tracking down deadbeat renters, it would have been a farce. But the fact that it has been doing this for five years — DesignerWare had been in court as recently as May of last year — and is only just now being reigned in is still fairly nuts. So yes, this is a win for, well, sanity, but hopefully it’s also a good precedent for fast tracking this kind of obvious digital exploitation through a court system that still doesn’t totally understand it.