IT Security: Drive-by downloads? How about drive-home monitoring?

The Byrds rented (or leased - for some reason the terms are used interchangeably despite the clear legal differences between the two) a Dell laptop from a company called Aaron's Inc. The Byrds allege that the manager of a franchised outlet told them that it installs monitoring software on all of its rental computers so as to monitor the location and use of computers in the event of default. The Byrds say that the security software was not disclosed to them.

On the face of it, sympathy lies with the Byrds: after all, their privacy has undoubtedly been violated ( a word that is rarely appropriate despite being widely used in the US when "breached" would be a far more suitable term). When, according to Aaron's franchised outlet, the Byrds defaulted on their payments, the shop manager showed them a photograph of Bryan Byrd sitting (presumably dressed) on a settee playing on-line poker. The authorities have not yet, it seems, picked up on that little admission. The photo, it is alleged, was taken not automatically by the laptop and sent to Aaron's but by remote activation from Aaron's.

Aaron's is a franchised operation with some 1,500 shops across the USA and Canada. The Byrds have issued proceedings alleging the breach of the federal Electronic Communications Privacy Act by intercepting electronic communications.

That's a stretch: hired hardware has a tiny device called PC Rental Agent fitted to the motherboard on computers that - after all - Aaron's (or, more properly, its franchisee) owns when the device and its associated software is installed.

But the Byrds say that, under the agreement, they were required to make the final payment for the laptop in mid November but that, in fact, they paid it off early - on 1 October. But it was on 22 December that the Aaron's representative visited them, claimed they were in default, and produced the photo. The Byrds refused to hand over the laptop to Aaron's - but immediately called the police and gave it to them, asking them to investigate how the photograph came to be in the hands of an Aaron's employee.

There are a number of media reports of the case: one alleges that, once the system is remotely activated, it takes a photo, sends it to a clearing house and it is then distributed around all Aaron's outlets as part of an anti-fraud, anti-defaulter procedure. It's intended as a measure to protect the chain and its franchisees from those who order goods and then don't pay for them.

Much in this case will be determined on timing and on the fact as to when, if at all, the final payment was made and the computer became owned outright by the Byrds. Also of importance is the issue of whether, once a computer has passed into the ownership of the (former) hirer, Aaron's should notify them and / or disable the software. In fact, more may depend on business systems and practices than on the use of the system when the computer is first rented out.

Aaron's Inc. has not been slow to react: as soon as news outlets began to carry the story, it published the following on its website: "Concerning the recent allegations regarding customer privacy and Aaron’s, Robin Loudermilk, CEO and President of Aaron’s issued the following statement:"Aaron’s cares about our customers – this is the value we’ve built our business on for more than 55 years. Aaron’s customers can be assured that we’re taking this allegation very seriously. We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns.""