Not everyone can afford to plunk down hundreds, or even thousands, of dollars on a laptop. And not everyone has to: There are rent-to-own computers, offered by rent-to-own outlets alongside refrigerators, televisions, and furniture. But unlike the couch or the mattress or the kitchen appliances, some of these laptops are loaded with remote kill switches that would disable the computer if renters were late with their payments.
In order to ensure recovery, the software company DesignerWare, LLC, added a little something extra to some of these computers—“Detective Mode,” an add-on to “PC Rental Agent,” which was, in 2011, already being used by 1,617 rent-to-own stores on 420,000 computers around in the world.
Detective Mode was spyware that captured keystrokes, screenshots, and even webcam pictures of unsuspecting users via the rented computers. On top of that, the laptops displayed fake software registration pop-ups that couldn’t be dismissed until users typed in their address, phone number, and e-mail—information that the store would use for collections later, if the renter fell behind.
In 2012, the Federal Trade Commission settled with seven companies over their undisclosed use of the Detective Mode software. “If the rent-to-own store wants more information, it can cause Detective Mode to record data every two minutes until prompted to stop doing so,” said the FTC complaint. “… In numerous instances, Detective Mode webcam activations have taken pictures of children, individuals not fully clothed, and couples engaged in sexual activities.”
Detective Mode was an extreme invasion of privacy, a mustache-twirling moment of villainy in the history of commercial surveillance. But the excesses of Detective Mode are just particularly unsavory examples of an increasingly prevalent trend in credit transactions—remote control of devices by lenders, that infringes on the privacy and security of the debtors.
While few lenders will go as far as to take naked pictures of their debtors, wherever there is an expensive device that can be easily absconded with, it makes sense for lenders to add both a kill switch and GPS. A New York Times story in 2014 looked at the increasing prevalence of starter interrupt devices—kill switches—in cars financed by subprime loans, reporting that the mechanisms had “reduced late payments to roughly 7 percent from nearly 29 percent.”
Lenders aren’t installing these devices because they’re interested in tracking their debtors’ every move; starter interrupt mechanisms are just an economical way to protect their investments. But even when lenders aren’t stooping to the kinds of skin-crawling extremes that warrant a FTC lawsuit, there’s something about these controls that feels dangerous and invasive. In the same 2014 report, the Times described how a woman in Austin, Texas, had fled her abusive husband, only to be tracked down by the subprime lender that had financed her car. By driving to the shelter, she had violated the loan agreement, which restricted her from driving outside of a four county radius. She was tracked down via GPS and her car was repossessed.
We owe this proliferation of lender kill switches to the convergence of two trends. One is the uptick in subprime lending, a phenomenon that received a great deal of attention during the 2008 home mortgage crisis, but less so when it came to movable property like cars and computers. And while subprime lending in the housing market has fallen off since the 2008 crisis, it has rebounded in other types of loans—auto loans, credit cards, personal loans.
Alongside this rise in subprime consumer lending, there has been a steady increase in the use of access controls in devices. What began with digital rights management for intellectual property has expanded into ever-stranger forms, like access controls for Keurig pods and self-cleaning cat litterboxes.
Mechanisms that prevent Keurig machines from using off-label coffee pods are annoying but relatively harmless. But the history of digital rights management (DRM) has always had a dark side. In 2005, security researchers found that the DRM protection on Sony BMG music CDs would install a rootkit if the CD were inserted into a user’s computer. A rootkit is malicious software that enables unauthorized access to a computer, while masking its own existence from the authorized user. It’s a tool for hackers, thieves, and nation-state adversaries. In the quest for perfect protection of Sony’s intellectual property, the company threw the privacy and security of their customers under the bus.
The Sony BMG rootkit incident was the first scandal of its kind, but it wouldn’t be the last. In 2014, several outlets reported that Adobe’s ebook reader was tracking readers’ habits and transmitting back unencrypted logs of those activities. It seemed as though wherever DRM went, privacy invasion followed.
DRM is intended to protect revenues from copyright infringement. But it doesn’t do just that, it transforms the relationship between consumers and software developers. Ebooks, video games, software, and other digital goods are increasingly distributed under licenses, rather than sold as outright property. (And although some files, like music, aren’t sold as licenses, they can’t be resold on a secondary market like regular property either.)
The law, working in tandem with DRM, shrank the very concept of ownership, allowing companies to force end-users into renter relationships. The average user owns very little of the digital world they inhabit. Today, companies like Adobe rent out their software on a monthly or annual basis—no exceptions.
These same patterns of ownership—or rather, non-ownership—in the digital world are creeping out into a physical world where home ownership is at a 30 year low, and where household and consumer debt has skyrocketed since 1980. People own less and owe more.
Access controls ensure that the possessions you lease or rent don’t belong to you, even as you bring them into the most intimate parts of your life. The controls make sure that the privacy and security of the debtor come second to the property rights of the lender.
Of course, when it comes to the enforcement of debt, the debtor’s dignity is always the first thing that comes under attack. Whether through repeated collection calls, or through a GPS tracking system, the creditor intrudes unapologetically into the debtor’s private sphere.
Technology may have merely made the creditor more powerful, but that power is nothing to sneeze at. Tracking systems—whether GPS-based, or otherwise—make sure that the property never truly leaves the creditor’s sight. And because it only takes the push of a button to deactivate a vehicle or a device whose leaser is in arrears, the property never really leaves the creditor’s grasp, either.
Surveillance has long been theorized as a way to control the surveilled—namely, by getting them to police themselves out of fear of being watched. But these technologies encode control directly alongside surveillance: a creditor can control their property even without controlling the debtor’s behavior. The kill switch pre-empts the Panopticon and renders it superfluous. And this groundbreaking improvement in social control is now installed in millions of automobiles across the country, waiting for a subprime lender to call for its assistance.