It seems that Sears, which sells just about everything under the sun, has decided to get into the spyware business too. The retail giant has recently come under fire from a researcher at CA who discovered that Sears’ Web site installs a nifty piece of tracking software developed by ComScore on the machines of some people who join the company’s My SHC community. The researcher, Benjamin Googins, describes in great detail on CA’s security blog exactly what the software does, how little notice Sears.com gives users about the program’s capabilities, and how much data it collects.
Here is a summary of what the software does and how it is used. The proxy:
1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
3. Records and transmits “the pace and style with which you enter information online…”
4. Parses the header section of personal emails.
5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.
In addition, My SHC Community requires a variety of personal information during registration – like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.
Googins responded in turn by essentially taking apart Sears’ arguments piece by piece and showing screenshots of the signup process on the Web site and the consent notice, such as it is. Bad, right? It gets worse. The CA posting caught the attention of Benjamin Edelman, an assistant professor at Harvard Business School who specializes in spyware and its revenue models. He did his own analysis of the Sears software and installation process and came to the same conclusion that Googins did: “Sears’ claims of adequate notice are demonstrably false. The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC’s installation of ComScore did nothing of the kind.”
How this differs from the tactics that companies such as DirectRevenue and others have been using for years is unclear to me. This is not 1999 and it’s implausible for any company of the size and sophistication of Sears to claim that this is all a simple misunderstanding. Without clear notice of the software’s capabilities and disclosure of what the collected data will be used for, this is spyware, plain and simple.