Security Bytes

Jan 4 2008   1:05PM GMT

Why is Sears tracking users’ Internet activity?

David Schneier David Schneier Profile: David Schneier

It seems that Sears, which sells just about everything under the sun, has decided to get into the spyware business too. The retail giant recently has come under fire from a researcher at CA who discovered that Sears’ Web site installs a nifty piece of tracking software developed by ComScore on the machines of some people who join the company’s My SHC community. The researcher, Benjamin Googins, describes in great detail on CA’s security blog exactly what the software does, how little notice gives users about the program’s capabilities and how much data it collects.

Here is a summary of what the software does and how it is used. The proxy:

  • 1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
  • 2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
  • 3. Records and transmits “the pace and style with which you enter information online…”
  • 4. Parses the header section of personal emails.
  • 5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.

In addition, My SHC Community requires a variety of personal information during registration – like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.

Sounds a whole lot like spyware, no? Googins thought so, and even details which portions of CA’s Anti-Spyware Scorecard the software violates. A company VP responded to Googins by saying that the software is part of an initiative at Sears “to improve our customers’ Internet experience and help guide the future development of Community.” Users must be invited to participate in the program and, the Sears spokesman argues, “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation. Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy and user licensing agreement.”

Googins responded in turn by essentially taking apart Sears’ arguments piece by piece and showing screenshots of the signup process on the Web site and the consent notice, such as it is. Bad, right? It gets worse. The CA posting caught the attention of Benjamin Edelman, an assistant professor at Harvard Business School who specializes in spyware and its revenue models. He did his own analysis of the Sears software and installation process and came to the same conclusion that Googins did: “Sears’ claims of adequate notice are demonstrably false. The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC’s installation of ComScore did nothing of the kind.”

How this differs from the tactics that companies such as DirectRevenue and others have been using for years is unclear to me. This is not 1999 and it’s implausible for any company of the size and sophistication of Sears to claim that this is all a simple misunderstanding. Without clear notice of the software’s capabilities and disclosure of what the collected data will be used for, this is spyware, plain and simple.

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • R Burns
    OMG! Only from the company that uses the solgan, and also used by Tye Pennington from Home Makeover "That America Trusts!" I have shopped with them all my life and it continues to get worse there every year. Now that KMart owns them what else can happen... Also remember that for years KMart ones one of the leaders in the industry when it comes to data with their Teradata systems. Not that they ever really used it very effectively......
    0 pointsBadges:
  • Stop Flashplayer Cookies
    Why focus on SEARS? Where is any discussion of Adobe/Macromedia's secret Flashplayer cookies that are TOTALLY INVASIVE and SECRET?? Let's see some pressure put onto Adobe/Macromedia to put a stop to their Flashplayer cookie snooping. If you don't know about Flash cookies, do a search on your hard drive for *.sol and prepare to be surprised and maybe PI$$#D !! Then contact Adobe and tell them they need to issue a patch for the Flashplayer that puts TOTAL CONTROL of COOKIES into the hands of the end-user instead of (1) hiding their snoop-mechanisms & (2) once end-users discover them, forcing us to go over to and change settings through some interface ON the site! Enough is enough. People need to start growing a backbone where PRIVACY and SECURITY are concerned.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: