Researcher Accuses Sears of Spreading Spyware
A Harvard researcher is criticizing Sears of failing to meet FTC guidelines with marketing software it installs on users' PCs.

PC World
Wednesday, January 2, 2008 10:19 AM

Sears and Kmart customers who sign up for a new marketing program may be giving up more private information than they'd bargained for, a prominent anti-spyware researcher claims.

According to Harvard Business School Assistant Professor Ben Edelman, Sears Holdings' My SHC Community program falls short of U.S. Federal Trade Commission (FTC) standards by failing to notify users exactly what happens when they download the company's marketing software.

And given the invasive nature of the product, Sears has an obligation to make its behavior clearer to users. "The software is not something you'd want on your computer or the computer of anyone you care about," Edelman said in an interview. "It tracks every site you go to, every search you make, every product you buy, and every product you look at but don't buy. It's just spooky."

Edelman has posted ananalysisof Sears's software describing its operation and his concerns.

Problems with the retailer's My SHC Community program were first brought to light in late December, when CA senior engineer Benjamin Googinswrote a blog entrycriticizing the software, which was written byVoiceFive, a subsidiary of Internet measurement firmComScore.

Sears launched the My SHC Community in March, intending it to be a vehicle for customers who want a voice in the company's direction. "It's still kind of in its early days," said Rob Harles, vice president of MY SHC Community, in an interview conducted prior to Edelman's post. "It's mainly used right now for research, but what we want to do is open it up so it's creating dialogue with our customers."

Sears Holdings, the owner of the Sears Roebuck and Kmart department stores is the third-largest retailer in the U.S.

Sears offers members $10, and a chance to win one of several sweepstakes as an extra incentive to join the program.

But in return, a small percentage of members must install extremely invasive software.

According to Googins, the product monitors not only all of the user's Web traffic, but also keeps track of secure sessions such as visits to bank sites, sniffs through email headers, and then sends that information to a ComScore.

While Googins called the software "a significant threat to privacy," Harles doesn't see it that way. First off, he said that members can join the community with or without the tracking software and that less than 10 percent of the members have signed up for the tracking program.

And those who get the tracking software installed have all personally identifying information scrubbed by ComScore, and are informed of exactly what's going on, he added.

Harles sent Googlins a detailed rebuttal to his claims, which the CA researcher haspublished on his blog.

Edelman said Monday the Sears executive is simply wrong. "The comments from... Rob Harles are remarkable," he said via e-mail. "Exactly contrary to actual facts, as best I can tell."

Sears does disclose that it is installing tracking software, but doesn't do enough to make sure that users have seen these disclosures before they download the program, Edelman said in his analysis.

"The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms," he wrote. "SHC's installation of ComScore did nothing of the kind."  

In an interview, Harles said that Sears had no immediate plans to change its disclosure policies, but he did say that My SHC Community would undoubtedly evolve in some ways.

This isn't the first time ComScore's software has been in the news. In June, Edelman documented how they company's tracking software was being installed on some PCs without consent.

"Why so many problems for ComScore?" Edelman wrote in his latest blog posting. "The basic challenge is that users don't want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore's software entails. There's no good reason why users should share information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users' PCs."

© 2008 PC World Communications, Inc. All rights reserved