Sears found to be using spyware to track visitors

mjh

Security researchers are criticizing retailer Sears for not adequately describing its efforts to track the behaviors of those who provide the company with their contact information.

The process begins after the customer provides Sears.com with an e-mail address. An e-mail will appear in the customer's inbox inviting them to join a program called "My SHC Community."

Sears says participating in the program is on the customer's terms, and discloses in the e-mail that it will ask the user to download software from its partner VoiceFive. Terms in the software say that the company will confidentially track users' browsing habits.

However, what Sears' e-mail doesn't disclose is that it not only tracks browsing behavior on Sears.com, but all data on where participants go on the Web. Disclosure of this does not appear until a user scrolls through a large portion of the privacy statement and user license agreement.

There, what Sears says it will track may be troubling to some: The software "monitors all of the Internet behavior that occurs on the computer on which you install the application, including ... filling a shopping basket, completing an application form, or checking your ... personal financial or health information."

The VoiceFive software comes from TMRG, which is not mentioned in any of the literature provided by Sears. Packet sniffing led researchers to believe that the software uses comScore technology to track user habits.

With the convoluted method in which Sears discloses the behavior of its software, it may actually run afoul of FTC regulations regarding spyware disclosure. The agency requires any tracking software to be clearly explained, which the retailer does not do, researchers argue.

"The Sears SHC installation of ComScore falls far short of these rules. The limited SHC disclosure provided by email lacks the required specificity as to the nature, purpose, and effects of the ComScore software," spyware expert Benjamin Edelman wrote on his blog Tuesday.

"Nor is that disclosure 'unavoidable,' in that the key text appears midway through a paragraph, without a heading or even a topic sentence to alert users to the important (albeit vague) information that follows."

In its defense, Sears said it "goes to great lengths" to disclose the nature of its program, a claim that Edelman "emphatically" disagreed with.

I don't appreciate when companies do this, but I have spoken with people who said they really don't mind.

What do you think?
 

MixMasterTang

I think it needs to be clearly explained to the user, and then if the user agrees and at least somewhat understands what all it is going to monitor then it would be fine. I also think that they should be required to mention that the program will always be running in the background of their computer and will be taking away from memory and CPU resources.

With all that being said I don't know anyone in their right mind who would agree. ;)
 

Fern

To each his own.

Personally, I don't like this stuff at ALL. I'm more concerned with corporate America's spying program than the Patriot Act.

I really really doubt that anyone who understands what this program does would agree to it.

And if not adequately explained, I'm for penalties against the company (Sears in this case) and damages for the individuals for the invasion of their privacy.

Fern
 

Vic

Sounds like they're in blatant non-compliance with federal privacy rules, which include tracking software and cookies installed on computers, disclosure of which must be prominent and can't just be buried in a EULA or TOS, and for which a customer opt-out must be available.
So no, I'm not okay with it. If this is true, Sears and/or its partners are breaking the law.
 

Rainsford

Originally posted by: Vic
Sounds like they're in blatant non-compliance with federal privacy rules, which include tracking software and cookies installed on computers, disclosure of which must be prominent and can't just be buried in a EULA or TOS, and for which a customer opt-out must be available.
So no, I'm not okay with it. If this is true, Sears and/or its partners are breaking the law.

And how many people think ANYONE at Sears is going to jail over this? Hell, I'm willing to bet they don't even get fined in the long run. It's like all that Sony rootkit bullshit...nobody really cares. And it's easy to blame companies or the government, but the real problem is that nobody is going to stop shopping at Sears, just like nobody stopped buying Sony products...and you can be damned sure that nobody is going to vote against politicians who support corporate immunity.
 

jackschmittusa

I am one who has boycotted Sony since the rootkit fiasco. I emailed them to tell them. I occasionally send an update, telling them of all of the products that I have bought that are not their brand. But yes, I do feel like a voice in the wilderness.

Depending on how Sears handles this, they may be next.
 

JD50

Originally posted by: Rainsford
Originally posted by: Vic
Sounds like they're in blatant non-compliance with federal privacy rules, which include tracking software and cookies installed on computers, disclosure of which must be prominent and can't just be buried in a EULA or TOS, and for which a customer opt-out must be available.
So no, I'm not okay with it. If this is true, Sears and/or its partners are breaking the law.

And how many people think ANYONE at Sears is going to jail over this? Hell, I'm willing to bet they don't even get fined in the long run. It's like all that Sony rootkit bullshit...nobody really cares. And it's easy to blame companies or the government, but the real problem is that nobody is going to stop shopping at Sears, just like nobody stopped buying Sony products...and you can be damned sure that nobody is going to vote against politicians who support corporate immunity.

sad but true.
 

Kadarin

Originally posted by: JD50
Originally posted by: Rainsford
Originally posted by: Vic
Sounds like they're in blatant non-compliance with federal privacy rules, which include tracking software and cookies installed on computers, disclosure of which must be prominent and can't just be buried in a EULA or TOS, and for which a customer opt-out must be available.
So no, I'm not okay with it. If this is true, Sears and/or its partners are breaking the law.

And how many people think ANYONE at Sears is going to jail over this? Hell, I'm willing to bet they don't even get fined in the long run. It's like all that Sony rootkit bullshit...nobody really cares. And it's easy to blame companies or the government, but the real problem is that nobody is going to stop shopping at Sears, just like nobody stopped buying Sony products...and you can be damned sure that nobody is going to vote against politicians who support corporate immunity.

sad but true.

Agreed. Corporate accountability seems to be a dead concept these days.
 

1EZduzit

http://www.pcworld.com/article...0918-pg,1/article.html

Another one:

Sears: Come see the softer side of spyware

.
.
.
The story goes like this: late last year, Sears.com and Kmart.com began asking users if they wanted to participate in a "community" online (presumably a community made up of Sears and Kmart aficionados). In late December, security researcher Benjamin Googins at Computer Associates noticed, however, that the "community" actually installed software from comScore, a market research firm, in order to track the web activities of the sites' visitors.

Googins stated on his company's blog that Sears had installed spyware which transmitted everything - "including banking logins, email, and all other forms of Internet usage" - to comScore for analysis. This was all allegedly done with no notice that anything was being installed, and it ran contrary to documentation about the community that said any data collected would stay within Sears' hands at all times.

But wait, there's more! In an update to his original post, Googins noted that Sears actually offers a slightly different privacy policy - via the same URL - to compromised computers versus those that have yet to install the software. "If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned-down version (like 'provide superior service')," he wrote.

Surprisingly, Sears VP Rob Harles responded to Googins' original post, stating that the company "goes to great lengths to describe the tracking aspect." He claims that "clear notice" is provided to users multiple times throughout the sign-up process. The "community" continued on.
.
.
.
 

RightIsWrong

What a farce. This is why you use something like BlackIce Defender so that you know when you are sending anything out that you are not aware of.

Stupid spyware creators should all be rounded up and forced to listen to Celine Dion, Michael Bolton and Cher on an infinite loop for 6 month intervals.

Damn it....there goes my protesting torture stance. Ah phuck it....those asshats truly deserve it.
 

blackangst1

I agree with everyone that this is a bad bad thing.

Being a PC security buff myself, I know it could never/would never be installed on mine or any of my friend's family's PC...but it seems a lot of people use an AV, many have a firewall, and although not enough, many use anti rootkit/spyware scanners. So, my question is this: how will Sears coerce ALL these companies to exclude this rootkit in search or protection results? Seems to me the only people who this could affect are those naive enough to not surf without protection.

Just my POV.