- The Washington Times - Monday, January 7, 2008

Sears Holdings Corp., the largest U.S. department store company, with both the Sears and Kmart nameplates, is under fire for installing what critics say is spyware on customers’ computers when they join its online community.

Privacy advocates say the program violates federal trade regulations.

The software installed on users’ computers tracks every Web site visit, search, purchase or other transaction, including e-mail, and submits details to an online market research company.

The company said it goes to “great lengths” to disclose the nature of the program.

Ben Edelman, a privacy specialist and Harvard Business School assistant professor, said Sears’ program, called “My SHC Community,” falls short of Federal Trade Commission standards required for disclosure of such software.

“The FTC requires that, before any such tracking programs are installed, consumers give ‘express consent,’ ” Mr. Edelman said, quoting from a recent commission settlement with two spyware vendors.

“That means [Sears has] to ‘clearly and prominently disclose’ anything ‘material’ about the program. … That disclosure has to be ‘unavoidable’ and take place ‘prior to … and separate from,’ any final licensing agreement,” he added.

“Sears clearly is falling short of those requirements,” Mr. Edelman said, calling the failure “remarkable” and “very brazen.”

Spyware researcher Benjamin Googins, of Islandia, N.Y.-based CA Inc., who first blogged about the issue, pointed out that the software sends data about consumers’ Internet activity not to Sears’ Web site, but to a site registered to ComScore Inc., a Reston-based online market-research firm.

He called it a violation of the promise in the SHC Community’s privacy policy that the information is transmitted to “our servers.”

Mr. Googins said that the coding in the ComScore software package Sears was installing was “directly” and “genetically” related to coding used by other spyware programs CA had identified.

“This software is all related and shows signs that it was created by the same group,” he said.

No one from Sears could be reached yesterday for comment, but the vice president of My SHC Community responded last week to online critics, saying that only a small number of those who joined the community had their Internet activity tracked in the fashion that Mr. Googins and Mr. Edelman described, and that the company “goes to great lengths to describe the tracking aspect for those members” subject to it.

“Any potential tracked member is given very clear explanations throughout the registration process concerning the purpose of the community, what ‘tracking’ means, what software will be downloaded, [and] what will be done with the data,” Rob Harles said in a statement e-mailed to Mr. Googins and posted on Mr. Googins’ blog.

He added that the community’s privacy policy “clearly discloses that data may be shared with service providers. ComScore is simply a service provider to Sears Holdings.”

Mr. Edelman said potential users are informed about the tracking software in two instances, neither of which meets FTC standards.

“The only really clear notice is in the e-mail [that those expressing an interest receive from the community.] It lacks the required specificity — and it is not ‘unavoidable,’ as the FTC requires because it appears midway through a paragraph, without a heading.”


