Sears has been caught installing spyware that silently tracks all Internet usage – including banking logins, e-mail, and all web sites visited – in the name of a nonexistent online “community,” with virtually no disclosure of the invasive nature of the software. In fact, most people would not be aware that any software had been installed. Be careful out there!
Sears.com and KMart.com have been offering a chance to sign up for “My SHC Community,” ostensibly for a chance to give feedback to the retailers in a “dynamic and highly interactive on-line community.” After harvesting your personal information – name, e-mail, address, city, state, and age – software is silently installed with no indication onscreen that it has been installed or is continuously running. The “community” then disappears with no followup – no e-mail, no online forums, no popups, nothing – apparently in the hope that most people will forget about it.
The software is actually intercepting all Internet traffic from that computer and filtering it through a proxy server. According to one researcher, the proxy:
- 1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
- 2. Monitors secure sessions (websites beginning with �https’), which may include shopping or banking sites.
- 3. Records and transmits “the pace and style with which you enter information online…”
- 4. Parses the header section of personal emails.
- 5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.
The “privacy policy” supplied by Sears says:
“The personal information that you give myshccommunity.com when you register as well as any personal information that you give during the completion of a communication is stored in a confidential database owned by myshccommunity.com and is never delivered to a client. myshccommunity.com never sells your personal information to any company for any reason.”
In fact, all information is sent to ComScore, a well-known sleazy third-party marketing research firm.
Noted spyware researcher Ben Edelman goes through the details of the Sears privacy policy and disclosures. They’re completely inadequate and can only have been designed to conceal the true purpose of the “community.” The disclosures, such as they are, are buried in 2,971 words of text in a small scroll box requiring 54 on-screen pages to view in full. (In fact, this researcher noticed that the privacy policy had been rewritten after his first look to make it even more vague.) The names of the third parties – ComScore and others – are concealed. There’s no “Cancel” button once the installation starts.
Bad stuff. Sears is currently still trying to defend itself, although there’s enough of a fuss that I think you’ll see it step back and change the program to “clarify” things, or perhaps just kill it and walk away before things get worse.
It doesn’t help that Mr. Edelman discovered a massive security hole in another Sears database, allowing you to obtain information about all the purchases made by anyone from Sears just by entering their name, street address and phone number. A complete violation of Sears’ privacy policy, of course, and a pretty stupid blunder for a major retailer. The hole has been closed now but it should never have existed in the first place.
We all have to be alert when we’re online, although an incident like this doesn’t mean we should be suspicious of all retailers, just Sears in particular. Although, come to think of it, I haven’t trusted Sears for a long time.
