Friday, January 18, 2008

Come see the spyware side at Sears

The news late last year about a community Web site from Sears hasn't been good, and should be a sobering lesson for any would-be eCommerce merchant. Security researchers uncovered issues with the site, MySHCcommunity.com (Sears Holdings Company is what the buried acronym stands for). Users can "optionally" install some very pernicious spyware on their computers that will track their browsing history and purchases.

Harvard B-school professor Ben Edelman's blog describes the installation process in copious detail here.

Sears' documentation of exactly what information the software tracks is buried inside a license agreement that few will read, and even fewer will understand if they do. It is also, according to Edelman and others, misleading and potentially illegal. Ever wondered why companies that produce this spyware use different names? It is so consumers can't easily figure out what is being delivered to their PC. The MySHC software goes under different names, such as VoiceFive and TMRG, Inc., yet seems to be similar to ComScore's RelevantKnowledge affiliate marketing software.

So what can we all learn from this debacle?

First, protect your customers' privacy or you won't have any customers to worry about. Australia is just one of many places around the world that is beefing up its privacy laws this year to protect against unintended data collection and breaches. IT managers need to be involved in the creation of new applications that touch customers and vet these things properly. They also need to understand the regulatory and compliance implications of collecting all this customer data, including where this information is stored inside the corporation and how it is shared with any partners or consultants.

Second, any corporation should by now have a clearly worded privacy policy that is brief, to the point, and not written in legalese.

Security researcher Benjamin Googins from CA talks about how users will see one of two different privacy policies, depending on whether or not the spyware is installed on their PC by MySHC.

Finally, call a spade a spade. If you are going to conduct research on consumer buying trends, then do so in a way that doesn't monitor their computers: Sony found this out the hard way a few years ago. Since the blogosphere pounced on MySHC, Sears execs have defended the practice, claiming that few users actually go through the process of installing the software. That is a lame excuse. It is time for some straight talk, and time to retool the site and remove the software.

It shouldn't take a Harvard professor and an engineer with a packet analyzer to make Sears come clean about its privacy policies.

1 comment:

zee said...

Thank you for voicing your concern about RelevantKnowledge. Please be assured that comScore, the parent company of RelevantKnowledge, is strongly committed to protecting its users' privacy online. For years, comScore has been recognized as a leader in online privacy by organizations such as the Online Trust Alliance. Recently, comScore's ScorecardResearch service earned the highest possible rating of 50 out of 50 for its online privacy practices by PrivacyChoice. If you have further questions about RelevantKnowledge, we encourage you to visit our website: http://www.relevantknowledge.com/faq.aspx
Thank you,
RelevantKnowledge Customer Support Team

About Me

David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.