Errata: Sears.com

Sears.com: Join the Community - Get Spyware

12/20/2007

CA Security Advisor Research Blog

http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx

Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is "genetically" related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other websites.

A Significant Threat to Privacy

Here is a summary of what the software does and how it is used. The proxy:

1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
2. Monitors secure sessions (websites beginning with 'https'), which may include shopping or banking sites.
3. Records and transmits "the pace and style with which you enter information online..."
4. Parses the header section of personal emails.
5. May combine any data intercepted with additional information like "select credit bureau information" and other sources like "consumer preference reporting companies or credit reporting agencies".

In addition, My SHC Community requires a variety of personal information during registration - like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.

A Look at Network Traffic

When I analyzed my network traffic, knowing my machine was compromised, I expected to see data being sent to a domain registered by Sears. Not the case. All of my data was actually transmitted to the domain oss-content.securestudies.com (IP address: 209.247.230.166). If you look at the figure below of data captured using Wireshark, you will see a simple web transaction I made via Google. After the Google page was requested and loaded, a duplicate copy was sent to oss-content.securestudies.com.

The current registrant of the domain securestudies.com, is not Sears, but comScore. comScore is a market research company, and my data is being sent to comScore without any mention of this in the Sears privacy policy. Both companies are yet to respond to an email I wrote asking how they use the data they receive from the Sears proxy. I had sent a previous email to Sears asking some general questions about the "Community" and they responded promptly, but I am still waiting for either to respond to my inquiry on how comScore uses my data. I am concerned.

A Blatant Lie or Misinformed?

Sears makes the following statement: "The personal information that you give myshccommunity.com when you register as well as any personal information that you give during the completion of a communication is stored in a confidential database owned by myshccommunity.com and is never delivered to a client. myshccommunity.com never sells your personal information to any company for any reason." When I registered I looked over my network traffic, and all form data (name, address, etc), is sent to 66.119.41.87. This IP address is registered to comScore. This is almost laughable (in a scary privacy violation sort of way). I enter data on a page branded Sears, saying my data is stored on a secure database owned by Sears, but when I submit the data it is sent to comScore, a third party market research company.

Lack of Prominent Notice and Informed Consent

The problem with the installation process is that it does not prominently emphasize that by completing the registration process, the user's computer will be intensely tracked. Here are the basic steps of the registration (installation):

1) I visited Sears.com (a repeat test of Kmart test produced a similar popup) and was presented with a sliding toast popup (see image, below). The popup covered the Sears.com homepage and required that I find the hidden (in this case, the micro X in the upper right) exit button. The popup asked me to join the Sears community and enter my email address. On this page, there is no mention of tracking software, only the "community".

2) I received an email and clicked 'join today'. In the 7 or 8 paragraphs describing the "community" on this page, Sears buries its mention of 'tracking' in the third sentence of the fourth paragraph.

3) I was taken to a Sears landing page. I clicked 'join today'. There was absolutely no mention of "software" or "tracking" on this page, but plenty of bullet points telling me about the joys of being a member and how my 'voice counts'.

4) A page opened asking me to fill in personal information. There is no prominent mention that I am agreeing to install tracking software on my computer. One sentence mentions that the information entered on the page will be used to "assist SHC in providing you the most relevant information, communication, and content customized to your needs." Also, at the bottom of the page is a small scroll box with the privacy policy.

5) After filling out the forms, the software download started. After the proxy software installed, there was nothing to indicate that it was actually installed. Since installation, I have not received any follow-up emails from the "community" or any other form of communication reminding me of my "membership." All data continues to be logged - luckily the research is being conducted on a test machine. Today I went to Sears.com and did not receive the sliding popup mentioned above, but clicked a link titled 'join My SHC Community'. Following this link, I was never presented with the minimal notice listed in step 3 above. Furthermore, because the proxy tracks silently, anyone else who uses a compromised system will have their web usage tracked. There are no technological controls in place to control inadvertent tracking.

The Privacy Policy

When I originally did the research for this post a few weeks ago, Sears had put together a privacy policy that did a reasonable job of explaining clearly how the proxy operates. Suspiciously, when I looked at the privacy policy today, all of the direct, clear language has been removed and replaced with vague legal terms. To give you an idea of what I am talking about, the original privacy policy mentioned the word "software" 11 times - in the policy published today, it is not mentioned even once. In the old policy, "tracking" was mentioned 3 times - in today's version it is not mentioned even once. The word "application" - from 32 mentions to none. Why did they pull out all the descriptive language and replace it with vague legal language? Some sections that have been totally removed from the Privacy Policy:

'Once you install our application, it monitors all of the Internet behavior that occurs on the computer'
'software application also tracks the pace and style with which you enter information online'
'Our application may collect certain basic hardware, software, computer configuration and application usage information about the computer'

The direct language above has been replaced with a Privacy Policy with mushy language like:

'myshccommunity.com gathers information about its members to provide superior service, communicate offers on merchandise and services'
'We use this information to customize your experience on our website and to provide you with the most relevant products and services.
'we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers'

Unresolved Questions

Why didn't Sears disclose that my data, that related to registration and data sent by the proxy, is actually sent to comScore?
Why won't comScore answer my questions about how they use my data?
Why has Sears removed all the clear language from the Privacy Policy and replaced it with vague legal language?
Why isn't the registration process clear that the user is actually signing up to install tracking software?

Conclusions

Sears.com is pushing software with extensive user tracking capabilities and doing a very poor job of obtaining informed consent - if at all. After the proxy software is installed on the user's system there is nothing on the user's desktop to indicate their every move on the Internet is being collected and sent to a third party market research company, comScore.