Join the Community - Get Spyware


CA Security Advisor Research Blog

Visiting (and a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer.  In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software.  In fact, while registering to join the "community," very little mention is made of software or tracking.  Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.  An interesting note, the spyware Sears distributes is "genetically" related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other websites.


A Significant Threat to Privacy

Here is a summary of what the software does and how it is used. The proxy:


In addition, My SHC Community requires a variety of personal information during registration - like name, email, address, city, state, and age.  All of this information can be correlated with intercepted data to create a comprehensive profile.


A Look at Network Traffic

When I analyzed my network traffic, knowing my machine was compromised, I expected to see data being sent to a domain registered by Sears.  Not the case.  All of my data was actually transmitted to the domain (IP address:  If you look at the figure below of data captured using Wireshark, you will see a simple web transaction I made via Google.  After the Google page was requested and loaded, a duplicate copy was sent to 


The current registrant of the domain, is not Sears, but comScore.  comScore is a market research company, and my data is being sent to comScore without any mention of this in the Sears privacy policy. Both companies are yet to respond to an email I wrote asking how they use the data they receive from the Sears proxy.  I had sent a previous email to Sears asking some general questions about the "Community" and they responded promptly, but I am still waiting for either to respond to my inquiry on how comScore uses my data.  I am concerned.    


A Blatant Lie or Misinformed?

Sears makes the following statement: "The personal information that you give when you register as well as any personal information that you give during the completion of a communication is stored in a confidential database owned by and is never delivered to a client. never sells your personal information to any company for any reason."  When I registered I looked over my network traffic, and all form data (name, address, etc), is sent to  This IP address is registered to comScore.  This is almost laughable (in a scary privacy violation sort of way).  I enter data on a page branded Sears, saying my data is stored on a secure database owned by Sears, but when I submit the data it is sent to comScore, a third party market research company.    


Lack of Prominent Notice and Informed Consent

The problem with the installation process is that it does not prominently emphasize that by completing the registration process, the user's computer will be intensely tracked.   Here are the basic steps of the registration (installation):

1) I visited (a repeat test of Kmart test produced a similar popup) and was presented with a sliding toast popup (see image, below).  The popup covered the homepage and required that I find the hidden (in this case, the micro X in the upper right) exit button. The popup asked me to join the Sears community and enter my email address.  On this page, there is no mention of tracking software, only the "community".

2)      I received an email and clicked 'join today'.  In the 7 or 8 paragraphs describing the "community" on this page, Sears buries its mention of 'tracking' in the third sentence of the fourth paragraph.

3)      I was taken to a Sears landing page.  I clicked 'join today'.  There was absolutely no mention of "software" or "tracking" on this page, but plenty of bullet points telling me about the joys of being a member and how my 'voice counts'. 

4)      A page opened asking me to fill in personal information.  There is no prominent mention that I am agreeing to install tracking software on my computer.  One sentence mentions that the information entered on the page will be used to "assist SHC in providing you the most relevant information, communication, and content customized to your needs."  Also, at the bottom of the page is a small scroll box with the privacy policy. 

5)      After filling out the forms, the software download started.  After the proxy software installed, there was nothing to indicate that it was actually installed.  Since installation, I have not received any follow-up emails from the "community" or any other form of communication reminding me of my "membership."  All data continues to be logged - luckily the research is being conducted on a test machine.  Today I went to and did not receive the sliding popup mentioned above, but clicked a link titled 'join My SHC Community'. Following this link, I was never presented with the minimal notice listed in step 3 above.  Furthermore, because the proxy tracks silently, anyone else who uses a compromised system will have their web usage tracked. There are no technological controls in place to control inadvertent tracking.  


The Privacy Policy

When I originally did the research for this post a few weeks ago, Sears had put together a privacy policy that did a reasonable job of explaining clearly how the proxy operates.  Suspiciously, when I looked at the privacy policy today, all of the direct, clear language has been removed and replaced with vague legal terms.  To give you an idea of what I am talking about, the original privacy policy mentioned the word "software" 11 times - in the policy published today, it is not mentioned even once.  In the old policy, "tracking" was mentioned 3 times - in today's version it is not mentioned even once.   The word "application" - from 32 mentions to none.  Why did they pull out all the descriptive language and replace it with vague legal language?  Some sections that have been totally removed from the Privacy Policy:  The direct language above has been replaced with a Privacy Policy with mushy language like:


Unresolved Questions  Conclusions is pushing software with extensive user tracking capabilities and doing a very poor job of obtaining informed consent - if at all.  After the proxy software is installed on the user's system there is nothing on the user's desktop to indicate their every move on the Internet is being collected and sent to a third party market research company, comScore.

main page ATTRITION feedback