Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is "genetically" related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other websites.
A Significant Threat to Privacy
Here is a summary of what the software does and how it is used. The proxy:
In addition, My SHC Community requires a variety of personal information during registration - like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.
A Look at Network Traffic
When I analyzed my network traffic, knowing my machine was compromised, I expected to see data being sent to a domain registered by Sears. Not the case. All of my data was actually transmitted to the domain oss-content.securestudies.com (IP address: 209.247.230.166). If you look at the figure below of data captured using Wireshark, you will see a simple web transaction I made via Google. After the Google page was requested and loaded, a duplicate copy was sent to oss-content.securestudies.com.
The current registrant of the domain securestudies.com, is not Sears, but comScore. comScore is a market research company, and my data is being sent to comScore without any mention of this in the Sears privacy policy. Both companies are yet to respond to an email I wrote asking how they use the data they receive from the Sears proxy. I had sent a previous email to Sears asking some general questions about the "Community" and they responded promptly, but I am still waiting for either to respond to my inquiry on how comScore uses my data. I am concerned.
A Blatant Lie or Misinformed?
Sears makes the following statement: "The personal information that you give myshccommunity.com when you register as well as any personal information that you give during the completion of a communication is stored in a confidential database owned by myshccommunity.com and is never delivered to a client. myshccommunity.com never sells your personal information to any company for any reason." When I registered I looked over my network traffic, and all form data (name, address, etc), is sent to 66.119.41.87. This IP address is registered to comScore. This is almost laughable (in a scary privacy violation sort of way). I enter data on a page branded Sears, saying my data is stored on a secure database owned by Sears, but when I submit the data it is sent to comScore, a third party market research company.
Lack of Prominent Notice and Informed Consent
The problem with the installation process is that it does not prominently emphasize that by completing the registration process, the user's computer will be intensely tracked. Here are the basic steps of the registration (installation):
1) I visited Sears.com (a repeat test of Kmart test produced a similar popup) and was presented with a sliding toast popup (see image, below). The popup covered the Sears.com homepage and required that I find the hidden (in this case, the micro X in the upper right) exit button. The popup asked me to join the Sears community and enter my email address. On this page, there is no mention of tracking software, only the "community".
2) I received an email and clicked 'join today'. In the 7 or 8 paragraphs describing the "community" on this page, Sears buries its mention of 'tracking' in the third sentence of the fourth paragraph. 3) I was taken to a Sears landing page. I clicked 'join today'. There was absolutely no mention of "software" or "tracking" on this page, but plenty of bullet points telling me about the joys of being a member and how my 'voice counts'. 4) A page opened asking me to fill in personal information. There is no prominent mention that I am agreeing to install tracking software on my computer. One sentence mentions that the information entered on the page will be used to "assist SHC in providing you the most relevant information, communication, and content customized to your needs." Also, at the bottom of the page is a small scroll box with the privacy policy. The Privacy Policy Sears.com is pushing software with extensive user tracking capabilities and doing a very poor job of obtaining informed consent - if at all. After the proxy software is installed on the user's system there is nothing on the user's desktop to indicate their every move on the Internet is being collected and sent to a third party market research company, comScore.
The direct language above has been replaced with a Privacy Policy with mushy language like:
Conclusions