Come see the spyware side at Sears

The news late last year about a community Web site from Sears hasn’t been good, and should be a sobering lesson for any would-be eCommerce merchant. Security researchers uncovered issues with the site, MySHCcommunity.com (Sears Holdings Company is what the buried acronym stands for). Users can “optionally” install some very pernicious spyware on their computers that will track their browsing history and purchases.

Harvard B-school professor Ben Edelman’s blog describes the installation process in copious detail.

Sears’ documentation of exactly what information the software tracks is buried inside a license agreement that few will read, and even fewer will understand if they do. It is also, according to Edelman and others, misleading and potentially illegal. Ever wondered why companies that produce this spyware use different names? It is so consumers can’t easily figure out what is being delivered to their PC. The MySHC software goes under different names, such as VoiceFive and TMRG, Inc., yet seems to be similar to ComScore’s RelevantKnowledge affiliate marketing software.

So what can we all learn from this debacle?

First, protect your customers’ privacy or you won’t have any customers to worry about. Australia is just one of many places around the world that is beefing up its privacy laws this year to protect against unintended data collection and breaches. IT managers need to be involved in the creation of new applications that touch customers, and they need to vet these things properly. They also need to understand the regulatory and compliance implications of collecting all this customer data, where this information is stored inside the corporation, and how it is shared with any partners or consultants.

Second, any corporation should by now have a clearly worded privacy policy that is brief, to the point, and not written in legalese.

Security researcher Benjamin Googins from CA talks about how users will see one of two different privacy policies, depending on whether or not the spyware is installed on their PC by MySHC.

Finally, call a spade a spade. If you are going to conduct research on consumer buying trends, then do so in a way that doesn’t monitor their computers: Sony found this out the hard way a few years ago. Since the blogosphere pounced on MySHC, Sears execs have defended the practice, claiming that few users actually go through the process of installing the software. That is a lame excuse. It is time for some straight talk, and time to retool the site and remove the software.

It shouldn’t take a Harvard professor and an engineer with a packet analyzer to make Sears come clean about its privacy policies.
