Plenty of businesses are trying to build an online community of loyal users around their brands. But the one in place by Sears Holding Company (SHC), called "My SHC Community," is building some opposition, too.
The site offers members discounts, product previews and interactive services, such as a budget planner. The only catch is that membership can also plant spyware on your computer that tracks your browsing activity in all corners of the Web, according to security researchers.
Ben Edelman, an assistant professor at Harvard Business School, recently posted on his blog a sweeping indictment of the My SHC Community for failing to adequately inform members of how their information would be used. He claims that Sears' informed consent falls well short of Federal Trade Commission regulations.
It works like this: Shortly after people provide Sears.com with an e-mail address, SHC sends an invitation e-mail describing the community with a large "Join Today" button placed at the bottom.
Clicking the button starts a Web-based installation process. The user is prompted to enter profile information and to accept a privacy statement and an end-user license agreement before downloading the SHC Community software. The download triggers an ActiveX prompt; once that prompt is accepted, the tracking software begins to install.
The spyware that Sears is installing on its users' computers comes from the online metrics firm comScore, Googins and Edelman reported.
The problem is not that Sears failed completely to inform its users that their Internet activities would be tracked, but that it failed to do so in a clear and obvious way, as the FTC required in settlements earlier this year concerning tracking software and informed consent, Edelman said.
"The SHC/ComScore violation could hardly be simpler," he wrote. "The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC's installation of ComScore did nothing of the kind."
Sears has defended the way that it handled the placement of the tracking software. Responding to Googins' post, SHC Community Vice President Rob Harles said that the tracking software is only installed on a small, invitation-only "subset" of community members, and that all information is completely anonymous. He also defended the site's disclosure of the software.
"My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation," Harles wrote in response to Googins' research.
Harles refers to the second paragraph of the initial letter introducing the community, which explains that users will be asked to download software during the registration process: "This research software will confidentially track your online browsing."
Then, in the third paragraph, the letter states that users will be asked to record their shopping and purchasing activities. "We'll also collect information about your Internet usage."
Edelman said that, even with those sentences, Sears could still run afoul of the FTC.