Plenty of businesses are trying to build an online community of loyal users around their brands. But the one in place by Sears Holding Company (SHC), called “My SHC Community,” is building some opposition, too.
The site offers members discounts, products previews and interactive services, such as a budget planner. The only catch is, membership can also plant spyware on your computer that tracks your browsing activity in all corners of the Web, according to security researchers.
Ben Edelman, an assistant professor at Harvard Business School, recently posted on his blog a sweeping indictment of the My SHC Community for failing to adequately inform members of how their information would be used. He claims that Sears’ informed consent falls well short of Federal Trade Commission regulations.
Edelman’s findings support and build on the analysis posted by CA Senior Researcher Benjamin Googins in December over how Sears gets software installed on users’ computers.
It works like this: Shortly after people provide Sears.com with an e-mail address, SHC sends an invitation e-mail describing the community with a large “Join Today” button placed at the bottom.
Clicking the button initiates the Web-based installation process, during which the user is prompted to enter profile information, accept a statement on privacy and an end-user license agreement before accepting the download of the SHC Community software, which triggers an Active X prompt that, once accepted, begins the installation of the tracking software.
The spyware that Sears is installing on its users’ computers comes from the online metrics firm comScore, Googins and Edelman reported.
The problem is not that Sears failed completely to inform its users that their Internet activities would be tracked, but that it failed to do so in a clear and obvious way, as the FTC required in settlements earlier this year concerning tracking software and informed consent, Edelman said.
“The SHC/ComScore violation could hardly be simpler,” he wrote. “The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms,” he wrote.
“SHC’s installation of ComScore did nothing of the kind.”
Sears has defended the way that it handled the placement of the tracking software. Responding to Googins’ post, SHC Community Vice President Rob Harles said that the tracking software is only installed on a small, invitation-only “subset” of community members, and that all information is completely anonymous. He also defended the site’s disclosure of the software.
“My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation,” Harles wrote in response to Googins’ research.
Harles refers to the second paragraph of the initial letter introducing the community, which explains that users will be asked to download software during the registration process: “This research software will confidentially track your online browsing.”
Then, in the third paragraph, the letter states that users will be asked to record their shopping and purchasing activities. “We’ll also collect information about your Internet usage.”
Edelman said that, even with those sentences, Sears could still run afoul of the FTC.
“I don’t think the language in the introductory email is an effective disclosure, given the requirements in the FTC rules,” he wrote in an e-mail to InternetNews.com. “The FTC requires a disclosure that is ‘prominent’ and ‘unavoidable.’ The disclosure you quote occurs midway through a paragraph — very easy to miss, especially because the paragraph is one in a series, and because the paragraph’s topic sentence gives no suggestion of what comes next.”
A more explicit description of the extent of the tracking software can be found in the licensing agreement, but Edelman said that, appearing well into the 2,971 word agreement, the disclosure is intentionally buried.
That too falls short of the mark, Edleman said, citing the FTC requirement that specific notification of any tracking software appear outside of a licensing agreement and be “unavoidable.”
“The only disclosure on this page occurs within the license agreement — exactly contrary to FTC instructions,” he wrote.
“Furthermore, users can easily overlook text on page ten of a lengthy license agreement. Such text is the opposite of “‘unavoidable.'”
In further demonstration of the lack of transparency, Edelman claimed that Sears used varying terminologies to obscure the nature and origin of the software. For instance, the first e-mail a customer receives, inviting him to join the community, says that the software is powered by VoiceFive, while Edeleman’s packet sniffer confirmed that it is in fact powered by comScore.
Subsequent mentions of the software in the license agreement refer to it as “our application” or “this application,” and there is no product name given at the ActiveX dialog. “These conflicting names prevent users from figuring out what software they are asked to accept,” Edelman wrote, characterizing the tactic as one common to “spyware vendors.”
Neither Sears nor comScore responded to requests for comment by press time.