Original URL: http://www.theregister.co.uk/2009/06/04/sears_settles_spyware_charges/
US mega retailer settles spyware charges
Sears promises to spy no more
By Dan Goodin in San Francisco
One of the biggest US retailers has agreed to settle charges brought by federal authorities that it snuck privacy-stealing software from ComScore onto customers' machines.
Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, has agreed to delete all the information harvested by the software, which pried into customers' most intimate web habits. The company also agreed to be more upfront about any information it may collect in the future. The agreement by Sears came in a settlement with the Federal Trade Commission in which the company didn't admit it violated any laws.
As privacy advocates documented early last year (http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/), Sears sent emails to people shortly after they provided their address at Sears.com inviting them to join an "exciting online community." In fact, it was a pitch to install software from web research outfit ComScore that monitored their every online move.
No, we're not exaggerating. According to the FTC complaint, information collected included "not only information about websites consumers visited and links that they clicked, but also the text of secure pages, such as online banking statements, video rental transactions, library borrowing histories, online drug prescription records, and select header fields that could show the sender, recipient, subject, and size of web-based email messages." The software recorded in real-time "certain non-internet-related activities taking place on those computers" as well.
And as we've pointed out before (http://www.theregister.co.uk/2008/05/12/inside_comscore/), the ComScore snoopware goes as far as monitoring a user's precise mouse movements and keystrokes in an attempt to identify different people using the same monitored machine.
Privacy advocates and, eventually, the FTC took Sears to task because it didn't bother to disclose the information was being collected until page 10 of a 54-page privacy statement that was 2,971 words long. Ben Edelman, a Harvard University professor who is a frequent critic of spyware companies, said the document failed to meet standards established when the FTC settled with Direct Revenue and Zango over the lack of disclosure in their software. (Both companies have since gone out of business).
"Respondent failed to disclose adequately that the software application, when installed, would" monitor just about every internet activity taking place on the machine, including those protected by secure sessions, a complaint filed by FTC lawyers stated. "Respondent’s failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
The FTC action makes no mention of separate allegations that a Sears website failed to adequately protect consumer information. According to a lawsuit filed last year (http://www.theregister.co.uk/2008/01/07/sears_privacy_classaction/), private customer purchase history of Managemyhome.com members was available to anyone who had the person's name, address, and phone number.
But Edelman said the FTC settlement amounted to a victory anyway. And he gave Sears credit for fessing up to the debacle.
"Sears to their credit fixed many of the most egregious problems after public concern," he told The Register. "Because Sears took some steps on its own, its harder to be as angry at them as you might be. Of course, it would be better if they hadn't done it in the first place." ®
US mega retailer settles spyware charges
Sears promises to spy no more
By Dan Goodin in San Francisco
One of the biggest US retailers has agreed to settle charges brought by federal authorities that it snuck privacy-stealing software from ComScore onto customers' machines.
Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, has agreed to delete all the information harvested by the software, which pried into customers' most intimate web habits. The company also agreed to be more upfront about any information it may collect in the future. The agreement by Sears came in a settlement with the Federal Trade Commission in which the company didn't admit it violated any laws.
As privacy advocates documented early last year (http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/), Sears sent emails to people shortly after they provided their address at Sears.com inviting them to join an "exciting online community." In fact, it was a pitch to install software from web research outfit ComScore that monitored their every online move.
No, we're not exaggerating. According to the FTC complaint, information collected included "not only information about websites consumers visited and links that they clicked, but also the text of secure pages, such as online banking statements, video rental transactions, library borrowing histories, online drug prescription records, and select header fields that could show the sender, recipient, subject, and size of web-based email messages." The software recorded in real-time "certain non-internet-related activities taking place on those computers" as well.
And as we've pointed out before (http://www.theregister.co.uk/2008/05/12/inside_comscore/), the ComScore snoopware goes as far as monitoring a user's precise mouse movements and keystrokes in an attempt to identify different people using the same monitored machine.
Privacy advocates and, eventually, the FTC took Sears to task because it didn't bother to disclose the information was being collected until page 10 of a 54-page privacy statement that was 2,971 words long. Ben Edelman, a Harvard University professor who is a frequent critic of spyware companies, said the document failed to meet standards established when the FTC settled with Direct Revenue and Zango over the lack of disclosure in their software. (Both companies have since gone out of business).
"Respondent failed to disclose adequately that the software application, when installed, would" monitor just about every internet activity taking place on the machine, including those protected by secure sessions, a complaint filed by FTC lawyers stated. "Respondent’s failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
The FTC action makes no mention of separate allegations that a Sears website failed to adequately protect consumer information. According to a lawsuit filed last year (http://www.theregister.co.uk/2008/01/07/sears_privacy_classaction/), private customer purchase history of Managemyhome.com members was available to anyone who had the person's name, address, and phone number.
But Edelman said the FTC settlement amounted to a victory anyway. And he gave Sears credit for fessing up to the debacle.
"Sears to their credit fixed many of the most egregious problems after public concern," he told The Register. "Because Sears took some steps on its own, its harder to be as angry at them as you might be. Of course, it would be better if they hadn't done it in the first place." ®