2nd Response to Rob Harles, VP of Sears’ SHC Community

I originally published this blog at http://community.ca.com/blogs/securityadvisor

January 02 2008, 06:29 PM by Benjamin Googins

On December 29, Rob Harles, the SVP for Sears’ SHC, submitted a comment to my post titled “Sears Update: Response to Rob Harles, VP SHC Community”. Here is his comment in its entirety, followed by my response and my disappointment. By way of reference, here are my three previous posts on this topic: 1, 2, and 3.

“Author: Rob Harles

I don’t think any of Ben’s comments negate my original statement. The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed.

The e-mail that Ben received explains explicitly that if members choose to download the software, their internet browsing will be tracked. It also states in simple English that if you don’t want to participate, you don’t have to and you can opt out at any point. The information is not buried – two short sentences into the 3rd (not 4th) paragraph in the center of the first screen are very prominent. The remainder of the text emphasizes that a prospective member will also get more detailed information throughout the registration process (welcome e-mail, licensing agreement, privacy policy – which Ben originally stated was rather thorough), as well as how one can remove the software if one wants to opt out and how to contact SHC if one has any questions at any point.

To reiterate:

  • Tracked members are invited to join My SHC Community by invitation; the overwhelming majority of members are not tracked, nor invited to be tracked
  • The invitation to be tracked gives prominent notice to users that their internet browsing will be tracked, well before the EULA is presented
  • They are given more detail throughout the registration process that explicitly tells them what tracking means and what will be done with the data
  • Members are repeatedly told that they can opt out at any point and given instructions on how to remove the software if they so choose
  • No changes, alterations, or amendments have been made to the registration process, disclosures or privacy policy since the inception of the program”

I am disappointed by Rob’s comment. He continues to state emphatically that the Sears software is by invitation only, that users are given prominent notice during install, and that my overall assessment of the Sears software is generally off base. I couldn’t disagree more. In previous posts, I have given detailed reasons why the Sears software falls far short of CA and industry standards for the proper handling of tracking software, so I will not “flog an old horse” with this post. For more information, please read my three previous posts: 1, 2 and 3 (listed in reverse chronological order). In addition, Harvard Business School Assistant Professor Ben Edelman, a respected spyware researcher, commented on my assessment of the Sears software and made additional comments regarding its FTC violations and installation deficiencies, putting the Sears software in a broader context here.

In general, I would expect a different response from Rob – namely one of engagement and of seeking a better understanding of my concerns. The Sears software tracks a considerable amount of user data (at a much greater level than most spyware I analyze), and therefore the implementation of the Sears tracking software should be done with great care and consideration for user privacy. The fact that “no changes, alterations, or amendments have been made…since the inception of the program” does not signify anything positive to me, but rather a lack of adaptation and of willingness to provide adequate safeguards for user privacy.

Finally, while we can’t draw any conclusions from this, an old comScore press release shows that before becoming VP in charge of Sears’ tracking program, Rob was the senior vice president for comScore – the creator of the Sears spyware and the registrants of the domains to which the Sears spyware data is sent.

By: Benjamin Googins

Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…

8 people have left comments:

Classic example of corporate speak and “truthiness:” if I decide something is true and say it enough times, it must be true, despite all logical and reasoned arguments to the contrary.

Posted by: Steven | January 2, 2008 11:32 PM

To Rob:

Prominent notice would be a banner stating, “ALL OF YOUR INTERNET TRAFFIC, INCLUDING CONFIDENTIAL E-MAILS AND BANKING LOGINS, IS BEING FORWARDED TO COMSCORE BY SEARS.” This should be displayed in large bold print, always-visible, on the user’s screen at all times during the tracking.

A sentence buried in a cover-my-ass legal statement doesn’t cut it. You know very well that nobody reads those. It would be disingenuous to suggest otherwise.

My company is now going to block access to Sears, Kmart and Comscore IP addresses.

Posted by: Nate | January 3, 2008 10:21 AM

That’s incredibly sneaky and I will NO LONGER use Sears. It was insightful to find out where Rob came from. Sneaky is as sneaky does. Because of this sneakiness, Sears has lost a customer that typically spends 2 grand a year at Sears. Not much in the grand scheme of things, but, nonetheless, 2 grand less a year than they would have had had they continued to be an above-board, honest merchant.

Posted by: Mark Gordon | January 3, 2008 12:06 PM

I grew up going to Sears. The entire family shopped there for everything. My grandmother lived and died by their catalog service. However, since their auto service issues, rampantly poor customer service in two states and several towns, and now this… I think I’m done.

Is Mr. Harles discussing anything he does with his superiors, or just doing it?

Do Sears executives endorse these methods and actions?

Did no one learn anything from Sony?

Posted by: Thom Campbell | January 3, 2008 1:15 PM

“The information is not buried – two short sentences into the 3rd (not 4th) paragraph”

This is inaccurate from the screenshots I’ve seen, but even if it were true, it doesn’t resolve the actual issue.

I’d never install this crap, but if I ever found this on the machines I “support” (i.e. my parents’ or sister’s) I’d pitch a fit, and so would they. I wonder what the Sears ombudsman will say about this, not to mention the (at least appearance of) nepotism in SHC using Rob’s ex-employer comScore as a service provider. Was an RFP released when Sears was looking for software to do this? Does Rob own any stake in comScore?

Definitely not arm’s length dealing imo.

Posted by: Trails | January 3, 2008 3:45 PM

It would not surprise me too much if they THINK the obnoxious JavaScript pop-up appears a lot less frequently than it actually does, and/or only for people who have been directed to a particular (supposedly invitation-only) URL. It’s not terribly uncommon to deploy something like this without having properly tested it from an end-user’s point of view even once.

(I can’t repro because I’m on Linux; I get redirected to http://www.myshccommunity.com/NotSupported.aspx which is sort of depressing/amusing but not unusually so.)

Just out of curiosity, what happens if you click “No” on the pop-up?

I’m not trying to be apologetic, mind you; these creeps deserve to be tarred and feathered. Thanks for the heads-up and good reporting!

Posted by: h4xp3t | January 4, 2008 2:28 AM

My laptop computer has loaded a new virus protection program while I was on the web. When I remove it, I get a security warning that you have no virus protection and to click the icon in the notification area.

It’s also given me a new IE toolbar, “Security Toolbar 7.1”, that I can’t get rid of.

Easy trust Antivirus and PestPatrol miss it.

Posted by: Bill | January 27, 2008 4:55 AM

It was insightful to find out where Rob came from. Sneaky is as sneaky does.

Posted by: Busby SEO Test | January 9, 2009 6:24 AM
