I originally published this blog at http://community.ca.com/blogs/securityadvisor
December 22 2007, 12:01 AM by Benjamin Googins
Earlier today Rob Harles, VP SHC Community, submitted comments, using the comment feature at the bottom of the page, to my original blog posting titled “Sears.com: Join the Community – Get Spyware”. Unfortunately, it doesn’t look like our CMS can handle a comment that large, so I am posting it in its entirety here along with my response.
Rob’s comments on the Sears blog post
Author: Rob Harles, VP SHC Community
I don’t usually respond to blogs, but in this case I thought it necessary to set the record straight about the My SHC Community.
First and absolutely foremost, the SHC Community is comprised of members whose expressed interest is in sharing their ideas and views with Sears Holdings. This is the explicit purpose that is disclosed in any and all invitations, and the ground rules are well articulated. The current version of the Community focuses primarily on gathering opinions via surveys, but future functionality and content is being shaped by the members themselves, and we hope to broaden the scope and dynamics of the site in the near future.
Second, it is essential to understand that there are two groups of members in the My SHC Community, those that only fill out a profile and simply participate (the vast majority), and those that are invited and explicitly agree to have their Internet browsing tracked (a small sub-sample). The sub-sample is small by design, and the data that is collected is aggregated, anonymous and used by Sears Holdings to improve our customers’ Internet experience and help guide the future development of Community.
This distinction is crucial because Mr. Googins suggests that all members are tracked – they are not. To clarify, Mr. Googins states that “Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer.” This statement is absolutely incorrect. In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail. Becoming a tracked member of the My SHC Community is by invitation only. Invitations are generated randomly and kept to a minimum by design.
Finally, I also feel I should respond to what Mr. Googins refers to as “Unresolved Questions.”
- Why didn’t Sears disclose that my data, that related to registration and data sent by the proxy, is actually sent to comScore?
- Why isn’t the registration process clear that the user is actually signing up to install tracking software?
We believe that the registration process is very clear, and is reinforced by post-registration notices and emails that provide additional information about the scope of the program. We are also always open to suggestions (this is the spirit of the Community – to engage in open dialog).
What follows is a response to Rob’s comments above.
Rob says: “This statement is absolutely incorrect. In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail. Becoming a tracked member of the My SHC Community is by invitation only. Invitations are generated randomly and kept to a minimum by design.”
Ben responds: The installation process happened exactly as I documented it in my original post. In fact, I pulled up the same email I received from firstname.lastname@example.org. I received this email after entering my email address into a popup ad that displayed as soon as I navigated to Sears.com. After going through the process I documented in my original posting, I received the Sears proxy. This install process required me to do nothing special other than enter my email address at Sears.com. The install process gave no prominent notice regarding the true nature of the software.
Rob says: “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation.”
Rob says: “I am not sure what Mr. Googins’ experience was, but to clarify there are two privacy policies: one for non-tracked members and one for tracked…”
Ben responds: This point is addressed in the follow-up blog here.
Ben responds: I joined the Community by entering my email address in a popup ad at Sears.com (see my original post for a screenshot). I repeated this test today. After clicking ‘join’ from my email, filling out a form, and OK’ing the install, I was tracked fully and completely, as described before.
Rob says: “Any potential tracked member is given very clear explanations throughout the registration process…”
Ben responds: I addressed this in my second point above.
Ben responds: I observed data being transmitted to domains registered to comScore. Proxy data I observed being sent to: 22.214.171.124. Form data I observed being sent: 126.96.36.199.
A closer look at an install conducted today
What I would like to do is lay out exactly how the install process looked today using screenshots. I will present them in the order in which I viewed the pages and took the screenshots. Please note that I had to use two screenshots per web page because I could not fit each page into one.
Step 1: I visited Sears.com and was presented with the following popup. I entered my email address in the box provided.
Step 2: I received an email inviting me to join.
Step 3: After clicking ‘join today’ in the email above, I am taken here. I fill out the page details and click ‘next’.
Step 4: After clicking ‘next’, I do nothing else. The software installs and immediately begins tracking as described previously. There is no indication on the desktop that tracking software has been installed.
- The install lacks prominent notice to the user that they are installing software that can intensely track their Internet activity.
- There is absolutely zero indication on the desktop that the user is being tracked once the software installs.
- It is possible to join the My SHC Community without any “special invitation”.
When I originally conducted research for my first blog post on this topic, I took screenshots of the entire install process (the screenshots above were taken today). I do not have a screenshot for this last step – the ‘you’re almost finished’ step. I can’t verify whether this is a new step or whether my records are missing that screenshot. Regardless, there is nothing on this page to describe what the software is or what it does. Second, another change from my install two weeks ago is that today I received an email from email@example.com welcoming me to the My SHC Community. I never received this email when I first conducted my research.
CA stands firmly behind all original findings posted and updated in previous blogs. In the past, CA has been willing to engage in open dialogue with related parties and is committed to this today. We continue to have privacy concerns about the My SHC Community not yet addressed.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
15 people have left comments:
Everyone may enjoy being tracked from the customer service page:
or go direct:
Posted by: TRACKER, December 22, 2007 11:26 AM
Anyone have the IP’s of the proxy servers? I would like to check to see if any of my enterprise users may have this installed.
Posted by: Belchspeak, January 2, 2008 2:39 PM
On December 29, Rob Harles, the SVP for Sears’ SHC, submitted a comment to my post titled: ”
Posted by: CA Security Advisor Research Blog, January 2, 2008 6:37 PM
OMG. It gets worse! check out a sears site managemyhome.com. Once you register, you can look up major purchases for ANY address. All you need to do is enter a name address and phone number and if the person attached to that info has made a major purchase at sears you get that info!! They have no real controls in place — you have to enter an onscreen code and they say that keeps your info safe, but that does not stop someone from entering other people’s contact info to see their product purchases. This brings casing someone’s house to a whole new level.
I contacted the compliance e-mail listed on the site, and never got a response, which confirms that Sears does not care about the customer or customer privacy. If anyone has any ideas about how to get in contact with someone over there that might care about customer privacy, I’d welcome the ideas. That service should really be off the site.
What do you have to say to that Rob?
Posted by: heather, January 3, 2008 11:09 AM
Wow…I seriously will never use Sears again. This is sneaky stuff. I don’t like companies that are huge….and sneaky to boot.
Posted by: Mark Gordon, January 3, 2008 12:02 PM
“If we change our practices in how we handle personally identifiable information, or if we materially change other aspects of our program, including but not limited to any changes to the scope or nature of incentives provided, we will post these changes on our website, and the changes will be effective immediately upon such posting. If you do not agree with any of the changes, you may remove our application as described above.”
Posted by: Alex, January 3, 2008 2:20 PM
Belchspeak, as I post above: ‘Proxy data I observed being sent to: 188.8.131.52. Form data I observed being sent: 184.108.40.206’.
Posted by: Benjamin Googins, January 3, 2008 7:27 PM
“Hey Dad, did you guys by any chance buy a new sewing machine from Sears on September 30 th ?”
Posted by: CA Security Advisor Research Blog, January 3, 2008 7:40 PM
thanks for your comment. See: community.ca.com/…/managemyhome-com-another-privacy-issue-for-sears.aspx My colleague picked up on your comment.
Posted by: Benjamin Googins, January 3, 2008 7:43 PM
Sears is Evil. Hope this costs them millions.
Posted by: james, January 4, 2008 12:38 AM
Thank you so much for keeping us informed. It appears as though Sears/Kmart has developed a great marketing strategy tool but… at the expense of their consumers’ personal security. Not good at all. I’m glad that I have not fallen prey to their marketing program. Thanks again!
Your expertise and investigative research will be shared with my sphere of influence. I encourage other mavens to do the same.
Posted by: Girard, January 5, 2008 10:59 AM
Thank you so much for informing us about your research findings. Evidently Sears/Kmart has developed a great marketing strategy tool. However, it is at the expense of their customers’ security. Not good. I intend to inform everyone in my sphere of influence and encourage other mavens to do the same. Again… thank you!
Posted by: Girard, January 5, 2008 11:04 AM
Yes, the real buffoon here is Jim Hilt the director of Manage My Home. See this article that Ben highlighted in his article about what Manage My Home was doing. Jim is freely talking about the benefit.
This guy definitely gets the award for the stupidest web marketer of the year! Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public. Since they were so free with my info, I don’t have a problem sharing their info — I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com — I would guess that Jim’s e-mail address is Jhilt00@searshc.com or firstname.lastname@example.org.
Posted by: mike m, January 7, 2008 10:24 AM
Well, there is one (very minor) indication: you’re asked by the Windows Installer to install a component signed by TMRG, Inc. The first hit for that on google is http://www.tmrginc.com – “TMRG is an organization dedicated to managing a leading market research community comprised of millions of Internet and mobile consumers from around the … “.
Granted, that wouldn’t mean anything to a non-technically savvy user.
By the way, have a look at TMRG’s license agreement:
Posted by: Matthew, February 5, 2008 8:08 PM
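The comment above gives a defender two concrete artifacts to look for on a managed Windows machine: an installed component whose signer is named “TMRG, Inc.”, and, from the original post, software that proxies the browser’s web traffic. The script below is an added example written for this page, not code from CA, Sears, or the commenters. It assumes the component registers itself under the standard Uninstall registry keys and that a browser-level proxy shows up in the per-user WinInet settings; neither assumption is confirmed by the page, so an empty result only means these particular places are clean. The signer search over Program Files is a slower fallback for the case where the Uninstall entry is absent.

```powershell
# Added example: look for the installer component publisher named in the comment
# above and for a user-level proxy setting. Run in an elevated PowerShell session.

$publisherPattern = 'TMRG'   # signer/publisher string reported in the comment above

# 1. Installed programs whose publisher or display name mentions the signer.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.Publisher -match $publisherPattern -or $_.DisplayName -match $publisherPattern } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

if ($found) {
    Write-Output "Installed programs matching '$publisherPattern':"
    $found | Format-Table -AutoSize
} else {
    Write-Output "No Uninstall entry lists publisher '$publisherPattern' (assumption: it registers there at all)."
}

# 2. Per-user WinInet proxy settings. Software that relays browser traffic commonly
#    points these at a local listener; a populated ProxyServer on a machine that should
#    use none is worth a closer look. (Assumption: the proxy is configured here rather
#    than by some other hooking method; the page does not say how it is implemented.)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List

# 3. Fallback: Authenticode signer of binaries under Program Files. Slow on large
#    installs; narrow the path if you already know where the component lives.
Get-ChildItem -Path $env:ProgramFiles, ${env:ProgramFiles(x86)} -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Get-AuthenticodeSignature |
    Where-Object { $_.SignerCertificate -and $_.SignerCertificate.Subject -match $publisherPattern } |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

For an enterprise sweep of the kind Belchspeak asks about, the same three checks can be run remotely with Invoke-Command against a list of hosts and the results exported to CSV; the Uninstall entry and the signer subject are the two fields most likely to survive a product rename.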
I tried what Heather said above on managemyhome. This is not true. You have to answer a number of questions about the address you try, validating that you live there. The scary thing is what they automatically know if you provide any address – my ex’s birthday, my last address, the last county I lived in before, etc.
Posted by: Rob Reeeve, March 10, 2008 12:23 PM