Sears Update: Response to Rob Harles, VP SHC Community

I originally published this blog at http://community.ca.com/blogs/securityadvisor

December 22 2007, 12:01 AM         by         Benjamin Googins

Earlier today, comments were submitted by Rob Harles, VP SHC Community, to my original blog posting titled "Sears.com: Join the Community – Get Spyware", using the comment feature at the bottom of the page.  Unfortunately, it doesn't look like our CMS can handle a comment that large, so I am posting it in its entirety here along with my response.

Rob's comments on the Sears blog post

Author: Rob Harles, VP SHC Community

“In response….

I don’t usually respond to blogs, but in this case I thought it necessary to set the record straight about the My SHC Community.

First and absolutely foremost, the SHC Community is comprised of members whose expressed interest is in sharing their ideas and views with Sears Holdings. This is the explicit purpose that is disclosed in any and all invitations, and the ground rules are well articulated. The current version of the Community focuses primarily on gathering opinions via surveys, but future functionality and content is being shaped by the members themselves, and we hope to broaden the scope and dynamics of the site in the near future.

Second, it is essential to understand that there are two groups of members in the My SHC Community, those that only fill out a profile and simply participate (the vast majority), and those that are invited and explicitly agree to have their Internet browsing tracked (a small sub-sample). The sub-sample is small by design, and the data that is collected is aggregated, anonymous and used by Sears Holdings to improve our customers’ Internet experience and help guide the future development of Community.

This distinction is crucial because Mr. Googins suggests that all members are tracked – they are not.  To clarify, Mr. Googins states that "Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer."  This statement is absolutely incorrect.  In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail.  Becoming a tracked member of the My SHC Community is by invitation only.  Invitations are generated randomly and kept to a minimum by design.

With regard to informed consent, I strongly disagree with Mr. Googins’ claims that there is a lack of informed consent relating to the members who have explicitly agreed to be tracked.  My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation.  Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy and user licensing agreement (the same ULA Mr. Googins describes as containing “direct, clear language” and that does “a reasonable job of explaining clearly how the proxy operates”). We provide additional notice of the tracking feature in the form of a welcome email that is sent to everyone after they become a member.

Mr. Googins goes on to state that the "direct, clear language [of the Privacy Policy] been removed and replaced."  For the record, the privacy policy has never been altered in the life of the Community. I am not sure what Mr. Googins' experience was, but to clarify, there are two privacy policies: one for non-tracked members and one for tracked members (the one I think he was referring to originally).  The privacy policy for people who join through the website link or general invitation does not contain any language regarding tracking because, as stated above, these people are not being tracked nor will they ever be.

Any potential tracked member is given very clear explanations throughout the registration process concerning the purpose of the community, what “tracking means”, what software will be downloaded, what will be done with the data, a detailed privacy statement in plain English, several opportunities in the download process to decline loading any software, reminders that software will be loaded if they accept, a progress bar that they can abort, and instructions on how to opt out of the Community and remove the application if they change their minds. A help link is also provided if people have any difficulties with any of the above.  The tracked member privacy policy is also displayed permanently in the Privacy Policy tab on the membership site when tracked members log in.

With regard to the software generated by a third party, yes we do use a third party to provide this software and collect data. This is also disclosed to tracked members. Sears Holdings is not in the business of developing software, so we turn to third parties as do many major corporations. The vendors we select to work with must abide by stringent privacy policies and codes of conduct.  Our vendors must abide by the law. As stated in the privacy policy, any data collected through the My SHC Community is “stored on a secure database owned by Sears.”  It is encrypted and managed very carefully within strict guidelines established at the beginning of this project. The privacy policy also clearly states that “we may share your customer information with trusted service providers that need access to your information to provide operational or other support services.”  A vendor may operate some of the technology behind the panel, but the vendor cannot, and does not, use that data for any purpose other than for providing services to Sears Holdings.

Finally, I also feel I should respond to what Mr. Googins refers to as “Unresolved Questions.”

  • Why didn’t Sears disclose that my data, that related to registration and data sent by the proxy, is actually sent to comScore?

As discussed above, the SHC privacy policy clearly discloses that data may be shared with service providers.  comScore is simply a service provider to Sears Holdings.

  • Why has Sears removed all the clear language from the Privacy Policy and replaced it with vague legal language?

As stated before, Sears Holdings did not remove language from any Privacy Policy, Mr. Googins simply did not recognize that there are two separate and distinct policies.

  • Why isn’t the registration process clear that the user is actually signing up to install tracking software?

We believe that the registration process is very clear, and is reinforced by post-registration notices and emails that provide additional information about the scope of the program. We are also always open to suggestions (this is the spirit of the Community – to engage in open dialog)."

What follows is a response to Rob’s comments above.

Rob says: "This statement is absolutely incorrect.  In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail.  Becoming a tracked member of the My SHC Community is by invitation only.  Invitations are generated randomly and kept to a minimum by design."

Ben responds: The installation process I documented in my original post is exactly how I described it.  In fact, I pulled up that same email I received from searsholdings@myshccommunity.com.  I received this email by entering my email address into a popup ad that displayed as soon as I navigated to Sears.com.  After going through the process I documented in my original posting, I received the Sears proxy.  This install process required me to do nothing special, other than entering my email address at Sears.com.  The install process gave no prominent notice regarding the true nature of the software.

Rob says: “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation.”

Ben responds: When I analyzed the install process against the CA Anti-Spyware Scorecard, it clearly failed on criterion number 2: 'Installs itself or any other item without clear notice to user and obtaining user permission at time of installation.'  The initial email was the only place where I found any reference to "software" or "tracking".  As noted before, this is buried in the middle of the fourth paragraph with only one real sentence describing the software – in a 7 paragraph, 5 bullet point, 582 word email.  This is insufficient disclosure to the user.  Burying this critical language in the middle of a large email is far from going to 'great lengths to describe the tracking aspects'.  Common sense would tell us that, but for more understanding, CA's User Permission document lays things out in more concrete terms.  The level of disclosure during the install process violates section VI of the Permission document, which states: 'Choice or notice is presented in its own separate window.'  Burying it in the middle of a 7 paragraph email is not a 'separate window'.  In addition, it should be noted that CA does not consider a privacy policy prominent notice, particularly when the policy is presented on a page with a variety of other purposes or is very difficult for the average person to read.

Rob says: “I am not sure what Mr. Googins’ experience was, but to clarify there are two privacy policies: one for non-tracked members and one for tracked…”

Ben responds: This point is addressed in the follow-up blog here.

Rob says: “The privacy policy for people who join through the website link or general invitation does not contain any language regarding tracking because, as stated above, these people are not being tracked nor will they ever be.”

Ben responds: I joined the Community by entering my email address in a popup ad at Sears.com (see my original post to see a screenshot).  I repeated this test today.  After clicking ‘join’ from my email, filling out a form, and ok’ing the install, I was tracked fully and completely as described before.

Rob says: “Any potential tracked member is given very clear explanations throughout the registration process…”

Ben responds: I addressed this in my second point above.

Rob says: “The privacy policy also clearly states that “we may share your customer information with trusted service providers that need access to your information to provide operational or other support services.””

Ben responds: I observed data being transmitted to domains registered to comScore.  Proxy data I observed being sent to: 209.247.230.166.  Form data I observed being sent to: 66.119.41.87.

A closer look at an install conducted today

What I would like to do is lay out exactly how the install process looked today using screen shots.  I will present them in the order in which I viewed the pages and took screenshots.  Please note, I had to use two screenshots per web page because I could not fit them into one.

Step 1: I visited Sears.com and was presented with the following popup.  I entered my email address in the box provided.

Step 2: I received an email inviting me to join.

Step 3: After clicking ‘join today’, above, I am taken here.  I fill out the page details and click ‘next’.

Step 4: After clicking 'next', I do nothing else.  The software installs and immediately begins tracking as described previously.  There is no indication on the desktop that there is tracking software installed.

The screenshots above show the install steps I took today.  They show us a few things:


  • The install lacks prominent notice to the user that they are installing software that can intensely track their Internet activity.
  • There is absolutely zero indication on the desktop that the user is being tracked once the software installs.
  • It is possible to join the My SHC Community without any “special invitation”.

When I originally conducted research for my first blog post on this topic, I took screenshots of the entire install process (the screenshots above were taken today).  I do not have a screenshot for this last step – the 'you're almost finished' step.  I can't verify whether this is a new step or whether my records are missing that screenshot.  Regardless, there is nothing on this page to describe what the software is or what it does.  Another change from my install two weeks ago is that today I received an email from support-team@myshccommunity.com welcoming me to the My SHC Community.  I never received this email when I first conducted my research.

CA stands firmly behind all original findings posted and updated in previous blogs.  In the past, CA has been willing to engage in open dialogue with related parties and is committed to this today.  We continue to have privacy concerns about the My SHC Community not yet addressed.

By: Benjamin Googins


Benjamin Googins is a senior engineer working on CA's Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…

15 people have left comments:

Everyone may enjoy being tracked from the customer service page:

www.sears.com/…/nb_10153_12605_NB_CSHome

or go direct:

www.myshccommunity.com/default.aspx

Posted by: TRACKER, December 22, 2007 11:26 AM

Anyone have the IPs of the proxy servers?  I would like to check to see if any of my enterprise users may have this installed.

Posted by: Belchspeak, January 2, 2008 2:39 PM

On December 29, Rob Harles, the SVP for Sears’ SHC, submitted a comment to my post titled: ”

Posted by: CA Security Advisor Research Blog, January 2, 2008 6:37 PM

OMG.  It gets worse!  Check out a Sears site, managemyhome.com.  Once you register, you can look up major purchases for ANY address.  All you need to do is enter a name, address and phone number, and if the person attached to that info has made a major purchase at Sears you get that info!!  They have no real controls in place – you have to enter an onscreen code and they say that keeps your info safe, but that does not stop someone from entering other people's contact info to see their product purchases.  This brings casing someone's house to a whole new level.

I contacted the compliance e-mail listed on the site, and never got a response, which confirms that Sears does not care about the customer or customer privacy.  If anyone has any ideas about how to get in contact with someone over there that might care about customer privacy, I’d welcome the ideas.  That service should really be off the site.

What do you have to say to that Rob?

Posted by:  heather, January 3, 2008 11:09 AM

Wow…I seriously will never use Sears again.  This is sneaky stuff.  I don’t like companies that are huge….and sneaky to boot.

Posted by: Mark Gordon, January 3, 2008 12:02 PM

1. I’ve never signed up for the “community”, so I’m not a “tracked user”.  When I clicked on the privacy policy link in the popup for sears.com (which I only got after temporarily disabling NoScript), I was taken to this page – www.myshccommunity.com/privacy.aspx – which clearly has the tracking language included.

2. Rob directly states “As discussed above, the SHC privacy policy clearly discloses that data may be shared with service providers.”

The privacy policy I’m looking at – “In certain circumstances, we may share your customer information with trusted service providers that need access to your information to provide operational or other support services.”

I read the privacy policy to mean that sharing information with service providers is the exception, not the rule.  I don’t interpret Rob’s statement the same way.

3. And no privacy policy would be complete without the “we can change our policy at any time and it’s up to you to continually monitor our site to discover any changes” clause –

“If we change our practices in how we handle personally identifiable information, or if we materially change other aspects of our program, including but not limited to any changes to the scope or nature of incentives provided, we will post these changes on our website, and the changes will be effective immediately upon such posting. If you do not agree with any of the changes, you may remove our application as described above.”

Posted by: Alex, January 3, 2008 2:20 PM

Belchspeak, as I post above: ‘Proxy data I observed being sent to: 209.247.230.166.  Form data I observed being sent: 66.119.41.87’.

-Benjamin

Posted by: Benjamin Googins, January 3, 2008 7:27 PM
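Belchspeak's question above, of how an enterprise would find hosts that have this software installed, can be answered at the network edge with the two destination addresses Ben reports. The script below is an added example and is not part of the original post or of CA's tooling: it scans outbound-connection log lines for those two IPs and lists each internal source host that talked to them. The log format (a simplified "timestamp src_ip src_port dst_ip dst_port proto" line) and the sample lines are constructed for illustration; real firewall or NetFlow exports would need their own parser.

```python
"""Flag internal hosts that connect to the My SHC Community / comScore
collection endpoints reported in this thread.

Added example, not code from the original post or from CA.  The two IPs
are the ones Ben observed (proxy data and form data); the log line format
and SAMPLE_LOG below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Destination addresses reported in the post.  Addresses get reassigned
# over time, so treat a hit as a lead to confirm on the host, not proof.
SHC_ENDPOINTS = {
    ipaddress.ip_address("209.247.230.166"): "proxy data",
    ipaddress.ip_address("66.119.41.87"): "form data",
}


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a well-formed log line.

    Expected (constructed) format:
        <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
    Returns None for anything that does not parse, so one bad line
    does not abort the whole scan.
    """
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        return (
            ipaddress.ip_address(parts[1]),
            ipaddress.ip_address(parts[3]),
            int(parts[4]),
        )
    except ValueError:
        return None


def find_tracked_hosts(lines):
    """Map each source IP that reached a known endpoint to the set of
    endpoint labels it contacted (e.g. {'proxy data', 'form data'})."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _dst_port = rec
        label = SHC_ENDPOINTS.get(dst)
        if label is not None:
            hits[str(src)].add(label)
    return dict(hits)


# Constructed sample log: two internal hosts hit the endpoints, one host
# talks to an unrelated address, and one line is malformed.
SAMPLE_LOG = """\
2008-01-03T09:12:01Z 10.1.4.22 49211 209.247.230.166 80 tcp
2008-01-03T09:12:05Z 10.1.4.22 49212 66.119.41.87 80 tcp
2008-01-03T09:13:10Z 10.1.4.31 50001 198.51.100.7 80 tcp
2008-01-03T09:14:44Z 10.1.7.8 51020 209.247.230.166 80 tcp
garbage line
""".splitlines()


if __name__ == "__main__":
    for host, labels in sorted(find_tracked_hosts(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(sorted(labels)))
```

A host that appears with both labels has gone through the registration form and is now proxying traffic; a host with only "proxy data" has the software running but registered from elsewhere or before the log window. Either way, confirm on the endpoint before acting, since the addresses date from the January 2008 observation and may not belong to the same service today.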

“Hey Dad, did you guys by any chance buy a new sewing machine from Sears on September 30 th ?”

Posted by:  CA Security Advisor Research Blog, January 3, 2008 7:40 PM

Heather,

thanks for your comment.  See: community.ca.com/…/managemyhome-com-another-privacy-issue-for-sears.aspx  My colleague picked up on your comment.

-Ben

Posted by: Benjamin Googins, January 3, 2008 7:43 PM

Sears is Evil.  Hope this costs them millions.

Posted by: james, January 4, 2008 12:38 AM

Thank you so much for keeping us informed.  It appears as though Sears/Kmart has developed a great marketing strategy tool but… at the expense of their consumers’ personal security.  Not good at all.  I’m glad that I have not fallen prey to their marketing program.  Thanks again!

Your expertise and investigative research will be shared with my sphere of influence.  I encourage other mavens to do the same.

Posted by: Girard, January 5, 2008 10:59 AM

Thank you so much for informing us about your research findings.  Evidently Sears/Kmart has developed a great marketing strategy tool.  However, it is at the expense of their customers’ security.  Not good.  I intend to inform everyone in my sphere of influence and encourage other mavens to do the same.  Again… thank you!

Posted by: Girard, January 5, 2008 11:04 AM

Yes, the real buffoon here is Jim Hilt the director of Manage My Home.  See this article that Ben highlighted in his article about what Manage My Home was doing.  Jim is freely talking about the benefit.

findarticles.com/…/ai_n21104858

This guy definitely gets the award for the stupidest web marketer of the year!  Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public.  Since they were so free with my info, I don’t have a problem sharing their info —  I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com — I would guess that Jim’s e-mail address is Jhilt00@searshc.com or jhilt01@searshc.com.

Posted by: mike m, January 7, 2008 10:24 AM

Well, there is one (very minor) indication: you’re asked by the Windows Installer to install a component signed by TMRG, Inc.  The first hit for that on google is http://www.tmrginc.com – “TMRG is an organization dedicated to managing a leading market research community comprised of millions of Internet and mobile consumers from around the … “.

Granted, that wouldn’t mean anything to a non-technically savvy user.

By the way, have a look at TMRG’s license agreement:

www.tmrginc.com/Priv.aspx

Posted by: Matthew, February 5, 2008 8:08 PM

I tried what Heather said above on managemyhome.  This is not true.  You have to answer a number of questions about the address you try, validating that you live there.  The scary thing is what they automatically know if you provide any address – my ex's birthday, my last address, the last county I lived in before, etc.

Posted by: Rob Reeeve, March 10, 2008 12:23 PM
