Free Republic

Sears: Come see the softer side of spyware
ars technica | 1/2/08 | Jacqui Cheng

Posted on 01/02/2008 5:52:58 PM PST by LibWhacker

Sears and Kmart are places you might go when you need a new air conditioner filter or a lawnmower; they're not generally thought of as havens for spyware. But that's what the two stores have become, at least online, where their websites were found to be installing software to track users' every online move—all without their knowledge. Security researchers are now hammering Sears (the owner of both Sears.com and Kmart.com) for the move, despite Sears' claims that users were notified adequately beforehand.

The story goes like this: late last year, Sears.com and Kmart.com began asking users if they wanted to participate in a "community" online (presumably a community made up of Sears and Kmart aficionados). In late December, security researcher Benjamin Googins at Computer Associates noticed, however, that the "community" actually installed software from comScore, a market research firm, in order to track the web activities of the sites' visitors.

Googins stated on his company's blog that Sears had installed spyware which transmitted everything—"including banking logins, email, and all other forms of Internet usage"—to comScore for analysis. This was all allegedly done with no notice that anything was being installed, and it ran contrary to documentation about the community that said any data collected would stay within Sears' hands at all times.

But wait, there's more! In an update to his original post, Googins noted that Sears actually offers a slightly different privacy policy—via the same URL—to compromised computers versus those that have yet to install the software. "If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned down version (like 'provide superior service')," he wrote.

Surprisingly, Sears VP Rob Harles responded to Googins' original post, stating that the company "goes to great lengths to describe the tracking aspect." He claims that "clear notice" is provided to users multiple times throughout the signup process. The "community" continued on.

Now, spyware researcher Ben Edelman has taken a look at the situation, and he agrees with Googins' assessment. Edelman heavily scrutinized all documentation that came with signing up for the community and found a few mentions of tracking software buried deep within the tangled legalese (for example, one mention was on page 10 of a 54-page license document). This, he says, goes against regulations by the Federal Trade Commission that require clear, unavoidable disclosure and "express consent" from the user before installing such software.

The two vague disclosures that Edelman found both fail to meet the FTC's standards, he says, and he argues that Harles couldn't possibly be more incorrect in his assertions that Sears goes to great lengths—or any lengths at all—to inform users of what's going on.

The whole incident is reminiscent of another recent privacy blunder by Facebook, where its Beacon application tracked user activity elsewhere on the web and reported it back to the site for the world to see. The difference is that Facebook reacted relatively quickly to the community outrage (that is, the real, actual Facebook community, and not a nebulous term to describe being tracked by a retailer) and made significant changes to how Beacon interacted with the users it was tracking. The situation is still not perfect—the tool still tracks users' activity even if they choose not to have it displayed—but it puts Facebook light-years ahead of where Sears is right now. As of today, Sears' online community—complete with very detailed comScore tracking software—is still available online.


TOPICS: Computers/Internet
KEYWORDS: malware; sears; spyware

1 posted on 01/02/2008 5:53:02 PM PST by LibWhacker

To: LibWhacker

This deserves a bump if only to highlight the incredible stupidity of the people at Sears IT.


2 posted on 01/02/2008 5:57:51 PM PST by txzman (Jer 23:29)

To: LibWhacker

Sears executives are scuttling the company, so this doesn’t surprise me.


3 posted on 01/02/2008 5:59:09 PM PST by Gondring (I'll give up my right to die when hell freezes over my dead body!)

To: txzman

Or the stupidtitty of people who still shop at Sears


4 posted on 01/02/2008 6:01:18 PM PST by steveo (Time flies like an arrow, fruit flies like a banana.)

To: txzman
"This deserves a bump if only to highlight the incredible stupidity of the people at Sears IT. "

Ideas like this usually come from marketing departments.

5 posted on 01/02/2008 6:11:35 PM PST by antinomian (Show me a robber baron and I'll show you a pocket full of senators.)

To: Tax-chick; steveo
Or the stupidtitty of people who still shop at Sears
6 posted on 01/02/2008 6:25:51 PM PST by martin_fierro (< |:)~)

To: LibWhacker
"If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned down version (like 'provide superior service'),"

With a lifetime guarantee on all CraftsRootkit Personal Hacked Computer Tools !

7 posted on 01/02/2008 6:27:18 PM PST by Mr_Moonlight (Patriots 16W at exit 16W)

To: LibWhacker
Sears actually offers a slightly different privacy policy—via the same URL—to compromised computers versus those that have yet to install the software. "If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned down version (like 'provide superior service'

Wait. Let me try to comprehend this. It tells you what it's doing only AFTER you install the software? It's as if the fine print is written in invisible ink that only becomes visible after you sign the contract.

It might be legal but it violates every code of ethics I've ever seen.

8 posted on 01/02/2008 6:29:33 PM PST by irv

To: ShadowAce

tech ping


9 posted on 01/02/2008 8:09:00 PM PST by JoJo Gunn (Help control the Leftist population. Have them spayed or neutered. )

To: devolve; LibWhacker

Wow, my one daughter does office work for Sears. I’ll have to send her that link!


10 posted on 01/02/2008 8:19:37 PM PST by potlatch ("Life may not be the party we hoped for, but while we're here we might as well dance!")

To: potlatch

.

Not smart of Sears

It sounds actionable in class actions

Deliberate and knowing violation of federal regulations


11 posted on 01/02/2008 8:30:52 PM PST by devolve (---- - Hey Boone! - My bonus check is late again! -)

To: devolve

She just told me recently that she has ‘her own private email address’ at Sears and it is alright to send ‘important’ letters - not jokes, etc.

I told her that the company probably still monitors her email. Already sent her the link.


12 posted on 01/02/2008 8:47:55 PM PST by potlatch ("Life may not be the party we hoped for, but while we're here we might as well dance!")

To: LibWhacker

I have a conspiracy theory!

Since this began last year (maybe about the same time Kmart acquired Sears - I don’t really know the date when Kmart acquired Sears), maybe Kmart is responsible for the websites doing this. How else would Kmart be able to acquire a large retailer like Sears without some shady tactics....

Just thought I’d make a random conspiracy theory :)


13 posted on 01/03/2008 1:12:36 AM PST by 1FASTGLOCK45 (FreeRepublic: More fun than watching Dem'Rats drown like Turkeys in the rain! ! !)

To: 1FASTGLOCK45

“how else would Kmart be able to acquire a large retailer like Sears without some shady tactics....”

Because the CEO of Kmart figured out that the real estate Sears owned was more valuable than the stores. He leveraged the land/leases/stores for debt to buy the company, and made a huge profit doing so.

Tells you previous owners of Sears were asleep at the wheel.


14 posted on 01/03/2008 4:34:28 AM PST by txzman (Jer 23:29)

To: LibWhacker; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

15 posted on 01/03/2008 5:08:36 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: LibWhacker; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

16 posted on 01/03/2008 5:30:25 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

I’m speechless. As anyone who knows me would say, that’s pretty darned unusual.


17 posted on 01/03/2008 6:51:09 AM PST by zeugma (Hillary! - America's Ex-Wife!)

To: LibWhacker

Bump...


18 posted on 01/03/2008 7:03:31 AM PST by tubebender (Lost another one to the Tag Line bandit...)

To: LibWhacker; All

Is there an easy check to see if this has been installed on a machine?????


19 posted on 01/03/2008 8:47:29 AM PST by is_is (VPD of Sgt Daniel, Formerly with the 2/5 - "Sleep Well America......Our Marines have your Back")

Bump. for more visibility.


20 posted on 01/03/2008 9:50:26 AM PST by zeugma (Hillary! - America's Ex-Wife!)

To: is_is
Ad-Aware and Spybot S&D are two pretty good anti-spyware packages. Both have free versions and do a pretty good job of identifying where the spyware is coming from, or who is responsible for putting it on your computer.
21 posted on 01/03/2008 1:06:29 PM PST by LibWhacker (Democrats are phony Americans)

To: is_is

In other words, I can’t think of an easier check to see if Sears’ spyware has been installed on your computer.

Now, if you didn’t want to download, install and run one of those packages (or something similar), and you know the ‘name’ of Sears’ registry entry, you could search the registry directly and if you found it, delete it.

But as you probably know, messing around with the registry is not something novices should be doing. In fact, it’s better if novices didn’t even know of its existence.

Not that novices can’t do it. They can and do. Successfully. But I think most who try to play around with the registry screw it up royally and then have to spend a day or two re-formatting their hard disk, re-installing the OS and all their apps, etc.

I’m only telling you this, is_is, not because I think you’re a newbie, but only because there might be some real computer newbies out there who are reading my words and thinking of playing around with their registries. Then later they will blame me for their computer woes. DON’T DO IT, guys (unless you study a book about the registry first and know what you’re getting into).


22 posted on 01/03/2008 1:38:37 PM PST by LibWhacker (Democrats are phony Americans)

To: LibWhacker

Had another Sears disaster today. Two repair men - one says he has to “go out to the truck” and when I didn’t see the front door open, I got up to look and he was opening my bedroom door. I said, “what are you doing” and he said “looking for the garage”. Except that he had just been in the garage - and it’s a few rooms away from the bedroom. Sears needs to get their act together. Getting my fridge fixed has gone from bad service to now, verging on the criminal. I hate to pay more for appliances, but I’ll never buy from these guys again. Goodbye Sears.


23 posted on 08/02/2008 12:15:15 PM PDT by GOPJ

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson