StopBadware.org said Tuesday it has labeled the Sears and Kmart community software known as My SHC Community as "badware," or spyware.
The nonprofit organization run by Harvard Law School, Oxford University, and Consumer Reports WebWatch said it cited the Sears Holding Corporation community in particular "because of inadequate disclosure of extensive tracking and data collection and because the application does not identify itself while running."
In response to several accusations that it collects personal information without proper disclosure, My SHC Community has dramatically revised its Web site since last week. It has, among other changes, added a prominent link to its privacy policy.
At issue is the installation of tracking software from ComScore, an online data marketing firm. ComScore has maintained over the years that its data collection methods do not qualify as spyware. However, several leading antispyware researchers disagree.
In a statement (PDF), StopBadware.org said: "Sears Holding Corporation (SHC) has informed StopBadware that SHC is significantly improving the My SHC Community application disclosure and privacy policy language and adding a Start menu icon in an effort to comply with our guidelines and address privacy concerns. They expect these changes to be implemented within 48 hours."
However, late Tuesday, StopBadware.org said it has not changed its designation of SHC Community. "We have not evaluated these planned changes at this time. SHC has also informed us that they have suspended invitations to new users to install the application until these changes are implemented."
Online shoppers who signed up for the "Sears Holdings Community" ("My SHC Community" or "SHC") this holiday season got a gift that keeps on giving: spyware.
Sears defends its actions by saying it clearly notified customers before they accepted the software installation. However, several antispyware researchers found the Sears notification process fails to call out that users' online activities (including logging in to bank accounts) will be recorded and that it generally falls below industry standards.
The concern focuses on software installed by ComScore, an online data marketing firm. ComScore states on its Web site that it "maintains massive proprietary databases that provide a continuous, real-time measurement of the myriad ways in which the Internet is used and the wide variety of activities that are occurring online." The company has maintained over the years that its data collection methods do not qualify as spyware. However, several leading antispyware researchers disagree.
The controversy was first reported at the end of December by a senior researcher in the Anti-Spyware unit at Computer Associates, Benjamin Googins. In a blog post, Googins related his own experience in joining the Sears Holdings Community, "a place where your voice is heard and your opinion matters." Although an initial sign-up e-mail informed Googins of potential tracking opportunities, the online registration site itself does not. Nor does the Sears privacy policy clearly state what is and is not being tracked.
Rob Harles, a senior vice president of SHC, responded in a post to Googins' blog. In his post, Harles said, "The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed." Googins says that a quick scan of older press releases shows that Harles was formerly a senior vice president at ComScore.
Veteran antispyware researcher Benjamin Edelman agrees with Googins. In a recent blog post, Edelman stated, "the limited SHC disclosure provided by email lacks the required specificity as to the nature, purpose, and effects of the ComScore software."
Specifically, Edelman cites that "the initial SHC email refers to the ComScore software as 'VoiceFive.' The license agreement refers to the ComScore software as 'our application' and 'this application.' The ActiveX prompt gives no product name, and it reports company name 'TMRG, Inc.' These conflicting names prevent users from figuring out what software they are asked to accept."





