My colleague, Dennis Fisher, has already blogged about Sears using spyware on its customers. But since I’ve come across plenty of blog chatter that reflects his opinion and mine, I’ve decided to offer my two cents. So thanks for indulging me this week…
Every now and then, a big company does something to remind us how easy it is to get burned when conducting commerce in cyberspace. The latest example comes from retail giant Sears, which has decided it’s OK to use spyware on its customers.
Ben Googins, a senior researcher in CA’s antispyware division, tripped over the practice during some online holiday shopping and outlined his experience in a CA blog posting.
Here’s how he explains it in his write-up:
“Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage — including banking logins, email, and all other forms of Internet usage — all in the name of ‘community participation.’ Every Web site visitor that joins the Sears community installs software that acts as a proxy to every Web transaction made on the compromised computer. In other words, if you have installed Sears software (the proxy) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the ‘community,’ very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is ‘genetically’ related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other Web sites.”
Rob Harles, a senior vice president of Sears Holdings Community (SHC), denied that Sears is monitoring customers with spyware in a response to Googins’ blog posting. “The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed,” he insisted.
Looking around the blogosphere, I see that several security experts are as unmoved by Harles’ claims as I am.
Let’s start with a blog analysis from Benjamin Edelman, whom I consider to be one of the best antispyware researchers out there.
Edelman writes that he reviewed the installation sequence and agrees with Googins that it offers very little mention of software or tracking and otherwise falls short of industry standards. He then offers a step-by-step breakdown of his own review.
Of Harles’ claims that the installer provides “a progress bar that they [users] can abort,” Edelman writes, “I disagree. The video and screenshots are unambiguous: The SHC installer shows no progress bar and offers no abort button.”
Security luminary Bruce Schneier writes in his blog that if “a kid with a scary hacker name did this sort of thing, he’d be arrested.” But, he continues, “this is Sears, so who knows what will happen to them. But what should happen is that the antispyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.”
I agree. Companies that do this love to hide behind their user license agreements, which are often bogged down with legalese and confusing to customers, who accept the terms anyway because they lack the legal aptitude to see what they’re getting into. In this case, Sears buries the truth of what it is doing.
Consumers need to know that when they do business online, the vendor is doing everything possible to protect their personal information. Once in a while, we find that a vendor’s network security efforts were insufficient, allowing hackers to access that data. That’s what happened at TJX.
But as far as I’m concerned, it’s just as bad — if not worse — when it’s the company you’re doing business with that uses specialized code to invade your privacy.
If Sears is going to insist that there’s nothing wrong with this practice, the only solution is to do business someplace else.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.