The Softer Side of Spyware from Sears, Kmart

If you visited Sears.com or Kmart.com and agreed to join their "online community," you may have installed spyware without your knowledge.

Late last year, Sears.com and Kmart.com reportedly began asking users if they wanted to participate in a "community" online -- presumably a community made up of Sears and Kmart partners. In late December, security researcher Benjamin Googins of Computer Associates noticed that the "community" actually installed software from comScore, a market research firm, in order to track the web activities of the site's visitors.

Googins noted on his company's blog that the spyware installed by Sears transmitted everything from banking logins, email, and all other forms of Internet usage to comScore for analysis all in the name of 'community' participation. This was done without notice, an act contrary to documentation about the community from Sears saying that any data collected would stay within Sears' hands at all times.

In an update to his original post, Googins noted that Sears does offer a slightly different privacy policy -- via the same URL -- to compromised computers versus those that have yet to install the software. "If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned-down version (like 'provide superior service')," he wrote.

Sears VP Rob Harles responded to Googins' original post by stating that the company "goes to great lengths to describe the tracking aspect," and that "clear notice" is provided to users multiple times throughout the sign-up process.

Spyware researcher Ben Edelman looked at the situation and agreed with Googins. After heavily scrutinizing all the documentation that came with signing up for the community he found a few notices of tracking software buried deep within the tangled legalese (one warning was made on page 10 of a 54-page license document). Edelman says this goes against regulations by the Federal Trade Commission requiring clear, unavoidable disclosure and "express consent" from the user before installing that type of software.

Edelman says the two vague disclosures found don't meet the FTC's standards, and he argued that Harles couldn't possibly be more incorrect in asserting that Sears goes to great lengths, or any lengths at all, to inform users of what's going on.

Once the software is installed there is no indication on the system that it exists. As noted by Schneier, if a 'kid' did this sort of thing, he would be immediately arrested.

Visit Bill's Links and More for more great tips, just like this one!