Sears Privacy Problems: Those Who Can Not Remember the Past and All That
You expect to start the new year with fresh ideas, big plans and maybe a resolution or two. What we don't want is a re-run of last year's stories, but it looks like that is just what we are getting. Ben Edelman and Ars Technica are discussing the story of Sears and Kmart's misadventures with online customer tracking, first reported by the CA Security Advisor blog. And to think I used to worry about "bad guys" trying to steal my bank login credentials. How about this from the CA blog:
Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.
Bank logins? Are you kidding? Even if a participant in the "community" read the full details of the privacy policy (which I haven't), I wonder if they would know their bank logins are tracked. But then again, that whole thing about reading "the" privacy policy should really be about reading "a" privacy policy. Yes, it seems there are a couple of different versions. According to Ars Technica:
But wait, there's more! In an update to his original post, Googins noted that Sears actually offers a slightly different privacy policy—via the same URL—to compromised computers versus those that have yet to install the software. "If you access that URL with a machine compromised by the Sears proxy software, you will get the policy with direct language (like 'monitors all Internet behavior'). If you access the policy using an uncompromised system, you will get the toned down version (like 'provide superior service')," he wrote.
I am jaded enough not to be surprised by someone trying to track my every move with software I agreed to download. What surprises me is that someone would think they could get away with such techniques without being detected by the likes of the major security vendors' research labs.
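Detecting a silently installed interception proxy like the one described above does not need a research lab either. The most basic check is whether the system's own proxy configuration points back at the machine itself, because a "proxy to every web transaction" that has to see all of a browser's traffic is, from the operating system's point of view, just a loopback proxy setting plus a process listening on that port. The script below is an added example, not code from the original post or from CA, Ars Technica or Sears: it reads the proxy settings through Python's urllib.request.getproxies() (environment variables on Unix, the registry on Windows, System Configuration on macOS), flags entries that route traffic to a loopback address, and probes whether anything is actually listening there. The sample mapping in the __main__ block is constructed to show the output shape and is an assumption for illustration, not the actual Sears proxy configuration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Hostnames that always mean "this machine" even before any DNS lookup.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_proxy(proxy_url):
    """Split a proxy setting into (host, port), tolerating the bare
    'host:port' form that some proxy settings use. Returns None if the
    value has no usable host or a malformed port."""
    if "://" not in proxy_url:
        proxy_url = "http://" + proxy_url
    try:
        parts = urlsplit(proxy_url)
        host = parts.hostname
        port = parts.port or 80  # HTTP default when the setting omits a port
    except ValueError:  # e.g. 'http://127.0.0.1:abc' or a broken IPv6 literal
        return None
    if not host:
        return None
    return host, port


def is_loopback_host(host):
    """True if the host is a loopback name or a loopback IP (v4 or v6)."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so a remote hostname
        return False


def find_local_proxies(proxies):
    """Given a {scheme: proxy_url} mapping in the shape returned by
    urllib.request.getproxies(), return [(scheme, host, port), ...] for
    every entry that routes traffic back into this machine."""
    found = []
    for scheme in sorted(proxies):
        parsed = parse_proxy(proxies[scheme])
        if parsed and is_loopback_host(parsed[0]):
            found.append((scheme, parsed[0], parsed[1]))
    return found


def port_is_listening(host, port, timeout=0.5):
    """Probe whether a TCP listener answers on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_system_proxies(proxies=None):
    """Audit the live system proxy settings (or a supplied mapping) and
    report each loopback proxy together with whether it is really up."""
    if proxies is None:
        proxies = urllib.request.getproxies()
    return [
        {"scheme": scheme, "host": host, "port": port,
         "listening": port_is_listening(host, port)}
        for scheme, host, port in find_local_proxies(proxies)
    ]


if __name__ == "__main__":
    # Constructed sample in the shape getproxies() returns; an assumption
    # for illustration, not the actual Sears proxy configuration.
    sample = {
        "http": "http://127.0.0.1:8080",
        "https": "http://127.0.0.1:8080",
        "ftp": "http://proxy.corp.example:3128",
    }
    print("loopback entries in the sample settings:", find_local_proxies(sample))
    findings = audit_system_proxies()
    if not findings:
        print("no loopback proxy configured on this system")
    for f in findings:
        print("{scheme} traffic goes through {host}:{port} "
              "(listening: {listening})".format(**f))
```

A loopback proxy is not automatically malicious (developer tools and some corporate filters use the same trick), so the finding is a prompt to look at which process owns the listening port, not a verdict. Note also that a proxy that a browser was configured to use through its own settings rather than the system's will not show up here; the same logic applies, only the source of the proxy mapping changes.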
I'd like to suggest a New Year's resolution to all the Web marketing gurus who cook up ideas like this: do a cost-benefit analysis before tracking your customers' every move, to determine whether the marginal gain in demographic information outweighs the negative customer reaction when we find out our bank logins are tracked.
Will Sears be this year's TJX?