Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, says Sears and Kmart customers are giving up too much private data when they join a marketing program called "My SHC Community."
Edelman walks through the installation of the ComScore software that powers Sears Holdings Community (SHC) and then argues that Sears falls short of Federal Trade Commission privacy standards. Sears begs to differ and says it gives consumers adequate notice.
Sears may think a notice (582 words per Edelman) with a bunch of legalese that no one will read--privacy statements are crafted so no human can possibly comprehend them--is good enough, but Edelman notes that the text stating Sears will "confidentially track your online browsing" is easy to miss.
Edelman's big beef: A Sears user has no clue that he is downloading software and being tracked. He writes:
The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC's installation of ComScore did nothing of the kind.
A few thoughts about Edelman's missive:
Privacy statements are bunk and they need to change. Edelman writes:
When it comes to privacy statements, Sears is just following standard industry practice. Privacy statements need to be boiled down into something readable. How about a few bullet points noting you are being tracked? That's too user friendly. Besides, no one would download the software.
If this tracking software were kosher, Sears wouldn't use a bunch of different names to throw people off the scent. Edelman writes:
The initial SHC email refers to the ComScore software as "VoiceFive." The license agreement refers to the ComScore software as "our application" and "this application." The ActiveX prompt gives no product name, and it reports company name "TMRG, Inc." These conflicting names (see screens) prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name "ComScore" or the product name "RelevantKnowledge," users could run a search at any search engine.
This incident brings to life one of the risk factors in ComScore's business model. As previously noted, ComScore has been up front about the risks of its panels and users' reluctance to download its tracking software. Edelman notes:
The basic challenge is that users don't want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore's software entails. There's no good reason why users should share information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users' PCs.
Simply put, these ComScore risk factors--outlined in SEC filings--are more than boilerplate fodder.