Researcher: Sears' use of ComScore software falls short on privacy


Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, says Sears and Kmart customers are giving up too much private data when they join a marketing program called "My SHC Community."

Edelman walks through the installation of the ComScore software that powers Sears Holdings Community (SHC) and then argues that Sears falls short of Federal Trade Commission privacy standards. Sears begs to differ and says it gives consumers adequate notice.

Sears may think a notice (582 words per Edelman) full of legalese that no one will read--privacy statements are crafted so no human can possibly comprehend them--is good enough, but Edelman notes that the text stating Sears will "confidentially track your online browsing" is easy to miss.

Edelman's big beef: A Sears user has no clue that he is downloading software and being tracked. He writes:

The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC's installation of ComScore did nothing of the kind.

A few thoughts about Edelman's missive:

Privacy statements are bunk and they need to change. Edelman writes:

Pressing "Join" in the SHC screen takes a user to a "Welcome to My SHC Community" page which requests the user's name, address, and household size. The page then presents a document labeled "Privacy Statement and User License Agreement" -- 2,971 words of text, shown in a small scroll box with just ten lines visible, requiring fully 54 on-screen pages to view in full. The initial screen of text is consistent with the "privacy statement" heading: The visible text indicates that the document describes "what information [SHC] gather[s and] how [SHC] use[s] it" -- typical subjects for a privacy policy. But despite the title and the first screen of text, the document actually proceeds to an entirely different subject, namely downloadable software and its far-reaching effects: The tenth page admits that the application "monitors all of the Internet behavior that occurs on the computer on which you install the application, including ... filling a shopping basket, completing an application form, or checking your ... personal financial or health information." That's remarkably comprehensive tracking -- but mentioned in a disclosure few users are likely to find, since few users will read through to page 10 of the license.

When it comes to privacy statements, Sears is just following standard industry practice. What needs to happen is that privacy statements get boiled down into something readable. How about a few bullet points noting you are being tracked? That's too user friendly. Besides, no one would download the software.

If this tracking software were kosher, Sears wouldn't use a bunch of different names to throw people off the scent. Edelman writes:

The initial SHC email refers to the ComScore software as "VoiceFive." The license agreement refers to the ComScore software as "our application" and "this application." The ActiveX prompt gives no product name, and it reports company name "TMRG, Inc." These conflicting names (see screens) prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name "ComScore" or the product name "RelevantKnowledge," users could run a search at any search engine.

This incident brings to life one of the risk factors about ComScore's business model. As previously noted, ComScore has been up front about the risks of its panels and the reluctance to download its tracking software. Edelman notes:

The basic challenge is that users don't want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore's software entails. There's no good reason why users should share information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users' PCs.

Simply put, these ComScore risk factors--outlined in SEC filings--are more than boilerplate fodder.


Talkback

3 comments
  • Sears is NOT a nice company....

    I have no doubt that Sears is being less than transparent in virtually anything they do. One only has to look back to 1999 when they pled guilty to pursuing settlements from customers who had already filed for bankruptcy. See below.

    http://findarticles.com/p/articles/mi_hb4360/is_199902/ai_n15228726

    I repeat...Sears is NOT a nice company.
    MGP2
    • I would expect nothing less from Sears!

      Well, that's not quite true; this does shock me -- rather blatant for a company already known and targeted by so many legal watchdogs!

      Sears has repeatedly been caught with stuff like this, primarily in the auto repair and financial services areas. They've been sued -- generally resulting in guilty pleas and consent decrees -- by Attorneys General in many states over many issues, over a long period of time. Attorneys General from 40 states were involved in the case where they illegally pressured people under bankruptcy protection to sign reaffirmation agreements, and then didn't file them promptly with the courts to evade any oversight.

      I stopped doing business with Sears a decade ago, when I realized that these were not isolated incidents, but part of a broad pattern.

      I guess people don't read the news or have short memories, because they're still in business.
      Bob.Kerns
  • relevantknowledge

    Please be assured that comScore, the parent company of RelevantKnowledge, has invested substantial resources in making our data collection and privacy practices the best they can possibly be. Our company adheres to industry-accepted best practices regarding the collection and secure storage of the data collected by software such as RelevantKnowledge.
    comScore is recognized as a leader in the privacy space by organizations such as the Online Trust Alliance, where our co-founder Gian Fulgoni was a panelist earlier this year, along with representatives from the FTC and TRUSTe. (link to http://blog.comscore.com/2012/01/comscore_ftc_and_truste_headline_privacy_town_hall.html).
    If you have further questions about RelevantKnowledge, please visit our website: http://www.relevantknowledge.com/faq.aspx
    Thank you,
    RelevantKnowledge Customer Support Team
    zeeshan1153