Researcher: Sears' use of ComScore software falls short on privacy
Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, says Sears and Kmart customers are giving up too much private data when they join a marketing program called "My SHC Community."
Edelman walks through the installation of the ComScore software that powers Sears Holdings Community (SHC) and then argues that Sears falls short of Federal Trade Commission privacy standards. Sears begs to differ and says it gives consumers adequate notice.
Sears may think a notice (582 words per Edelman) with a bunch of legalese that no one will read--privacy statements are crafted so no human can possibly comprehend them--is good enough, but Edelman notes that text noting Sears will "confidentially track your online browsing" is easy to miss.
Edelman's big beef: A Sears user has no clue that he is downloading software and being tracked. He writes:
The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC's installation of ComScore did nothing of the kind.
A few thoughts about Edelman's missive:
Privacy statements are bunk and they need to change. Edelman writes:
Pressing "Join" in the SHC screen takes a user to a "Welcome to My SHC Community" page which requests the user's name, address, and household size. The page then presents a document labeled "Privacy Statement and User License Agreement" -- 2,971 words of text, shown in a small scroll box with just ten lines visible, requiring fully 54 on-screen pages to view in full. The initial screen of text is consistent with the "privacy statement" heading: The visible text indicates that the document describes "what information [SHC] gather[s and] how [SHC] use[s] it" -- typical subjects for a privacy policy. But despite the title and the first screen of text, the document actually proceeds to an entirely different subject, namely downloadable software and its far-reaching effects: The tenth page admits that the application "monitors all of the Internet behavior that occurs on the computer on which you install the application, including ... filling a shopping basket, completing an application form, or checking your ... personal financial or health information." That's remarkably comprehensive tracking -- but mentioned in a disclosure few users are likely to find, since few users will read through to page 10 of the license.
When it comes to privacy statements, Sears is just doing the standard industry practice. What needs to happen is that privacy statements need to be boiled down in a way that's readable. How about a few bullet points noting you are being tracked? That's too user friendly. Besides, no one would download the software.
If this tracking software was kosher Sears wouldn't use a bunch of different names to throw people off the scent. Edelman writes:
The initial SHC email refers to the ComScore software as "VoiceFive." The license agreement refers to the ComScore software as "our application" and "this application." The ActiveX prompt gives no product name, and it reports company name "TMRG, Inc." These conflicting names (see screens) prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name "ComScore" or the product name "RelevantKnowledge," users could run a search at any search engine.
This incident brings to life one of the risk factors about ComScore's business model. As previously noted, ComScore has been up front about the risks of its panels and the reluctance to download its tracking software. Edelman notes:
The basic challenge is that users don't want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore's software entails. There's no good reason why users should share information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users' PCs.
Simply put, these ComScore risk factors--outlined in SEC filings--are more than boilerplate fodder.