StopBadware.org Labels Sears and Kmart Community Software as Badware
Application does not fully disclose features and functionality while installed and active
CAMBRIDGE, MA – 01/08/2008 – StopBadware.org, the consumer protection initiative developed to combat badware, today
released its report on Sears Holdings Corporation’s (SHC) “My SHC Community” software application, finding it to be badware because of inadequate
disclosure of extensive tracking and data collection and because the application does not identify itself while running.
The My SHC Community application is installed for a subset of the users who register for the My SHC Community at
http://myshccommunity.com. These users receive an invitation to install the software via e-mail and/or a popup window. Sears Holdings Corporation,
which refers to itself as “SHC,” is the parent company of Sears, Roebuck and Co. and Kmart.
“Sears Holdings Corporation has taken seriously the concerns we have put to them in this report,” said John Palfrey,
co-director of StopBadware.org and executive director of the Berkman Center for Internet and Society at Harvard Law School. “I’m convinced that
Sears Holdings Corporation’s team, along with comScore, is making strides to address the things that make this application badware in our book. In
the meantime, though, it’s important that Internet users realize that we don’t think they’re fully informed about what’s going on with their personal
data when they are using this application in its present form or adequately notified when the software is running.”
The report highlights four areas of concern:
- The Software does not fully, accurately, clearly, and conspicuously disclose the principal and significant features
and functionality of the application prior to installation – The My SHC Community application is installed for a subset of the users who register for
the My SHC Community at myshccommunity.com. These users receive an invitation to install the software via e-mail and/or a popup window. The only
mention of the software’s functionality outside of the privacy policy and user license agreement (ULA) prior to installation is in a sentence of the
fourth paragraph of a six-paragraph introduction to the community. It states that “this research software will confidentially track your online
browsing.” It does not make clear outside the privacy policy and ULA that this includes sending extensive personal data to Sears or that it monitors
all internet traffic, not just browsing.
- Information is collected and transmitted without disclosure in the privacy policy – There are two privacy policies
available to users of My SHC Community and the accompanying software application. All of the behaviors noted in this report are disclosed in one
version, which is shown to and accepted by users during installation. However, when viewing the privacy policy on the website or from the link
included in a registration confirmation e-mail, a different version of the privacy policy, which does not include any information about the software
or its behavior, appears, unless the user is currently logged into the My SHC Community site. This means, for example, that a user checking the
privacy policy from a different PC may not see the privacy policy that s/he originally agreed to.
- Software does not clearly identify itself – While running, the My SHC Community application gives no indication to
the user that it is active. It is also difficult to tell that the application is installed, as there are no Start menu or desktop shortcuts or
other icons to indicate its presence.
- Software transmits data to unknown parties – According to SHC and comScore, the parent company of the software
developer, VoiceFive, the My SHC Community application collects and transmits to Sears Holdings’s servers (hosted by comScore) extensive data,
including websites visited, e-mails sent and received (headers only, not the text of the messages), items purchased, and other records of one’s
internet use. This is not made clear to the user separate from the privacy policy or ULA, as required by StopBadware guidelines. Sears Holdings
Corp. commits in its privacy policy “to make commercially viable efforts to automatically filter confidential personally identifiable
information,” but is unable to guarantee that none of this information will be sent or stored.
“We encourage Sears Holdings Corporation to go all the way to full disclosure and identification, and have provided detailed
recommendations in the report. We look forward to open communication with SHC as they work to bring their application into compliance with our
community-based guidelines,” said Palfrey.
A full copy of the report can be found at http://www.stopbadware.org/home/reports.
About StopBadware.org
StopBadware.org is a nonprofit consumer protection initiative working to combat badware, including malicious software such as
spyware, incessant pop-up ads, or other obtrusive programs. StopBadware.org is led by Harvard Law School’s Berkman Center for Internet & Society and
Oxford University’s Oxford Internet Institute. Consumer Reports WebWatch serves as an unpaid special advisor. The initiative is supported by
Google, Lenovo, PayPal, and VeriSign. For more information, please visit http://www.stopbadware.org.