|
| BAD OR UNDISCLOSED BEHAVIOR |
| Software does not fully, accurately, clearly, and conspicuously disclose the principal and significant features and functionality of the application prior to installation (guideline II.A.a.iii.) |
|
The My SHC Community application's only mention of the software's functionality outside of the privacy policy and user license agreement (ULA) prior to installation is in a sentence of the fourth paragraph of a six paragraph introduction to the community. It states that "this research software will confidentially track your online browsing." It does not make clear outside the privacy policy and ULA that this includes sending extensive personal data to Sears (see below) or that it monitors all internet traffic, not just browsing.
|
| Information is collected and transmitted without disclosure in the privacy policy (guideline II.C.) |
|
There are two privacy policies available to users of My SHC Community and the accompanying software application. All of the behaviors noted in this report are disclosed in one version, which is shown to and accepted by users during installation. However, when viewing the privacy policy on the website or from the link included in a registration confirmation e-mail, a different version of the privacy policy, which does not include any information about the software or its behavior, appears, unless the user is currently logged into the My SHC Community site. This means, for example, that a user checking the privacy policy from a different PC may not see the privacy policy that s/he originally agreed to.
|
| Software does not clearly identify itself (guideline III.B.) |
|
While running, the My SHC Community application gives no indication to the user that it is active. It is also difficult to tell that the application is installed, as there are no Start menu or desktop shortcuts or other icons to indicate its presence.
|
| Software transmits data to unknown parties (guideline III.E.) |
|
According to SHC and comScore, the parent company of the software developer, VoiceFive, the My SHC Community application collects and transmits to Sears Holdings's servers (hosted by comScore) extensive data, including websites visited, e-mails sent and received (headers only, not the text of the messages), items purchased, and other records of one's internet use. This is not made clear to the user separate from the privacy policy or ULA, as required by StopBadware guidelines. Sears Holdings Corp. commits in its privacy policy "to make commercially viable efforts to automatically filter confidential personally identifiable information," but is unable to guarantee that none of this information will be sent or stored.
|
| Recommendations |
| We recommend that Sears Holdings Corporation makes the following changes: |
- Provide clear, conspicuous text, in the context of installing the software and/or accepting the ULA, and separate from the privacy policy and ULA, that explains the nature of the software's data collection behavior. It is critical that this makes clear to a user the full range of behavior that will be tracked and data that will be collected.
- Provide a single, unified privacy policy to all members of the My SHC Community to avoid confusion.
- Work with the software developer to provide an indication to the user (such as a system tray/notification area icon) when the application is running.
|
|
We currently recommend that users do not install the version of My SHC Community that we tested,
unless the user is comfortable with the level of risk we identify or until the application
is updated consistent with the recommendations in this report.
|
| Updates |
| January 28, 2008 |
| Sears Holdings Corp. has demonstrated that the changes mentioned in the Jan. 8 update are in place. Users invited to install the MySHCCommunity software are now provided with clearer information about the software's function. The application now adds start menu shortcuts that indicate the application's presence and provide uninstallation instructions. The application still does not provide notice to the user that it is running in the background, but SHC has indicated that they are working to change this. |
| January 8, 2008 |
| Sears Holding Corporation (SHC) has informed StopBadware that SHC is significantly improving the My SHC Community application disclosure and privacy policy language and adding a Start menu icon in an effort to comply with our guidelines and address privacy concerns. They expect these changes to be implemented within 48 hours. We have not evaluated these planned changes at this time. SHC has also informed us that they have suspended invitations to new users to install the application until these changes are implemented. |
| February 16,2008 |
| Sears Holding Corporation (SHC) has informed StopBadware that it has added a system tray icon to the My SHC Community application to ensure that users of the software are aware that the software is running on their computers. |
|
|
|
