Spyware found in Sears online community installation
A service promising an online community delivers online tracking instead, say security experts.
Online shoppers who signed up for the "Sears Holdings Community" ("My SHC Community" or "SHC") this holiday season got a gift that keeps on giving: spyware.
Sears defends its actions by saying it clearly notified customers before they accepted the software installation. However, several antispyware researchers found that the Sears notification process fails to call out that users' online activities (including logging in to bank accounts) will be recorded, and that the process generally falls below industry standards.
The concern focuses on software installed by ComScore, an online data marketing firm. ComScore states on its Web site that it "maintains massive proprietary databases that provide a continuous, real-time measurement of the myriad ways in which the Internet is used and the wide variety of activities that are occurring online." The company has maintained over the years that its data collection methods do not qualify as spyware. However, several leading antispyware researchers disagree.
Rob Harles, a senior vice president of SHC, responded in a post to Googins' blog. In his post, Harles said, "The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed." Googins says that a quick scan of older press releases shows that Harles was formerly a senior vice president at ComScore.
Veteran antispyware researcher Benjamin Edelman agrees with Googins. In a recent blog post, Edelman stated, "the limited SHC disclosure provided by email lacks the required specificity as to the nature, purpose, and effects of the ComScore software."
Specifically, Edelman notes that "the initial SHC email refers to the ComScore software as 'VoiceFive.' The license agreement refers to the ComScore software as 'our application' and 'this application.' The ActiveX prompt gives no product name, and it reports company name 'TMRG, Inc.' These conflicting names prevent users from figuring out what software they are asked to accept."