Published: December 22 2007, 12:01 AM by Benjamin Googins
Earlier today, comments were submitted by Rob Harles, VP SHC Community, to my original blog posting titled "Sears.com: Join the Community - Get Spyware", using the comment feature at the bottom of the page. Unfortunately, it doesn't look like our CMS can handle a comment that large, so I am posting it in its entirety here along with my response.
Rob's comments on the Sears blog post
Author: Rob Harles, VP SHC Community
"In response....
I don't usually respond to blogs, but in this case I thought it necessary to set the record straight about the My SHC Community.
First and absolutely foremost, the SHC Community is comprised of members whose expressed interest is in sharing their ideas and views with Sears Holdings. This is the explicit purpose that is disclosed in any and all invitations, and the ground rules are well articulated. The current version of the Community focuses primarily on gathering opinions via surveys, but future functionality and content is being shaped by the members themselves, and we hope to broaden the scope and dynamics of the site in the near future.
Second, it is essential to understand that there are two groups of members in the My SHC Community, those that only fill out a profile and simply participate (the vast majority), and those that are invited and explicitly agree to have their Internet browsing tracked (a small sub-sample). The sub-sample is small by design, and the data that is collected is aggregated, anonymous and used by Sears Holdings to improve our customers' Internet experience and help guide the future development of Community.
This distinction is crucial because Mr. Googins suggests that all members are tracked - they are not. To clarify, Mr. Googins states that "Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer." This statement is absolutely incorrect. In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail. Becoming a tracked member of the My SHC Community is by invitation only. Invitations are generated randomly and kept to a minimum by design.
With regard to informed consent, I strongly disagree with Mr. Googins' claims that there is a lack of informed consent relating to the members who have explicitly agreed to be tracked. My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation. Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy and user licensing agreement (the same ULA Mr. Googins describes as containing "direct, clear language" and that does "a reasonable job of explaining clearly how the proxy operates"). We provide additional notice of the tracking feature in the form of a welcome email that is sent to everyone after they become a member.
Mr. Googins goes on to state that the "direct, clear language [of the Privacy Policy] been removed and replaced." For the record, the privacy policy has never been altered in the life of the Community. I am not sure what Mr. Googins' experience was, but to clarify, there are two privacy policies: one for non-tracked members and one for tracked (the one I think he was referring to originally). The privacy policy for people who join through the website link or general invitation does not contain any language regarding tracking because, as stated above, these people are not being tracked nor will they ever be.
Any potential tracked member is given very clear explanations throughout the registration process concerning the purpose of the community, what "tracking means", what software will be downloaded, what will be done with the data, a detailed privacy statement in plain English, several opportunities in the download process to decline loading any software, reminders that software will be loaded if they accept, a progress bar that they can abort, and instructions on how to opt out of the Community and remove the application if they change their minds. A help link is also provided if people have any difficulties with any of the above. The tracked member privacy policy is also displayed permanently in the Privacy Policy tab on the membership site when tracked members log in.
With regard to the software generated by a third party, yes we do use a third party to provide this software and collect data. This is also disclosed to tracked members. Sears Holdings is not in the business of developing software, so we turn to third parties as do many major corporations. The vendors we select to work with must abide by stringent privacy policies and codes of conduct. Our vendors must abide by the law. As stated in the privacy policy, any data collected through the My SHC Community is "stored on a secure database owned by Sears." It is encrypted and managed very carefully within strict guidelines established at the beginning of this project. The privacy policy also clearly states that "we may share your customer information with trusted service providers that need access to your information to provide operational or other support services." A vendor may operate some of the technology behind the panel, but the vendor cannot, and does not, use that data for any purpose other than for providing services to Sears Holdings.
Finally, I also feel I should respond to what Mr. Googins refers to as "Unresolved Questions."
- Why didn't Sears disclose that my data, that related to registration and data sent by the proxy, is actually sent to comScore?
As discussed above, the SHC privacy policy clearly discloses that data may be shared with service providers. comScore is simply a service provider to Sears Holdings.
- Why has Sears removed all the clear language from the Privacy Policy and replaced it with vague legal language?
As stated before, Sears Holdings did not remove language from any Privacy Policy, Mr. Googins simply did not recognize that there are two separate and distinct policies.
- Why isn't the registration process clear that the user is actually signing up to install tracking software?
We believe that the registration process is very clear, and is reinforced by post-registration notices, emails that provide additional information about the scope of the program. We are also always open to suggestions (this is the spirit of the Community - to engage in open dialog)."
What follows is a response to Rob's comments above.
Rob says: "This statement is absolutely incorrect. In actual fact, it is impossible to become a tracked member of the My SHC Community by simply joining through the website link or general e-mail. Becoming a tracked member of the My SHC Community is by invitation only. Invitations are generated randomly and kept to a minimum by design."
Ben responds: The installation process I documented in my original post is exactly how I described it. In fact, I pulled up that same email I received from searsholdings@myshccommunity.com. I received this email by entering my email address into a popup ad that displayed as soon as I navigated to Sears.com. After going through the process I documented on my original posting, I received the Sears proxy. This install process required me to do nothing special, other than enter my email address at Sears.com. The install process made no prominent notice regarding the true nature of the software.
Rob says: "My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation."
Ben responds: When I analyzed the install process against the CA Anti-Spyware Scorecard, it clearly failed on criterion number 2: 'Installs itself or any other item without clear notice to user and obtaining user permission at time of installation.' The initial email was the only place where I found any reference to "software" or "tracking". As noted before, this is buried in the middle of the fourth paragraph with only one real sentence describing the software - in a 7-paragraph, 5-bullet-point, 582-word email. This is insufficient disclosure to the user. Burying this critical language in the middle of a large email is far from going to 'great lengths to describe the tracking aspects'. Common sense would tell us that, but for more understanding, CA's User Permission document lays things out in more concrete terms. The level of disclosure during the install process violates section VI of the Permission document, which states: 'Choice or notice is presented in its own separate window.' Burying it in the middle of a 7-paragraph email is not a 'separate window'. In addition, it should be noted that CA does not consider a privacy policy prominent notice, particularly when the policy is presented on a page with a variety of other purposes or is very difficult for the average person to read.
Rob says: "I am not sure what Mr. Googins' experience was, but to clarify there are two privacy policies: one for non-tracked members and one for tracked..."
Ben responds: This point is addressed in the follow-up blog here.
Rob says: "The privacy policy for people who join through the website link or general invitation does not contain any language regarding tracking because, as stated above, these people are not being tracked nor will they ever be."
Ben responds: I joined the Community by entering my email address in a popup ad at Sears.com (see my original post for a screenshot). I repeated this test today. After clicking 'join' from my email, filling out a form, and OK'ing the install, I was tracked fully and completely as described before.
Rob says: "Any potential tracked member is given very clear explanations throughout the registration process..."
Ben responds: I addressed this in my second point above.
Rob says: "The privacy policy also clearly states that "we may share your customer information with trusted service providers that need access to your information to provide operational or other support services.""
Ben responds: I observed data being transmitted to domains registered to comScore. Proxy data I observed being sent to: 209.247.230.166. Form data I observed being sent to: 66.119.41.87.
A closer look at an install conducted today
What I would like to do is lay out exactly how the install process looked today using screen shots. I will present them in the order in which I viewed the pages and took screenshots. Please note, I had to use two screenshots per web page because I could not fit them into one.
Step 1: Visited Sears.com and was presented with the following popup. I entered my email address in the box provided.

Step 2: I received an email inviting me to join.


Step 3: After clicking 'join today', above, I am taken here. I fill out the page details and click 'next'.


Step 4: After clicking 'next', I do nothing else. The software installs and immediately begins tracking as described previously. There is no indication on the desktop that there is tracking software installed.

The screenshots above show the install steps I took today. They show us a few things:
- The install lacks prominent notice to the user that they are installing software that can intensely track their Internet activity.
- There is absolutely zero indication on the desktop that the user is being tracked once the software installs.
- It is possible to join the My SHC Community without any "special invitation".
When I originally conducted research for my first blog post on this topic, I took screenshots of the entire install process (the screenshots above were taken today). I do not have a screenshot for this last step - the 'you're almost finished' step. I can't verify if this is a new step or if my records are missing that screenshot. Regardless, there is nothing on this page to describe what the software is or what it does. Second, another change from my install two weeks ago is that today I received an email from support-team@myshccommunity.com welcoming me to the My SHC Community. I never received this email when I first conducted my research.
CA stands firmly behind all original findings posted and updated in previous blogs. In the past, CA has been willing to engage in open dialogue with related parties and is committed to this today. We continue to have privacy concerns about the My SHC Community not yet addressed.