Researchers say Sears site uses ComScore to track browsing


Two leading spyware researchers have warned visitors to Sears Holdings' My SHC Community that they risk intrusive third-party tracking if they download marketing software from the site.

 

Ben Edelman, an assistant professor at the Harvard Business School, posted a critique on his website Tuesday declaring that the privacy notifications on the SHC site fall far short of Federal Trade Commission (FTC) guidelines requiring a separate notification (other than within license agreements) for deployment of the ComScore software that is installed on the site.

 

ComScore software tracks every site the user visits, every search the user makes, every product the user buys, and even records each product that is viewed but not purchased, according to Edelman. The use of the software on the SHC website, which services Sears and Kmart customers, was first disclosed late last month by CA senior engineer Benjamin Googins.

 

SHC Community Vice President Rob Harles responded to Googins' report with a post on Googins' blog noting that SHC users are asked to fill out a profile, which invites them to have their web browsing tracked.

 

Harles conceded that SHC is utilizing third-party software to collect data, but he added that this information “is stored on a database owned by Sears [and is] encrypted and managed very carefully within strict guidelines.”

Harles cited the SHC privacy policy as warning users that SHC “may share your customer information with trusted service providers that need your information to provide operation or other support services... A vendor may operate some of the technology behind the panel, but the vendor cannot, and does not, use that data for any purpose other than for providing services to Sears Holding,” Harles said in the blog posting.

The SHC vice president did not respond to a query from SCMagazineUS.com to clarify the type of service to which the data is being applied.

 

Edelman was skeptical about SHC's assurances.

 

“Users have no way to know exactly what [services] means,” he told SCMagazineUS.com. “In the marketing industry, phrases like 'trusted service providers' have been used to include anyone a company chooses to share data with.”

 

Edelman called on Sears to clarify whether its user browsing data is being sold to ComScore's clients. In his critique posted Tuesday, Edelman cited recent FTC settlements with Direct Revenue and Zango as establishing benchmarks for disclosure and consent required before installing tracking software on users' computers.

“The limited SHC disclosure provided by email lacks the required specificity as to the nature, purpose and effects of the ComScore software,” he said, adding that SHC is presenting the ComScore application as a means for users to participate in a community and to “help shape” future products and services. “But that doesn't mean users want to be tracked in the way that ComScore [tracks them]. And the fact that users agree to join a program described as offering one thing [feedback on products and services] does not mean [they] are willing to participate in something entirely different.”

 
