
FTC Sears Complaint

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
COMMISSIONERS: Jon Leibowitz, Chairman
Pamela Jones Harbour
William E. Kovacic
J. Thomas Rosch
__________________________________________

In the Matter of

SEARS HOLDINGS MANAGEMENT CORPORATION,

COMPLAINT

The Federal Trade Commission, having reason to believe that Sears Holdings
Management Corporation, a corporation, has violated the provisions of the Federal Trade
Commission Act, and it appearing to the Commission that this proceeding is in the public
interest, alleges:

1. Respondent Sears Holdings Management Corporation (“respondent” or “SHMC”) is a
Delaware corporation with its principal office or place of business at 3333 Beverly Road,
Hoffman Estates, Illinois 60179. SHMC, a subsidiary of Sears Holdings Corporation (“SHC”)
with shares owned by Sears, Roebuck and Co. and Kmart Management Corporation, handles
marketing operations for the Sears Roebuck and Kmart retail stores, and operates the sears.com
and kmart.com retail Internet websites.

2. The acts and practices of respondent, as alleged herein, have been in or affecting
commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.

3. From on or about April 2007 through on or about January 2008, SHMC disseminated or
caused to be disseminated via the Internet a software application for consumers to download and
install onto their computers (the “Application”). The Application was created, developed, and
managed for respondent by a third party in connection with SHMC’s “My SHC Community”
market research program.

4. The Application, when installed, runs in the background at all times on consumers’
computers and transmits tracked information, including nearly all of the Internet behavior that
occurs on those computers, to servers maintained on behalf of respondent. Information collected
and transmitted includes: web browsing, filling shopping baskets, transacting business during
secure sessions, completing online application forms, checking online accounts, and, through
select header information, use of web-based email and instant messaging services.

5. SHMC, during the relevant time period, presented fifteen out of every hundred visitors to
the sears.com and kmart.com websites with a “My SHC Community” pop-up box (Exhibit A)
that said:

Ever wish you could talk directly to a retailer? Tell them about the products,
services and offers that would really be right for you?

If you’re interested in becoming part of something new, something different,
we’d like to invite you to become a member of My SHC Community. My SHC
Community, sponsored by Sears Holdings Corporation, is a dynamic and highly
interactive on-line community. It’s a place where your voice is heard and your
opinion matters, and what you want and need counts!

The pop-up box made no mention of the Application. Likewise, the general “Privacy Policy”
statement accessed via the hyperlink in the pop-up box did not mention the Application.

6. The pop-up box message further invited consumers to enter their email address to receive
a follow-up email from SHMC with more information. Subsequently, invitation messages
(Exhibit B) were emailed to those consumers who supplied their email address. These emails
stated, in pertinent part:

From shopping, current events, social networking, to entertainment and email, it
seems that the Internet is playing a bigger and bigger role in our daily lives these
days. If you’re interested in becoming part of something new, something different,
we’d like to invite you to join a new and exciting online community; My SHC
Community, sponsored by Sears Holdings Corporation. Membership is
absolutely free!

My SHC Community is a dynamic and highly interactive online community. It’s
a place where your voice is heard and your opinion matters, and what you want
and need counts! As a member of My SHC Community, you’ll partner directly
with the retail industry. You’ll participate in exciting, engaging and on-going
interactions – always on your terms and always by your choice. My SHC
Community gives you the chance to help shape the future by sharing and
receiving information about the products, services and offers that would really be
right for you.

To become a member of My SHC Community, we simply ask you to complete
the registration process which includes providing us with your contact
information as well as answering a series of profile questions that will help us get
to know you better. You’ll also be asked to take a few minutes to download
software that is powered by (VoiceFive). This research software will
confidentially track your online browsing. This will help us better understand
you and your needs, enabling us to create more relevant future offerings for you,
other community members, and eventually all shoppers. You can uninstall the
software at any time through the Add/Remove program utility on your computer.
During the registration process, you’ll learn more about this application software
and you’ll always have the opportunity to ask any and every question you may
have.

Once you’re a member of My SHC Community, you’ll regularly interact with My
SHC Community members as well as employees of Sears Holdings Corporation
through special online engagements, surveys, chats and other fun and informative
online techniques. We’ll ask you to journal your shopping and purchasing
behavior. Again, this will be when you want and how you want to record it –
always on your terms and always by your choice. We’ll also collect information
on your internet usage. Community engagements are always fun and always
voluntary!

The email invitation message then described what consumers would receive in exchange for
becoming a member of the My SHC Community, including a $10 payment for joining the
“online community,” contingent upon the consumer retaining the Application on his or her
computer for at least one month. Consumers who wished to proceed further would need to click
a button, at the bottom, center portion of the invitation email, that said “Join Today!”

7. Consumers who clicked on the “Join Today!” button in the email invitation were directed
to a landing page (Exhibit C) that restated many of the aforementioned representations about the
potential interactions between members and the “community” and about the putative benefits of
membership. The landing page did not mention the Application.

8. Consumers who clicked on the “Join Today” button in the landing page were directed to
a registration page (Exhibit D). To complete registration, consumers needed to enter
information, including their name, address, age, and email address. Below the fields for entering
information, the registration page presented a “Privacy Statement and User License Agreement”
(“PSULA”) in a “scroll box” that displayed ten lines of the multi-page document at a time
(“Printable version” attached as Exhibit E). A description of the Application’s specific functions
begins on approximately the 75th line down in the scroll box:

Computer hardware, software, and other configuration information: Our
application may collect certain basic hardware, software, computer configuration
and application usage information about the computer on which you install our
application, including such data as the speed of the computer processor, its
memory capacities and Internet connection speed. In addition, our application
may report on devices connected to your computer, such as the type of printer or
router you may be using.

Internet usage information: Once you install our application, it monitors all of the
Internet behavior that occurs on the computer on which you install the
application, including both your normal web browsing and the activity that you
undertake during secure sessions, such as filling a shopping basket, completing an
application form or checking your online accounts, which may include personal
financial or health information. We may use the information that we monitor,
such as name and address, for the purpose of better understanding your household
demographics; however we make commercially viable efforts to automatically
filter confidential personally identifiable information such as UserID, password,
credit card numbers, and account numbers. Inadvertently, we may collect such
information about our panelists; and when this happens, we make commercially
viable efforts to purge our database of such information.

The software application also tracks the pace and style with which you enter
information online (for example, whether you click on links, type in webpage
names, or use shortcut keys), the usage of cookies, and statistics about your use of
online applications (for example, it may observe that during a given period of use
of a computer, the computer downloaded X number of bytes of data using a
particular Internet enabled gaming application).

Please note: Our application does not examine the text of your instant messages
or e-mail messages. We may, however, review select e-mail header information
from web-based e-mails as a way to verify your contact information and online
usage information.

The PSULA went on to describe how the information the Application would collect was
transmitted to respondent’s servers, how it might be used, and how it was maintained. It also
described how consumers could stop participating in the online community and remove the
Application from their computers. Respondent stated in the PSULA that it reserved the right to
continue to use information collected prior to a consumer’s “resignation.”

9. Below the scroll box on the registration page was a link that consumers could click to
access a printable version of the PSULA, and a blank checkbox next to the statement: “I am the
authorized user of this computer and I have read, agree to, and have obtained the agreement of
all computer users to the terms and conditions of the Privacy Statement and User License
Agreement.” To continue with the registration process, consumers needed to check the box and
click the “Next” button at the bottom of the registration page.

10. Consumers who completed the required information, checked the box, and clicked the
“Next” button on the registration page, were directed to an installation page (Exhibit F) that
explained the Application download and installation process. Consumers were required to click
a “Next” button to begin the download, and then click an “Install” or “Yes” button in a “security
warning” dialog box to install the Application. Nothing on the installation page provided
information on the Application.

11. When installed, the Application functioned and transmitted information substantially as
described in the PSULA. The Application, when installed, would run in the background at all
times on consumers’ computers. Although the Application would be listed (as “mySHC
Community”) in the “All Programs” menu and “Add/Remove” utilities of those computers, and
the Application’s executable file name (“srhc.exe”) would be listed as a running process in
Windows Task Manager, the Application would display to users of those computers no visible
indication, such as a desktop or system tray icon, that it was running.

12. The Application transmitted, in real time, tracked information to servers maintained on
behalf of respondent. The tracked information included not only information about websites
consumers visited and links that they clicked, but also the text of secure pages, such as online
banking statements, video rental transactions, library borrowing histories, online drug
prescription records, and select header fields that could show the sender, recipient, subject, and
size of web-based email messages.

13. Through the means described in paragraphs 3-12, respondent has represented, expressly
or by implication, that the Application would track consumers’ “online browsing.” Respondent
failed to disclose adequately that the software application, when installed, would: monitor nearly
all of the Internet behavior that occurs on consumers’ computers, including information
exchanged between consumers and websites other than those owned, operated, or affiliated with
respondent, information provided in secure sessions when interacting with third-party websites,
shopping carts, and online accounts, and headers of web-based email; track certain
non-Internet-related activities taking place on those computers; and transmit nearly all of the
monitored information (excluding selected categories of filtered information) to respondent’s
remote computer servers. These facts would be material to consumers in deciding to install the
software. Respondent’s failure to disclose these facts, in light of the representations made, was,
and is, a deceptive practice.

14. The acts and practices of respondent as alleged in this complaint constitute unfair or
deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal
Trade Commission Act.

THEREFORE, the Federal Trade Commission this ______________ day of
___________ , 2009, has issued this complaint against respondent.

By the Commission.
Donald S. Clark
Secretary

