Sears’ Christmas Spyware Surprise

Written by Evan Schuman
January 3rd, 2008

Did Sears conclude that the only accurate way to see what consumers were truly doing online was to track customers who didn’t know they were being tracked?

Did Sears decide to give its holiday shoppers the gift that keeps on taking: spyware? It appears that Sears isn’t disputing that it distributed spyware, only contending that consumers knew they were agreeing to it. (See the related story about Sears shutting down another Sears E-Commerce site that revealed consumer purchases, and another analyzing the lawsuit filed against Sears for its latest data breach.)

The $53 billion retailer is learning that the online world—with its thousands of bloggers armed with screen captures—is fairly unforgiving when it comes to marketing excesses.

The latest blogger to capture and dissect the Sears incident is Harvard Business School Assistant Professor Benjamin Edelman, whose screen captures and commentary were posted on Tuesday. His assessment came a couple of weeks after a blog post from CA—formerly Computer Associates—that included a detailed response from a Sears VP.

Here’s the consensus of what happened: Sears created something called My SHC Community, which Sears describes as a member-feedback-based online community.

To encourage consumers to join, it offers the following carrots: "It’s a community that connects shoppers like you to SHC employees, including the most senior executives, so that together we can build a better shopping experience. In exchange for participating in the community, members will have access to free planning and budgeting tools, special forums to express their views and ideas and will receive exclusive offers and promotions. Members are also eligible to win cash and merchandise prizes via sweepstakes that occur regularly throughout the year."

As part of the project, Sears installs a program from ComScore onto the consumer’s PC. Is the consumer asked for permission first? That’s an interpretation issue. Sears—correctly—says that the consumer first has to agree.

But Harvard’s Edelman said the information is vague and hidden deep within a very long "privacy statement and user license agreement," a document made even more dense because it is presented in a very small scrolling window.

The "2,971 words of text, shown in a small scroll box with just ten lines visible, requires fully 54 on-screen pages to view in full," Edelman wrote. "The tenth page admits that the application ‘monitors all of the Internet behavior that occurs on the computer on which you install the application, including … filling a shopping basket, completing an application form, or checking your … personal financial or health information.’ That’s remarkably comprehensive tracking — but mentioned in a disclosure few users are likely to find, since few users will read through to page 10 of the license."

An E-mail sent to some site visitors was even more vague. "In seven paragraphs plus a set of bullet points, 582 words in total, the E-mail describes the SHC service in general terms. But the paragraphs’ topic sentences make no mention of any downloadable software, nor do the bullet points offer even a general description of what the software does," Edelman wrote.

The software Sears used is from ComScore, Edelman said, but Sears goes out of its way to hide that fact. "The initial SHC email refers to the ComScore software as ‘VoiceFive.’ The license agreement refers to the ComScore software as ‘our application’ and ‘this application.’ The ActiveX prompt gives no product name, and it reports company name ‘TMRG, Inc.’" he wrote. "These conflicting names prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name ‘ComScore’ or the product name ‘RelevantKnowledge,’ users could run a search at any search engine. These confusing name-changes fit the trend among spyware vendors:"

The above links provided extensive detail, with screen captures galore. But the facts at issue appear to be under minimal debate, which frees us to look at the big picture: Sears seems to have gone out of its way to alienate its customers. The worst part: none of it was necessary.

This particular Sears incident reminds me of the politician who lies—out of habit—when the truth would actually have served him better. Or the product manager who goes out of her way to fabricate four things about her product when the truth about her product would have been quite sufficient to make the sale.

Sears has put together a decent little package of consumer incentives. If it simply and explicitly said, "In exchange for all of this, we only ask that we can track your every Web effort for seven days," this wouldn’t have been an issue. The irony is that such a candid approach would likely have yielded a good group of consumer guinea pigs.

But Sears is a smart outfit, so I am not inclined to think this was an oversight. No, the more likely scenario is that Sears knew precisely what it was doing and feared that a consumer who knew he or she was being watched would be self-conscious and would not act normally.

In other words, I’m suggesting that Sears understood that the only way to be able to track the way consumers truly behaved on the Web was to track consumers who didn’t realize they were being tracked. To trick them, deceive them.

Like any plan that depends on one’s customers being gullible or overly trusting, this risks violating a fundamental trust. That’s a dangerous thing to do when customers can move to a competitor with web-click ease.

One of the more astute technology observers I’ve run into, Dave Taylor, president of the PCI Vendor Alliance, was talking about the Sears incident on Thursday and had a fascinating take.

"This is a classic example of a company going overboard in an effort to understand its customers. There is no reason that Sears would need to know all the websites a customer visits, or how long they stay, since 95 percent of that activity is not going to change what Sears offers or how it offers those goods or services," Taylor said. "This is simply another blunt instrument that Sears is deploying to gather data. The other issue is: What if this data were stolen? I’m sure Sears isn’t immune to security breaches. Why collect data and risk major liability should the data wind up being compromised, by unauthorized employees or by external hackers? The ROI, when these risks are considered, simply isn’t there."

The scariest part of this incident is what Sears continues to say on its "My SHC Community" page. In a very prominent part of the page—surrounded by lots of white space—is this proud claim: "My SHC Community does NOT sell personal information." That’s true. It doesn’t sell it. It takes it and uses it for its own purposes.

The headline on the page reads: "Changing the Way Retail Works – One Experience at a Time." That’s perhaps a lot more true than the copywriter had intended.


6 Comments

  1. Mark Eaton Says:

    Sears: Shame on you. One would think that we learned something from the TJX fiasco. What happened to a once great company? I remember getting excited at the chance to go to Sears with my Dad on Saturday mornings. We’d peruse the Tool aisles, check out the new gadgets in Hardware & Appliances and say Hi to the Sales Clerks we had known for years. Maybe buy a couple of tools and some jeans or sneakers and stop at McDonald’s on the way home. I wouldn’t be caught dead in a Sears store today. They never have the same person in Tools or Hardware, jeans are way overpriced unless they’re on sale and they never have my size in sneakers or shoes (11-1/2 Wide). It is an unacceptable buying experience. Sears Management got rid of all the old timers that really knew the department, replacing them with Teens that can’t make change. They used to have a register in each department, replaced them with “checkout kiosks”, went back to department checkout and now they have “centrally located” checkout…? I get the impression that Sears hired a bunch of MBAs with sharp pencils and not a clue about what it takes to keep loyal Customers and little by little alienated them with all these weird changes…none of which appears to have saved them any money. Sears is a ship lost at sea with no navigation plan….

  2. Paula Rosenblum Says:

    Always one to investigate the latest in retail technology, when invited, I started to install and download Sears’ software. Of course I didn’t read the agreement in full either.

    Fortunately, my malware protection program (Norton Internet Security, and no this is not an endorsement…just a fact) warned me that I was about to install software that would monitor my keystrokes. That was all I needed to know.

    I was shocked and just shook my head. This is customer-centricity? My goodness.

  3. Ms. Mayfield Says:

    The story is very informative and will certainly make me pay closer attention to these types of online agreements and disclaimers. But the story doesn’t mention whether the software is removable, and how the average, non-technical customer can remove it from their computer.

  4. David Pava Says:

    This is a classic example of a breach in corporate ethics; it reminds me of the episode a few years ago when UPS made available a new version of their shipping software — and if you downloaded it your homepage was changed to UPS and a slew of UPS related shortcuts added to your desktop. At least in that case, one could see how they were being victimized. In this case with Sears it seems every effort was made to conceal the truth.

  5. kathryn milette Says:

    Great article. It’s my sense that despite the growing acknowledgment that companies need to be more open and transparent in their communications, it either hasn’t yet really sunk in to large corporation mindsets, or large corporations have a complex infrastructure that makes it difficult to make these necessary changes. I mean, who reads the fine print (except for Harvard professors?!)

  6. Jimbo Says:

    Sears should be taken to task for this breach of confidence. There has been enough written about spyware for them to realize that the vast majority of people who signed up with this program would never approve of spyware being placed on their computer. What’s even more difficult for me to understand is that they also must have known that someone would eventually figure this out and expose the whole sordid mess. Shame on them.
