The Sony BMG rootkit story is old hat; it was about time for some other big corporation to be exposed for highly questionable behavior. This time it is Sears Holding Company, parent of Sears Roebuck and Kmart. Details are available from Computer Associates, with writeups at Bruce’s blog, ArsTechnica, and The Register, and commentary by Harvard researcher Ben Edelman.
In a nutshell, when you sign up for Sears Home Community, you are agreeing to let Sears monitor *everything* you do over the Internet: clicking “Join” downloads and installs an invasive application that can only be described as spyware.
Sears, of course, is defending its actions, while security and privacy experts are uniformly decrying this as a violation of FTC standards on disclosure. From the story in The Register:
It’s not that Sears fails to notify users it intends to spy on them. Indeed, the email sent to users states that the application “monitors all of the internet behavior that occurs on the computer on which you install the application, including…filling a shopping basket, completing an application form, or checking your…personal financial or health information.”
The rub is that this unusually frank warning comes on page 10 of a 54-page privacy statement that is 2,971 words long. Edelman, who is a frequent critic of spyware companies, said the Sears document fails to meet standards established by the Federal Trade Commission when it settled with Direct Revenue and Zango over the lack of disclosure about the extent of their snoopware.
I’ve written about companies collecting information before, as have plenty of others. I highly doubt that Sears is the first (or the last) company to deploy something that is, at the very least, ethically bankrupt. A lot of this data mining goes on behind the scenes, where companies broker access to the information they hold on their customers to other companies, and the privacy safeguards in the U.S. are laughable. Sears definitely crossed a line here, but to keep things in perspective, other companies are doing comparably bad things; they’re just doing it behind the scenes instead of being so boneheaded as to install software on their customers’ computers.
The fundamental issue is that in the U.S., companies own all the data they collect about their customers, whether they gather it directly or buy it from somebody else. They have very little economic incentive to protect this data, very little regulatory incentive to protect it (even in the financial or health care industries), and every incentive to keep collecting it. Storage is dirt cheap, and there are more data mining experts every day. The more companies know about their customers, the more precisely they can target their marketing to maximize the return on each advertising dollar.
Sears definitely deserves more than a slap on the wrist for this, but punishing Sears alone isn’t going to solve the underlying problem. Attaching a real financial penalty to data exposure events would force companies to evaluate whether they should be keeping this data at all, and would give them a reason to protect adequately whatever they do keep.