Minggu, 06 Januari 2008

Sears IT Practices Called Into Question (TechWeb)

Sears IT practices have come under fire from spyware researcher Benjamin Edelman, who alleges that Sears is installing online tracking software from ComScore without adequate consent and that Sears is exposing its customers purchase histories in violation of its privacy policy.

In two reports published this week, Edelman, an assistant professor at the Harvard Business School and noted spyware researcher, said that Sears installation of online tracking software from ComScore falls short of the standards established by the Federal Trade Commission.

"The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms," said Edelman in his Jan. 1 report. Sears Holding Co.s "installation of comScore did nothing of the kind."

Benjamin Googins, a researcher at security company CA, leveled similar charges in December. "Sears.com is distributing spyware that tracks all your Internet usage -- including banking logins, e-mail, and all other forms of Internet usage -- all in the name of community participation, " he said in a blog post.

Sears Holding Co. VP Rob Harles disputed Googins assertions in a lengthy rebuttal that stated in part, "With regard to informed consent, I strongly disagree with Mr. Googins claims that there is a lack of informed consent relating to the members who have explicitly agreed to be tracked. My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation."

Edelman said he emphatically disagrees with Harles assessment of Sears practices.

In an e-mailed statement, a spokesperson for Sears echoed Harles. "The My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation," the spokesperson said. "Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy, and user licensing agreement. We provide additional notice of the tracking feature in the form of a welcome e-mail that is sent to everyone after they become a member."

In a report published Friday, Edelman demonstrated how Sears Manage My Home site allows anyone to view what Sears customers have purchased. "Sears offers no security whatsoever to prevent a Manage My Home user from retrieving another persons purchase history by entering that persons name, phone number, and address," he said, noting that this violates the companys privacy policy.

Edelman concedes that Sears Manage My Home site offers some useful services but chides Sears IT staff for not recognizing the need to authenticate users following their decision to make purchase data available online.

"Did Searss staff fail to notice the problem?" Edelman asked. "Decide to ignore it when they couldnt devise an easy solution to protect users purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?"

In fact, Sears has noticed the problem. "We take our customers privacy concerns very seriously," the company said in an e-mailed statement. "As a result, we have turned off the ability to view a customers purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."

See original article on InformationWeek.com