Sears' Christmas Spyware Surprise

Did Sears conclude that the only accurate way to see what consumers were truly doing online was to track customers who didn't know they were being tracked?

Did Sears decide to give its holiday shoppers the gift that keeps on taking, Spyware? It appears that Sears isn't disputing that it did distribute spyware, but merely that consumers knew that they were agreeing to spyware. (See related story about Sears shutting down another Sears E-Commerce that revealed consumer purchases. Another related story: analyzing the lawsuit filed against Sears for its latest data breach.)

The $53 billion retailer is learning that the online world—with its thousands of bloggers armed with screen captures—is fairly unforgiving when it comes to marketing excesses.

The latest blogger to capture and dissect the Sears incident is Harvard Business School Assistant Professor Benjamin Edelman, whose posted screen captures and commentary came out on Tuesday. His assessment came a couple of weeks after a blog post from CA—formerly Computer Associates—that included a detailed response from a Sears VP.

Here's the consensus of what happened: Sears created something called My SHC Community, which Sears describes as a member-feedback-based online community.

To encourage consumers to join, it offers the following carrots: "It's a community that connects shoppers like you to SHC employees, including the most senior executives, so that together we can build a better shopping experience. In exchange for participating in the community, members will have access to free planning and budgeting tools, special forums to express their views and ideas and will receive exclusive offers and promotions. Members are also eligible to win cash and merchandise prizes via sweepstakes that occur regularly throughout the year."

As part of the project, Sears installs a program from ComScore onto the consumer's PC. Is the consumer asked for permission first? That's an interpretation issue. Sears—correctly—says that the consumer first has to agree.

But Harvard's Edelman said the information is vague and hidden deep within a very long "privacy statement and user license agreement," a document made even more dense because it is presented in a very small scrolling window.

The "2,971 words of text, shown in a small scroll box with just ten lines visible, requires fully 54 on-screen pages to view in full," Edelman wrote. "The tenth page admits that the application 'monitors all of the Internet behavior that occurs on the computer on which you install the application, including ... filling a shopping basket, completing an application form, or checking your ... personal financial or health information.' That's remarkably comprehensive tracking -- but mentioned in a disclosure few users are likely to find, since few users will read through to page 10 of the license."

An E-mail sent to some site visitors was even more vague. "In seven paragraphs plus a set of bullet points, 582 words in total, the E-mail describes the SHC service in general terms. But the paragraphs' topic sentences make no mention of any downloadable software, nor do the bullet points offer even a general description of what the software does," Edelman wrote.

The software Sears used is from ComScore, Edelman said, but Sears goes out of its way to hide that fact. "The initial SHC email refers to the ComScore software as 'VoiceFive.' The license agreement refers to the ComScore software as 'our application' and 'this application.' The ActiveX prompt gives no product name, and it reports company name 'TMRG, Inc.'" he wrote. "These conflicting names prevent users from figuring out what software they are asked to accept. Furthermore, none of these names gives users any easy way to determine what the software is or what it does. In contrast, if SHC used the company name 'ComScore' or the product name 'RelevantKnowledge,' users could run a search at any search engine. These confusing name-changes fit the trend among spyware vendors:"

The above links provided extensive detail, with screen captures galore. But the facts at issue appear to be under minimal debate, which frees us to look at the big picture: Sears seems to have gone out of its way to alienate its customers. The worst part: none of it was necessary.

This particular Sears incident reminds me of the politician who lies—out of habit—when the truth would actually have served him better. Or the product manager who goes out of her way to fabricate four things about her product when the truth of her product would have been quite sufficient to make the sale.

Sears has put together a decent little package of consumer incentives. If it simply and explicitly said, "In exchange for all of this, we only ask that we can track your every Web effort for seven days," this wouldn't have been an issue. The irony is that such a candid approach would likely have yielded a good group of consumer guinea pigs.

But Sears is a smart outfit, so I am inclined not to think that this was something overlooked. No, the more likely scenario is that Sears knew precisely what it was doing and that it feared that a consumer who knew that he/she was being watched would be self-conscious and would not act normally.

In other words, I'm suggesting that Sears understood that the only way to be able to track the way consumers truly behaved on the Web was to track consumers who didn't realize they were being tracked. To trick them, deceive them.

Like any plan that depends on one's customers to be gullible or overly trusting, this risks violating a fundamental trust. That's a dangerous thing to do when customers can move to a competitor with web-click ease.

One of the more astute technology observers I've run into, Dave Taylor, president of the PCI Vendor Alliance, was talking about the Sears incident on Thursday and had a fascinating take.

"This is a classic example of a company going overboard in an effort to understand its customers. There is no reason that Sears would need to know all the websites a customer visits, or how long they stay, since 95 percent of that activity is not going to change what Sears offers or how it offers those goods or services," Taylor said. "This is simply another blunt instrument that Sears is deploying to gather data. The other issue is: What if this data were stolen? I'm sure Sears isn't immune to security breaches. Why collect data and risk major liability should the data wind up being compromised, by unauthorized employees or by external hackers? The ROI, when these risks are considered, simply isn't there."

The scariest part of this incident is what Sears continues to say on its "My SHC Community" page. In a very prominent part of the page—surrounded by lots of white space—is this proud claim: "My SHC Community does NOT sell personal information." That's true. It doesn't sell it. It steals it and uses it for its own purposes.

The headline on the page reads: "Changing the Way Retail Works - One Experience at a Time." That's perhaps a lot more true than the copywriter had intended.