In two reports published this week, Edelman, an assistant professor at the Harvard Business School and noted spyware researcher, said that Sears' installation of online tracking software from ComScore falls short of the standards established by the Federal Trade Commission.
"The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms," said Edelman in his Jan. 1 report. Sears Holding Co.'s "installation of comScore did nothing of the kind."
Benjamin Googins, a researcher at security company CA, leveled similar charges in December. "Sears.com is distributing spyware that tracks all your Internet usage -- including banking logins, e-mail, and all other forms of Internet usage -- all in the name of 'community participation,' " he said in a blog post.
Sears Holding Co. VP Rob Harles disputed Googins' assertions in a lengthy rebuttal that stated in part, "With regard to informed consent, I strongly disagree with Mr. Googins' claims that there is a lack of informed consent relating to the members who have explicitly agreed to be tracked. My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation."
Edelman said he emphatically disagrees with Harles' assessment of Sears' practices.
Edelman concedes that Sears' Manage My Home site offers some useful services but chides Sears' IT staff for not recognizing the need to authenticate users following their decision to make purchase data available online.
"Did Sears's staff fail to notice the problem?" Edelman asked. "Decide to ignore it when they couldn't devise an easy solution to protect users' purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?"
In fact, Sears has noticed the problem. "We take our customers' privacy concerns very seriously," the company said in an e-mailed statement. "As a result, we have turned off the ability to view a customer's purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."