It fit the classic definition of spyware. Once downloaded, it collected a wealth of data most people would consider private, including details from their online shopping, bank statements, drug-prescription records, video rentals, library-borrowing histories, even the names and addresses of their e-mail correspondents.
But this spyware didn't come from some fly-by-night company or Eastern European hacker ring. It came from one of the most trusted names in U.S. commerce: Sears.
Sears Holdings Management Corp., which operates the Sears Web site for its retailing affiliate, agreed yesterday to settle charges by the Federal Trade Commission that it had misled consumers when it lured them to join "My SHC Community" via online invitations in 2007 and 2008.
The FTC said Sears led consumers to believe that the software would simply track their "online browsing." In return, they would get a $10 incentive payment, plus access to a "dynamic and highly interactive online community" where they could provide feedback to Sears and its sister retailer, Kmart.
But the FTC said Sears failed to adequately disclose the depth and breadth of the information it was collecting. In a complaint filed with the settlement, the FTC said the software monitored "nearly all of the Internet behavior that occurs on consumers' computers," and also collected data about the users' computers, printers, and other devices. The data collection was not detailed until deep into a long licensing agreement, the FTC said.
Sears admitted no wrongdoing in the settlement, in which it agreed to destroy the data it had collected and to quit snooping without "clearly and prominently" disclosing its intentions. Neither Sears nor the FTC would say how many computer users had installed the "My SHC Community" software.
In an e-mail, Sears vice president Chris Brathwaite wrote that the information had been destroyed more than a year ago and downplayed the episode's significance.
"The company conducted a research project nearly two years ago with a small panel of consumers who were recruited online to better understand the surfing behavior of U.S. retail customers," he said. He said the panelists "were informed up front of the nature of the work."
"At all times, Sears Holdings ensured the privacy and security of the personal information of all participants who enrolled in the program," Brathwaite said. He said Sears enrolled "less than 5,000" people.
Rick Quaresima, a lawyer in the FTC's Bureau of Consumer Protection, said the agency's primary concern was that consumers were likely unaware of how much information Sears was collecting.
"They said it was going to be monitoring your online browsing, but in fact it was collecting a whole lot more," Quaresima said. "There is no allegation that they misused the data in any way."
But privacy and spyware experts, including a Harvard University researcher who helped draw the FTC's attention to "My SHC Community," said collecting such detailed personal data opens the door to what many would consider abuse.
"It's quite off-putting to think of a company tracking these kinds of things about you," said Benjamin Edelman, a longtime spyware researcher and an assistant professor at the Harvard Business School.
Edelman said a variety of companies might benefit from the kinds of data Sears collected, such as drugmakers or insurers that might want to know more about people who fill prescriptions for particular medicines.
"I hope this sends a message to all other companies thinking of installing this kind of intrusive software," Edelman said.
Ari Schwartz, vice president of the nonprofit Center for Democracy and Technology, said Sears had touted the value of the software for enabling consumers to track information about their purchases, such as warranty expiration dates. But he said that when his organization examined the "My SHC Community" Web site, it found it had inadequate controls and made the information available to "basically anyone."
"We pulled up information about the then-chairman of the FTC's refrigerator," Schwartz said.
Privacy advocates said stopping consumers' unintended disclosures was crucial, because the commercial value of the data creates a strong incentive for companies to collect it.
"For a lot of companies, the information they have about their customers is worth more than their ongoing businesses," said Paul Stephens, of the nonprofit Privacy Rights Clearinghouse.