Sears and Badware

Tonight, we at StopBadware are releasing a report that finds that Sears Holdings Corporation’s My SHC Community application is badware. (We also blogged our pending review of the application a few days ago.) Our concerns are these:

1) The software does not fully, accurately, clearly, and conspicuously disclose the principal and significant features and functionality of the application prior to installation.

The My SHC Community application’s only mention of the software’s functionality outside of the privacy policy and user license agreement (ULA) prior to installation is in a sentence of the fourth paragraph of a six-paragraph introduction to the community. It states that “this research software will confidentially track your online browsing.” It does not make clear outside the privacy policy and ULA that this includes sending extensive personal data to Sears (see below) or that it monitors all internet traffic, not just browsing.

2) Information is collected and transmitted without disclosure in the privacy policy.

There are two privacy policies available to users of My SHC Community and the accompanying software application. All of the behaviors noted in this report are disclosed in one version, which is shown to and accepted by users during installation. However, when viewing the privacy policy on the website or from the link included in a registration confirmation e-mail, a different version of the privacy policy, which does not include any information about the software or its behavior, appears, unless the user is currently logged into the My SHC Community site. This means, for example, that a user checking the privacy policy from a different PC may not see the privacy policy that s/he originally agreed to.

3) The software does not clearly identify itself.

While running, the My SHC Community application gives no indication to the user that it is active. It is also difficult to tell that the application is installed, as there are no Start menu or desktop shortcuts or other icons to indicate its presence.

4) The software transmits data to unknown parties.

According to SHC and comScore, the parent company of the software developer, VoiceFive, the My SHC Community application collects and transmits to Sears Holdings’s servers (hosted by comScore) extensive data, including websites visited, e-mails sent and received (headers only, not the text of the messages), items purchased, and other records of one’s internet use. This is not made clear to the user separate from the privacy policy or ULA, as required by StopBadware guidelines. Sears Holdings Corp. commits in its privacy policy “to make commercially viable efforts to automatically filter confidential personally identifiable information,” but is unable to guarantee that none of this information will be sent or stored.

We’ve spent time on the phone with the team at Sears Holdings Corporation (SHC) about their app. SHC has informed StopBadware that they are significantly improving the My SHC Community application disclosure and privacy policy language and adding a Start menu icon in an effort to comply with our guidelines and address privacy concerns. They expect these changes to be implemented within 48 hours. At StopBadware, we have not evaluated these planned changes at this time. SHC has also informed us that they have suspended invitations to new users to install the application until these changes are implemented.

Our news release on this report is here.

Cookie Crumbles Contest: Make a Video, Help Consumers, Win Cash

Have fun and help raise awareness about how the Internet really works — and possibly earn a trip to DC and $5000 if you’re really good at it!

The Berkman Center, StopBadware, Google, Medium, and EDVentures present Cookie Crumbles. It’s a fun contest for people who like to make short, humorous (yet meaningful) videos and post them to YouTube (there’s a Cookie Crumbles group set up for contest purposes). We are looking for short YouTube videos that address these questions as accurately and as creatively as possible:

Most people know cookies as a treat best enjoyed with milk. When it comes to web cookies, however, many users want to know more:

* What is a cookie?
* How do cookies work?
* How can cookies be used?
* How is the data from cookies used with data collected in other ways, including from third parties?
* How can cookies be misused?
* What options does a user have to manage cookies and their use?

The top few submissions, as determined by a combination of YouTube viewers and Berkman Center staff, will earn their creators a trip to Washington, D.C., where their videos will be aired and discussed at the United States Federal Trade Commission’s November 1-2 Town Hall workshop entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” Several prizes will be awarded by a panel of judges and discussants including Jeff Chester, Esther Dyson (who blogged the contest here and here), and others, moderated by the Berkman Center, and including one grand prize of $5,000. Submission guidelines and more can be found here.

Ira Rubinstein on Microsoft’s Corporate Privacy Guidelines

Ira Rubinstein is here with us at the Berkman Center today to talk about Microsoft’s corporate policies on privacy. Ira was joined yesterday here by Brad Smith, Microsoft’s General Counsel, who spoke last night on the topic of innovation, interoperability and IP, and Annmarie Levin, like Ira an Associate General Counsel and with whom we’ve been working on interop and innovation.

Ira’s lunch talk is on the company’s privacy guidelines, which have been posted online, in a 49-page document, since last October. Ira’s testimony to a US Senate committee on privacy in 2001 is also posted here.

As his slides and the policy document state, the core commitment is that “Microsoft customers will be empowered to control the collection, use, and distribution of their personal information.” This commitment drives through to a set of detailed definitions, and then to guidelines for privacy protections when developing software.

Microsoft has gone to a “layered” approach to privacy statements. There’s a basic document with a lot of links to privacy statements by type of application or topical area. One discussion topic: can a layered approach result in greater disclosure and clarity to users?

Microsoft has stated its support for comprehensive privacy legislation in the United States. My comment, not Ira’s, as an idea for comprehensive privacy legislation: what about a format regulation promulgated by the US FTC that ensures that consumers can know where to look for information about how personal information is handled?

The kind of personally identifiable information that the policies need to cover is changing as the company continues to grow and add business lines. Microsoft announced six months or so ago a new initiative into the health care domain, covering electronic medical records and so forth. All of a sudden, the type of information that Microsoft might collect about you has changed (expanded) radically.

Much of the conversation, prompted by JZ and Ben Adida, revolved around a lawyer’s problem: what happens after a subpoena arrives seeking personally identifiable information. Ira: “I agree that data minimization is a desirable goal” from a privacy perspective. The hard question buried here is the role of technology intermediaries in retaining information that might help law enforcement versus protecting the privacy of customers.

Should Microsoft, and other companies wishing to be leaders in the security space, let people be idiots? With the “Stop Phishing Filter,” Microsoft gives you a series of choices: set the phishing filter to automatic, set it to manual, or ask me later — but not “no thanks” for this phishing filter. Is “no thanks” a choice they should offer, even if that’s a very poor choice for a user to make?

JZ is the semi-formal respondent: He keys in initially to the notion of making affirmative choices to design privacy protection into software. JZ wants an interface where a consumer could check in on the conversations going on in the background as clients connect back to servers. Or a periodic audit, where you’re prompted to go back in to check periodically on all the pinging that’s gone back and forth. He’s also keyed in on the possibilities for government surveillance in a world of software-as-service instead of products.

Armstrong: Digital Natives, beware…

Tim Armstrong, former Berkman fellow and now a prof at the U of C, writes: “… the permanence of networked information has costs, too, which (like the benefits) are only beginning to be explored. Members of the generation just behind mine, who have grown up reflexively creating and posting information online, are learning that digital is forever — if you’re a job applicant (or even a camp counselor), anything that has ever been written by (or about) you online is, at least potentially, still there. (Back in my day, we used goofy aliases to hide our online identities; but I gather that practice has been fading.) Once information is online, it turns out, it may become quite hard ever to get it back offline again — the Wayback Machine preserves old web pages; Google Groups archives Usenet posts; and it’s only a matter of time before somebody comes up with the magic bullet that automatically archives IRC and IM conversations and makes them searchable. Even your deleted e-mails aren’t necessarily gone; they may still exist on backup tapes where law enforcement authorities can get them. The durability of digital content raises problems that touch on both informational security and individual privacy.”

Bloglines, RSS privacy problem

A call to action: the security infrastructure for RSS is not where it needs to be for the mainstreaming of this technology to work and to be adequately protective of user privacy.

I was resetting my Bloglines account this morning, adding some new feeds, taking out some that I don’t read, and so forth. I searched on a friend’s web moniker (“Whirlycott”) to find whatever feeds he might be offering. Up popped a feed related to a web-based invoicing service he uses, entitled “[His Name] Invoices,” to which I could subscribe in Bloglines. I am not sure what it would have rendered — I did not subscribe! — but I thought it worth mentioning to him. It turns out he has been mad about this privacy problem for months. His initial post, worth reading and reviving as an issue of public discussion, is here.

I credit the fact that this may not be (just) a “Bloglines issue” but rather an “RSS industry” issue. But it’s a real problem if we are to continue to express ourselves via these citizen-generated media tools that offer RSS feeds, and more so if we move into the promising realm of using RSS feeds to support other productivity-type tools. The privacy problems that already exist in cyberspace are enough to tackle; we need to get in front of an RSS privacy problem before it grows into a yet more widespread issue. After this morning’s experience, it’s clear to me it’s already a problem.

(Following the thread a bit, there’s another post in the series, including, some months ago, a note from someone appearing to be with Bloglines saying that they know it’s a serious problem.  How can we fix it, gang?  If it’s not a Bloglines-only issue and it’s a community issue, what has to get done?)

Re-envisioning privacy and security online

The combination of our conference this week on digital identity, JZ’s paper and forthcoming book on Generativity and his OII inaugural lecture, this morning’s WSJ, and all manner of other things has convinced me that we need a new framework for thinking about privacy and security in the digital world.

On a plane this morning from SFO-PDX, I read (at least) three articles that made this problem plain to me, again. One was the piece on the Consumer Privacy Legislative Forum’s day on the Hill yesterday (see the CDT et al. statement), in the context of which Meg Whitman of eBay and Nicole Wong of Google and others made the case for laying “a foundation for a long-term approach to privacy protection” (Whitman, as quoted in the WSJ). Wong wrote, correctly in my view, that “this matrix of [privacy/security] laws is complex, incomplete and sometimes contradictory.” She went on to say: “On an Internet beset with spyware, malware, phishing, identity-theft, and other privacy threats, enforcement of privacy protections has become an industry-wide challenge.” The WSJ story on MySpace and its advertiser relationships — in the wake of a $30 million lawsuit against the company related to online safety of a user — made the same point, implicitly. A nice Web2.0 story on Boston-based Tabblo didn’t have to make the point that anyone can post online photos about anyone, mash them up into a collage, and publish — to anyone else, and everyone else.

The creative opportunities of the web have never been more wonderful and should be embraced. But the privacy and security stakes are rising as we bring our digital identities online, more and more, and as our digital native children start to experience the good and the bad of this brave new world. What’s the role of schools, and universities, and parents, and kids, and companies, and governments? As the wisdom of the crowd is relied upon to make more and more decisions, what’s the due process when your privacy and security are at stake, if things go wrong? JZ has some good ideas, and so do others. We need to get on with the planning and the building of this foundation, and fast.

(If you’re having trouble grasping the digital ID part of this equation, zip over to ZDNet, where David Berlind does his usual amazingly lucid job of putting it all in context in his review of the Higgins Trust Framework — and n.b. the “spectrum” that he describes, which is right on. Berlind writes: “By the end of the panel, I was visualizing a spectrum of attitudes about technological expression of identity that range from the very negative to the very positive. On one end are the warning signs about what could happen if the right checks, balances, and governance aren’t in place. On the other end is hope. Hope that identity could be tapped in a fashion that serves the greater social good.”)