Tomorrow, I’ll be at the State of the Net Conference in Washington DC to release formally the Internet Safety Technical Task Force final report. It’s available online. We’ve posted an executive summary (3 pages plus cover pages) as well as the full report (278 pages in total).
Category Archives: Security
Sears and Badware
Tonight, we at StopBadware are releasing a report that finds that Sears Holding Corporation’s MySHC Community application is badware. (We also blogged our pending review of the application a few days ago.) Our concerns are these:
1) The software does not fully, accurately, clearly, and conspicuously disclose the principal and significant features and functionality of the application prior to installation.
The My SHC Community application’s only mention of the software’s functionality outside of the privacy policy and user license agreement (ULA) prior to installation is in a sentence in the fourth paragraph of a six-paragraph introduction to the community. It states that “this research software will confidentially track your online browsing.” It does not make clear outside the privacy policy and ULA that this includes sending extensive personal data to Sears (see below) or that it monitors all internet traffic, not just browsing.
2) Information is collected and transmitted without disclosure in the privacy policy.
There are two privacy policies available to users of My SHC Community and the accompanying software application. All of the behaviors noted in this report are disclosed in one version, which is shown to and accepted by users during installation. However, when viewing the privacy policy on the website or from the link included in a registration confirmation e-mail, a different version of the privacy policy, which does not include any information about the software or its behavior, appears, unless the user is currently logged into the My SHC Community site. This means, for example, that a user checking the privacy policy from a different PC may not see the privacy policy that s/he originally agreed to.
3) The software does not clearly identify itself.
While running, the My SHC Community application gives no indication to the user that it is active. It is also difficult to tell that the application is installed, as there are no Start menu or desktop shortcuts or other icons to indicate its presence.
4) The software transmits data to unknown parties.
According to SHC and comScore, the parent company of the software developer, VoiceFive, the My SHC Community application collects and transmits to Sears Holdings’s servers (hosted by comScore) extensive data, including websites visited, e-mails sent and received (headers only, not the text of the messages), items purchased, and other records of one’s internet use. This is not made clear to the user separate from the privacy policy or ULA, as required by StopBadware guidelines. Sears Holdings Corp. commits in its privacy policy “to make commercially viable efforts to automatically filter confidential personally identifiable information,” but is unable to guarantee that none of this information will be sent or stored.
We’ve spent time on the phone with the team at Sears Holding Corporation (SHC) about their app. SHC has informed StopBadware that they are significantly improving the My SHC Community application disclosure and privacy policy language and adding a Start menu icon in an effort to comply with our guidelines and address privacy concerns. They expect these changes to be implemented within 48 hours. At StopBadware, we have not evaluated these planned changes at this time. SHC has also informed us that they have suspended invitations to new users to install the application until these changes are implemented.
Our news release on this report is here.
Cookie Crumbles Contest: Make a Video, Help Consumers, Win Cash
Have fun and help raise awareness about how the Internet really works — and possibly earn a trip to DC and $5000 if you’re really good at it!
The Berkman Center, StopBadware, Google, Medium, and EDVentures present Cookie Crumbles. It’s a fun contest for people who like to make short, humorous (yet meaningful) videos and post them to YouTube (there’s a Cookie Crumbles group set up for contest purposes). We are looking for short YouTube videos that address these questions as accurately and as creatively as possible:
Most people know cookies as a treat best enjoyed with milk. When it comes to web cookies, however, many users want to know more:
* What is a cookie?
* How do cookies work?
* How can cookies be used?
* How is the data from cookies used with data collected in other ways, including from third parties?
* How can cookies be misused?
* What options does a user have to manage cookies and their use?
The top few submissions, as determined by a combination of YouTube viewers and Berkman Center staff, will earn their creators a trip to Washington, D.C., where their videos will be aired and discussed at the United States Federal Trade Commission’s November 1-2 Town Hall workshop entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” Several prizes will be awarded by a panel of judges and discussants including Jeff Chester, Esther Dyson (who blogged the contest here and here), and others, moderated by the Berkman Center, and including one grand prize of $5,000. Submission guidelines and more can be found here.
Microsoft's Open Specification Promise
Microsoft has just unveiled a new commitment not to assert certain rights against people who develop code based on specifications that Microsoft has developed. It’s called the Open Specification Promise. Warning: the announcement itself, at the top of the page, is written in legalese, though probably pretty readable legalese. The FAQs make things a lot clearer for non-lawyer readers.
The upshot of this announcement is that it will hopefully turn out to be a Very Good Thing. Bravo to the lawyers and the policy people who no doubt worked very hard on it; the promise obviously reflects a huge amount of careful and open-minded thinking. The notion is that Microsoft agrees unilaterally not to come after people based on IP rights that the company holds with respect to a series of widely-used web services, such as SOAP and various of its progeny, WSDL, and so forth (all listed mid-way down the announcement page). From a geeky-lawyerly perspective, one of the things I like a lot is the fact that the condition for availing oneself of the promise is that you yourself NOT voluntarily participate in a patent infringement suit related to the same specification — commitments of this sort could help to create an anti-patent-thicket. (Maybe, down the road, this aspect of the promise might not prove to be as great as I think it could be, but for now, from here, it looks very appealing, in a detente kind of way.)
Why could this promise help? Any promise of forbearance by a huge player — where they say they won’t stand in the way of your innovating on top of the work of others — is certainly positive. More than that, such a promise that is made “irrevocably” establishes a commitment on the part of the company for the long haul. Setting aside the legal enforceability of such a promise, the idea has enormous rhetorical force and would make it very hard for the company to backtrack and go in another direction. Of course, the idea no doubt has good business judgment behind it in an era of dramatic growth in the open development of web services, including those related to security and to web 2.0 apps.
Why might it not be so great? Well, I think it is a great thing, and not just because we at the Berkman Center have been looking into interoperability, with support from Microsoft and others, and learning more about how companies are taking novel steps in this sort of direction. Its limitations might take a few forms, I suppose. The promise itself has limitations — it applies to some specifications, and the promise extends only to some possible IPR-related claims, of course, but that seems natural, especially with such a first step. Other possible limitations: 1) Will developers pay attention to it, and in fact believe it? 2) Will this promise itself be interoperable with other such promises? I am reminded of Prof. Lessig’s speech at Wikimania last month, when he talked about interoperable licenses. Hopefully, others will either follow this lead or help developers to understand how this meshes with other similar promises of forbearance in the marketplace. 3) I don’t know well enough whether these are the right specifications to be included in such a promise. Are there other specs that developers would like to see opened up in this fashion?
Bloglines, RSS privacy problem
A call to action: the security infrastructure for RSS is not where it needs to be for the mainstreaming of this technology to work and to be adequately protective of user privacy.
I was resetting my Bloglines account this morning, adding some new feeds, taking out some that I don’t read, and so forth. I searched on a friend’s web moniker (“Whirlycott”) to find whatever feeds he might be offering. Up popped a feed related to a web-based invoicing service he uses entitled (“[His Name] Invoices”) to which I could subscribe in Bloglines. I am not sure what it would have rendered — I did not subscribe! — but I thought it worth mentioning to him. It turns out he has been mad about this privacy problem for months. His initial post, worth reading and reviving as an issue of public discussion, is here.
I accept that this may not be (just) a “Bloglines issue” but rather an “RSS industry” issue. But it’s a real problem if we are to continue to express ourselves via these citizen-generated media tools that offer RSS feeds, and more so if we move into the promising realm of using RSS feeds to support other productivity-type tools. The privacy problems that already exist in cyberspace are enough to tackle; we need to get in front of an RSS privacy problem before it grows into yet another widespread issue. After this morning’s experience, it’s clear to me it’s already a problem.
(Following the thread a bit, there’s another post in the series, including, some months ago, a note from someone appearing to be with Bloglines saying that they know it’s a serious problem. How can we fix it, gang? If it’s not a Bloglines-only issue and it’s a community issue, what has to get done?)