Sears faces class action for violating customer privacy on their site

A few days ago, I wrote about a post on the Truston blog concerning Sears being taken to task by a Harvard professor and the Washington Post (Brian Krebs) for violating customer privacy on their site.

Not only was information being data mined for marketing purposes, but the site allowed third parties (anyone) access to it.

Now it appears lawyers have gotten together a class action against Sears.

In an update, Brian Krebs is reporting:

In a complaint filed Friday in Cook County, Illinois -- where Sears is headquartered -- the plaintiffs allege that the lack of privacy protections at Sears's managemyhome.com site violated its own privacy promises to consumers, and in so doing ran afoul of the Illinois Consumer Fraud Act, which prohibits "unfair and deceptive practices."

The complaint seeks class-action status, and more than $5 million in damages, including attorneys' fees. A copy of the complaint is linked here (PDF).

The suit was filed by KamberEdelson, the same New York City based law firm that successfully pursued Sony BMG Music Entertainment after the media giant shipped millions of music CDs that included spyware.

The same law firm is also seeking plantiffs for a second class action against Sears for installing tracking software on customer's computers after they made a purchase on their site. This might set an interesting legal precedent given all the tracking sofware being used out there.

After all, there is a lot of customer espionage going on out there (my opinion).

So far as me personally, this story has made me extremely wary of shopping at Sears, whether in a mall or on the Internet.

Full story from Brian Krebs on the Security Fix blog, here.

Sears site violates people's privacy!

Ran into this story on the Truston blog. Tom Fragala, CEO of Truston writes:

The internet retailer you choose just might, without disclosure, install software on your computer to snoop on your web browsing. Brian Krebs at the Security Fix blog has this story. Would you believe it could be one of the country's oldest retailers though?

"Sears is having a bit of a rough day with the privacy community. The company got off to a rocky start with revelations that many customers who gave Sears their personal details after shopping at the company's Web site also were giving away their online Web browsing habits to marketers, thanks to snooping software silently installed (and ill-documented) by a Sears marketing partner."

Even worse, as revealed in Brian Krebs interesting blog post is that:

The discovery comes from Ben Edelman, an assistant professor at the Harvard Business School and a privacy expert whose research has done much to raise public awareness about the intersection of big business and shady advertising practices.

Sears offers no security whatsoever to prevent any user from retrieving a third party's purchase history, Edelman said, which violates its own privacy policy with such disclosures, no part of which "grants Sears the right to share users' purchases with the general public."

I guess this means that anyone can violate a Sears customer's privacy by using their website as a tool?

Please note that Professor Edelman has shown some pretty good evidence that regular and not just e-commerce customers can be compromised, also.

Going back to Professor Edelman's contention that snooping software was spying on customers -- spyware and adware are used on a lot of sites. In fact, I highly recommend scanning your system on a regular basis using reputable software. I'm always amazed at how much of it I find when I do.

My opinion is that that when information is data mined, there needs to be a transparent way a customer opts-in (authorizes) an entity to use their information.

Current opt-out options are often deceptive and laden with a lot of small print.

So far as Sears, until they disclose what they are doing to fix this (at least answer Mr. Krebs), I'm going to make sure I avoid using their shopping facilities!