Weren’t we just discussing the idea of criminal liability for egregious security problems with data? And… weren’t we also just discussing Sears’ offering to install spyware on your computer without much notice and all in the name of community? Well, let’s combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole allowing you to look up the purchases at Sears of just about anyone so long as you know their name, address and telephone number. As Edelman notes, this appears to be in direct violation of Sears’ own privacy policy (and, well, common sense, but that’s a different story…). So, now, Sears.com is spying on users without making it all that clear and revealing all customer purchase data with poorly implemented security. It’s not a particularly comforting picture.
http://techdirt.com/articles/20080104/010843.shtml