Over the holidays the Uneasy Silence blog posted the discovery that Adobe CS3 applications when launched always ping a website owned by Omniture, a web analytics firm. Disturbingly, the Omniture subdomain, 192.168.112.2O7.net, seemed to have been disguised by using a capital letter "O" in "2O7" to be mistaken for an internal IP address.

Also in December came the revelation from Computer Associates anti-spyware researcher Benjamin Googins that accepting Sears.com's invitation to join their free "My SHC Community" resulted in tracking software quietly being loaded on the user's computer. Not only did the software track all Internet traffic including secure sessions, it transmitted the data to a domain owned by ComScore, a market research firm that distributes programs identified as spyware by CA and many other security product vendors.

So what are Adobe and Sears up to? Even now it's not entirely clear, but so far certainly the Sears case is the one that has the most serious privacy implications. Spyware expert Ben Edelman followed up Googins' report with an analysis of how difficult the Sears site's "Privacy Policy and ULA" makes it for customers to understand the massive amount of tracking the software does and then the discovery that a related Sears site makes it far too easy to access any customer's purchase history.

Retracing Edelman's steps this week, I see that Sears has now changed the Privacy Policy and ULA shown to SHC Community invitees by adding a new introductory paragraph that specifies their software "monitors all of the Internet behavior that occurs on the computer on which you install the application." But it still contains terms that are generally found only in spyware EULAs, such as restrictions on how you can remove the software and a restriction that you not be employed or related to any employee of "an unaffiliated market research company." (Confusingly, going to the SHC Community Privacy Policy tab if you haven't accepted the cookie from Sears' online invitation shows you only a much shorter privacy document without any of the spyware terms.) Sears still seems to believe it gave customers adequate notice of the tracking but has promised it will do a better job in the future.

Like Sears, Adobe also promises to make things more clear, and certainly what's been learned about the Adobe situation is much more innocuous. This week Adobe posted a Technote acknowledging the issue and saying they will work with Omniture "to assign more standard hostnames that do not give rise to such confusion." And an Adobe product manager who has been blogging on the issue says that the 2O7 code was inherited in the Macromedia merger and no one really knows what it was for. In any case, Omniture has been using similar subdomains for a number of its customers for many years, and is apparently preparing a new privacy policy to explain it all.

So perhaps all will be made clear in the end, but I doubt it. After all, what these two incidents really share is the fact that two big-name vendors contracted with two firms that are in the business of tracking you without you noticing. And Adobe isn't Omniture's only customer, and ComScore does business with others besides Sears. And even if you think you know what the privacy policies are of all the vendors who might be watching you, you don't know what those policies will be tomorrow. Indeed, for all of spyware terms in Sears' policy, I think the privacy language that bothered me the most was the privacy policy Adobe's Technote references, not because it's at all unusual but because it's the very first thing the policy says:

"Please note that the practices of Adobe Systems Incorporated, its affiliates, and agents ... are governed by this online privacy policy ("Privacy Policy") as amended from time to time, and not the privacy policy in effect at the time the data was collected. Please regularly review our Privacy Policy."

In other words, the lesson to be learned here is that what Adobe's stated privacy policies say, what Sears' spyware terms say, and what their partners say at the moment really means nothing. They can and very well might re-write the rules tomorrow on how they treat the information they collected about you yesterday. And the same goes for every other vendor you and I deal with on a daily basis. We simply don't know who is watching how we use our computers, but it's probably best to assume the worst.

--------------------

To receive this column in my free e-mail newsletter, please go to my subscription page and follow the instructions to opt-in for the EdFoster mailing list.

Post your comments or write me at Foster@gripe2ed.com.