Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an “online community” for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.
To join the “My SHC Community,” users downloaded software that ended up grabbing some members’ prescription information, emails, bank account data and purchases on other sites. Sears called the group that participated “small” and said the data captured by the program was at all times secure and was then destroyed. [...]
The feds just officially resolved the case after commissioners accepted the proposed settlement, and the penalty for Sears’ alleged overzealous, privacy-invading behavior wasn’t even a slap on the wrist. It was a gentle touch. The harshest part of the whole situation was the FTC actually letting people know the situation even happened.
The penalty: if Sears offers such a software program again it should be more honest about the implications. Sears has to destroy all the data — which was already done. And, Sears needs to help those who want to uninstall the software.
(via Schneier on Security)
If an individual had used a virus to collect sensitive data? David L. Smith was sentenced to 20 months in federal prison and fined $5,000 for writing the Melissa virus. Under the Patriot Act, he could conceivably have been sentenced to 10 years in prison (Smith committed the crime in 1999, before the Patriot Act was passed).