The Federal Trade Commission (FTC) has busted a strange set of spyware purveyors—US retailing giants Sears and Kmart.

The FTC this week approved its final consent order against the companies (which share the same owner) over an episode that can only be chalked up to incompetence of a truly epic scope. Sears Holdings Management Corporation decided that it could really use a lot more marketing data to fuel its decision-making process, so it began offering visitors to sears.com and kmart.com a special invite—sign up for "My SHC Community," download a piece of "research" software, and earn 10 American dollars. That's right—10... American... dollars.

All one had to do to secure this bounty was turn over to the company every single bit of information about one's Web browsing. This wasn't just about the websites visited, or even about specific URLs; the "research" software transmitted the complete contents of a browsing session, even secure (HTTPS) sessions that users would reasonably assume nobody else could read. This meant that Sears and its data collection partner would have access to the "contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails," said the FTC. And the collection didn't stop at the browser: the software also gathered non-Web information about the user's personal computer.

Also, do you ever wish you could transmit all your secure session data to Sears?

Sears did tell people that it would track their "online browsing," but when security researchers looked into the software in early 2008, they charged that the disclosure was mostly buried in legalese. As we wrote at the time, "[Security researcher Ben] Edelman heavily scrutinized all documentation that came with signing up for the community and found a few mentions of tracking software buried deep within the tangled legalese (for example, one mention was on page 10 of a 54-page license document). This, he says, goes against regulations by the Federal Trade Commission that require clear, unavoidable disclosure and 'express consent' from the user before installing such software."

The FTC agreed. It launched an investigation of its own after the story came to light, and found that Sears did mention the tracking, but provided details only in "a lengthy user license agreement, available to consumers at the end of a multi-step registration process." The agency charged that Sears did not "adequately disclose the scope of the tracking software's data collection."

Under the settlement (PDF) with the FTC, Sears has now agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the wild. In addition, if it wants to do any tracking in the future, the company has committed to "clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party."

No money changed hands (well, except for those 10 American dollars), but Sears is out of the spyware business—at least for now.