I want to talk about the Sears Holding Company, and I have nothing nice to say.
They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.
To me, this is worse than an accidental breach. This isn’t about ignorance or stupidity, but about willful intent to do harm. A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice). How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues? How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect? Worse, why *could* it be done? Oh yes, right. We all use operating systems every day that have an egregious lack of granularity in access control.
There is little to do except spit in Sears’ general direction – so I do. Ptooey.
Wow. That’s unbelievable. I’d be seriously angry at Sears. Of course, it’s not helpful that the FTC took over eighteen months to come to some kind of solution – the story apparently came out in early January 2008.
There ought to be a place to go to find out which companies use questionable practices like these. A net search is kind of hit or miss, depending on what one is looking for. Try googling “privacy practices”.