Lenovo settles Superfish adware complaint, fined $3.5m

Computer giant Lenovo has settled charges brought by the US Federal Trade Commission over its preinstalling of the “Superfish” adware on consumer PCs.

In 2014 Lenovo began installing Superfish on PCs without user consent to inject product recommendations into search results. 

The company drew sharp criticism in early 2015 because the pre-installed program replaced the digital certificates of HTTPS sites that users visited with its own certificate, essentially carrying out a man-in-the-middle attack on its own customers. Even worse, researchers found that the certificate's private key could be recovered, which could allow others to attack consumers in the same way.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said acting FTC Chairman Maureen K. Ohlhausen in a statement on Tuesday. 

“This conduct is even more serious because the software compromised online security protections that consumers rely on.”

Lenovo at the time agreed to remove all third-party pre-installed software from its devices from Windows 10 onwards. The settlement doesn't ban it from pre-installing such software in future, but Lenovo is required to implement a security program for 20 years covering “most consumer software” it preloads on laptops, and that program will also be subject to third-party audits.

Lenovo wasn't fined by the FTC, but it was separately fined $3.5m as part of a settlement with 32 states. 

The FTC's settlement requires Lenovo to gain a consumer’s “affirmative express consent” before installing advertising-related software like Superfish. The settlement lays out a much higher standard for transparency for Lenovo regarding pre-installed adware. 

As noted in the settlement, Lenovo can't simply bundle a request for adware into its end user license agreement, privacy policy or terms of use, but rather must communicate “clearly and conspicuously” that its request pertains to software that will display ads. It also needs to explain how frequently and under what circumstances the ads will be displayed.

Further, Lenovo needs to flag to users that it will transmit their data to a third party, explain what information will be transmitted, and list the name of the third party.

These measures target the way VisualDiscovery, the maker of Superfish, previously gained user consent. It displayed a pop-up window the first time a consumer visited a shopping web site and if a consumer didn't affirmatively opt out, the adware would be enabled.  

The FTC's definition of “clearly and conspicuously” includes a raft of requirements Lenovo must meet for online, phone, video, and product label communications.

Lenovo also needs to be able to show that its security program can address security risks for software covered by the settlement.  

The Superfish fiasco prompted a major clean-up effort by security vendors and Microsoft, which added signatures for the software to its Windows Defender and Security Essentials anti-malware products. Microsoft removed around 250,000 instances of Superfish.
