Antitrust Law Daily Lenovo settles charges it sold laptops made vulnerable to security threats by adware
News
Tuesday, September 5, 2017

Lenovo settles charges it sold laptops made vulnerable to security threats by adware

By Jody Coultas, J.D.

The FTC and 32 state attorneys general have agreed to settle charges against Lenovo Inc., alleging that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver advertisements to consumers’ computers in violation of the FTC Act, the FTC announced today. Lenovo, one of the world’s largest manufacturers of personal computers, agreed to obtain affirmative consent before pre-installing this type of software and will implement a software security program for most consumer software preloaded on its laptops (In the Matter of Lenovo (United States) Inc., FTC File No. 152 3134).

In August 2014, Lenovo began selling consumer laptops in the United States with a preinstalled software program called VisualDiscovery. VisualDiscovery, developed by Superfish, Inc., delivered pop-up ads from Superfish’s retail partners whenever a user’s cursor hovered over a similar looking product on a website. To deliver its ads, VisualDiscovery acted as a "man-in-the-middle" between consumers’ browsers and the websites they visited. Without the consumer’s knowledge or consent, VisualDiscovery accessed all of the consumer’s personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information. VisualDiscovery collected and transmitted more limited information to Superfish’s servers, but Superfish had the ability to collect more information from Lenovo users through VisualDiscovery at any time.

The FTC alleged that VisualDiscovery used an insecure method to replace digital certificates for those websites with its own VisualDiscovery-signed certificates. VisualDiscovery, however, did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using unique passwords for each laptop.

Because of the alleged security issues with the software, consumers’ browsers could not warn users about potentially spoofed or malicious websites with invalid digital certificates. The security issues also allegedly enabled hackers to intercept consumers’ electronic communications with any website by simply cracking the pre-installed password. Lenovo allegedly failed to discover the security vulnerabilities because it failed to assess and address security risks created by third-party software it preloaded on its laptops.

Lenovo did not make any disclosures about VisualDiscovery to consumers prior to purchase, and the software was allegedly designed to have limited visibility. The software was always on and running in the background without the consumer having to do anything to start or otherwise activate the software. The risk that the security vulnerability would be exploited increased when security researchers published information about the vulnerabilities and bloggers described how to exploit the private encryption key vulnerability. Many consumers spent considerable time removing VisualDiscovery and its root certificate from their affected laptops since merely opting out, disabling, or uninstalling VisualDiscovery would not address the security vulnerabilities. Lenovo stopped shipping laptops with VisualDiscovery on or about February 20, 2015.

The settlement will prohibit Lenovo from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. Lenovo must also obtain affirmative consent before pre-installing this type of software on laptops it sells in the future. Also, Lenovo agreed to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

Commissioner McSweeny supported the complaint against Lenovo, but wrote a concurring statement arguing that "the FTC should have included additional deceptive conduct" in the complaint. "The FTC should not turn a blind eye to deceptive disclosures and opt-ins, particularly when consumers’ privacy and security are at stake," wrote McSweeny.

Acting Chairman Ohlhausen also supported the case and settlement, but wrote separately "to caution against an over broad application of our failure to disclose (sometimes called "deceptive omission") authority. We should hew to longstanding case law and avoid circumventing congressionally-established limits on our authority. I therefore respectfully disagree with [McSweeny’s] position that we should expand Count I to allege additional failures to disclose."

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment through October 5, 2017.

Companies: Lenovo (United States) Inc.; Superfish Inc.

MainStory: TopStory Advertising ConsumerProtection Privacy FederalTradeCommissionNews

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More