Lenovo on Tuesday settled charges that it compromised the security of its computers to fling ads onto desktops from August 2014 through early 2015.
The settlement with America's trade watchdog the FTC, plus 32 State Attorneys General, acknowledges no wrongdoing and imposes no financial penalty – other than a paltry $3.5m to those roughly three dozen states.
Instead, it forbids Lenovo from lying about the nature of software that injects ads or harvests data, if present on its computers, and obliges the company to get consent from customers before installing such software.
Furthermore, for the next 20 years, it requires the company to maintain a third-party audited risk assessment program for software on its computers.
"The FTC does not have the authority to obtain civil penalties for initial violations of the FTC Act," an FTC spokesperson said in an email to The Register. "That said, Lenovo will spend money to hire outside auditors to monitor its security program. This relief will ensure that consumers are protected going forward. However, if Lenovo violates the terms of its settlement with the FTC, the company could face civil penalties."
It's not much of a punishment for what Cloudflare security researcher Marc Rogers characterized as "quite possibly the single worst thing I have seen a manufacturer do to its customer base."
Three years ago, Lenovo began shipping laptops quietly bundled with software called VisualDiscovery, a version of Superfish's ad-injector WindowShopper, customized for Lenovo. When Lenovo customers browsed the web and hovered over an image, the software would inject a popup ad for a similar product sold by one of Superfish's retail partners.
The customization incorporated the Komodia SSL interjection module, in order to allow VisualDiscovery to inject ads into https and http browsing sessions by replacing websites' digital certificates with a self-signed root certificate.
"This allowed VisualDiscovery to act as a man-in-the-middle, causing both the browser and the website to believe that they had established a direct, encrypted connection, when in fact, the VisualDiscovery software was decrypting and re-encrypting all encrypted communications passing between them without the consumer's or the website's knowledge," the FTC complaint says.
Basically, the software hijacked an estimated 750,000 computers of Lenovo customers.
The FTC complaint charges Lenovo with:
- Deceptively failing to disclose VisualDiscovery's man-in-the-middle capabilities and its transmission of browsing data to Superfish.
- Unfair practices, for installing the software without adequate notice or consent and for failing to take reasonable steps to deal with the security risks created by their software.
In a statement email to The Register, Lenovo said while it disagrees with the allegations, it is pleased to bring the matter to a close.
"After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs," a company spokesperson said in an email. "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications."
Lenovo said that a policy implemented after the uproar over its software that limited the amount of pre-installed software on its PCs and introduced a security and privacy review process is consistent with the terms it agreed to as part of the settlement.
Lenovo may not be aware of any actual instances of exploitation, but it's not clear how hard the company has looked. In early 2015, security researcher Robert Graham published a proof-of-concept exploit.
In a statement, FTC Commissioner Terrell McSweeny said she was troubled that the agency had failed to challenge Lenovo's deceptive conduct.
"In this case, Lenovo deceptively omitted that VisualDiscovery would alter the very internet experience for which most consumers buy a computer," she said. "I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive."
In her own statement, FTC Acting Chairman Maureen K Ohlhausen dismissed McSweeney's concerns, noting that while Lenovo failed to disclose that VisualDiscovery would intercept web traffic, it did disclose that the software would inject ads and that consumers expect ad software to affect their browsing and be intrusive.
"In short, although VisualDiscovery's ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use," she said. ®