Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTC

Settlement requires disclosure and monitoring, not much else

Lenovo on Tuesday settled charges that it compromised the security of its computers to fling ads onto desktops from August 2014 through early 2015.

The settlement with America's trade watchdog, the FTC, plus 32 State Attorneys General, acknowledges no wrongdoing and imposes no financial penalty – other than a paltry $3.5m to those roughly three dozen states.

Instead, it forbids Lenovo from lying about the nature of software that injects ads or harvests data, if present on its computers, and obliges the company to get consent from customers before installing such software.

Furthermore, for the next 20 years, it requires the company to maintain a third-party audited risk assessment program for software on its computers.

"The FTC does not have the authority to obtain civil penalties for initial violations of the FTC Act," an FTC spokesperson said in an email to The Register. "That said, Lenovo will spend money to hire outside auditors to monitor its security program. This relief will ensure that consumers are protected going forward. However, if Lenovo violates the terms of its settlement with the FTC, the company could face civil penalties."

It's not much of a punishment for what Cloudflare security researcher Marc Rogers characterized as "quite possibly the single worst thing I have seen a manufacturer do to its customer base."

Three years ago, Lenovo began shipping laptops quietly bundled with software called VisualDiscovery, a version of Superfish's ad-injector WindowShopper, customized for Lenovo. When Lenovo customers browsed the web and hovered over an image, the software would inject a popup ad for a similar product sold by one of Superfish's retail partners.

The customization incorporated the Komodia SSL interception module, in order to allow VisualDiscovery to inject ads into https as well as http browsing sessions by replacing websites' digital certificates with ones issued from its own self-signed root certificate.

"This allowed VisualDiscovery to act as a man-in-the-middle, causing both the browser and the website to believe that they had established a direct, encrypted connection, when in fact, the VisualDiscovery software was decrypting and re-encrypting all encrypted communications passing between them without the consumer's or the website's knowledge," the FTC complaint says.

Basically, the software hijacked an estimated 750,000 computers of Lenovo customers.
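The certificate swap the complaint describes, shown as an added Go example that is not code from Lenovo, Superfish, Komodia or the FTC: it builds a genuine certificate for a site and a forged one for the same host issued from a self-signed "ad-injector" root, then shows the forgery failing validation against a clean root store, passing once that root is preloaded into the store, and still being caught by comparing the leaf's issuer against the expected CA. The host name, the CA names and the use of Go's crypto/x509 validator in place of a browser's are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a throwaway cert for name; it is self-signed when parent is nil.
func makeCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA { tmpl.DNSNames = []string{name} } // leaf: host goes in the SAN, which is what a browser checks
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: it is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScenario returns the site's genuine cert, the interceptor's forged cert for the same host, a clean root store, and one with the interceptor's root preloaded.
func BuildScenario(host string) (genuine, forged *x509.Certificate, clean, tainted *x509.CertPool) {
	realCA, realKey := makeCert("Example Public CA", true, nil, nil) // constructed stand-in for a public CA
	genuine, _ = makeCert(host, false, realCA, realKey)
	rogue, rogueKey := makeCert("Ad-Injector Root", true, nil, nil) // constructed stand-in for the Superfish root
	forged, _ = makeCert(host, false, rogue, rogueKey)             // re-signed on the fly, as the proxy did
	clean, tainted = x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(realCA); tainted.AddCert(realCA)
	tainted.AddCert(rogue) // the preload step that made browsers accept the forgery
	return
}

// Trusted reports whether leaf validates for host against the given root store.
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// IssuerChanged is the pinning-style check that still catches the forgery once the rogue root is trusted.
func IssuerChanged(leaf *x509.Certificate, pinnedIssuer string) bool {
	return leaf.Issuer.CommonName != pinnedIssuer
}
```

A browser on an affected machine was in the position of the tainted store: chain validation alone passes, and only an out-of-band expectation about the issuer (pinning, or a scan of the trust store for unexpected roots) reveals the interception.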

The FTC complaint charges Lenovo with:

  • Deceptively failing to disclose VisualDiscovery's man-in-the-middle capabilities and its transmission of browsing data to Superfish.
  • Unfair practices, for installing the software without adequate notice or consent and for failing to take reasonable steps to deal with the security risks created by its software.

In a statement emailed to The Register, Lenovo said that while it disagrees with the allegations, it is pleased to bring the matter to a close.

"After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs," a company spokesperson said in an email. "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications."

Lenovo said that a policy it implemented after the uproar over its software, which limited the amount of pre-installed software on its PCs and introduced a security and privacy review process, is consistent with the terms it agreed to as part of the settlement.

Lenovo may not be aware of any actual instances of exploitation, but it's not clear how hard the company has looked. In early 2015, security researcher Robert Graham published a proof-of-concept exploit.

In a statement, FTC Commissioner Terrell McSweeny said she was troubled that the agency had failed to challenge Lenovo's deceptive conduct.

"In this case, Lenovo deceptively omitted that VisualDiscovery would alter the very internet experience for which most consumers buy a computer," she said. "I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive."

In her own statement, FTC Acting Chairman Maureen K Ohlhausen dismissed McSweeny's concerns, noting that while Lenovo failed to disclose that VisualDiscovery would intercept web traffic, it did disclose that the software would inject ads, and that consumers expect ad software to affect their browsing and be intrusive.

"In short, although VisualDiscovery's ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use," she said. ®

Biting the hand that feeds IT © 1998–2022