Lenovo Settles Superfish Privacy Claims with U.S. FTC for $3.5M

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Back in February 2015, PC vendor Lenovo first admitted that adware known as 'Superfish' was pre-installed on systems it sold in the U.S. After a multi-year investigation, the U.S. Federal Trade Commission (FTC) and a coalition of 32 state attorneys have settled with Lenovo.

The FTC originally filed a legal compliant against Lenovo in 2014, claiming that the Superfish software was violating consumer privacy.

"Lenovo compromised consumers' privacy when it pre-loaded software that could access consumers' sensitive information without adequate notice or consent to its use," Acting FTC Chairman Maureen K. Ohlhausen said in a statement. "This conduct is even more serious because the software compromised online security protections that consumers rely on."

Lenovo began installing the Superfish software, known as Visual Discovery, in August 2014 and when first confronted with allegations that it was violating consumer privacy, denied the claims. On Feb. 19, 2015, Lenovo issued a statement claiming that it did not find any evidence to substantiate security concerns. On Feb. 20, 2015, Lenovo changed its official position on Superfish, admitting that there were security risks to the adware technology that it bundled with its PCs.

The security risk with the Visual Discovery software was that it installed a security certificate that allowed it work as a man-in-the-middle (MiTM) and intercept traffic between the user and the intended location. The express purpose was for ad delivery, though the security implication of having an ununauthorized MiTM certificate meant that all user information could have been intercepted.

Though Lenovo has admitted there could be potential security risks, the company has never agreed that consumer privacy was actually violated.

"To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications," Lenovo stated. "Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today. "

As part of the settlement with the FTC, Lenovo agreed not to misrepresenting any features of software pre-loaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties.

Lenovo also consented to implement a comprehensive software security program for most consumer software pre-loaded on its laptops that will be in force for the next 20 years and will be subject to third-party audits.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.