Adware company Superfish has agreed to pay $1 million to settle a class-action privacy lawsuit on behalf of consumers who purchased Lenovo notebooks in late 2014 and early 2015, according to court papers filed on Thursday.
Lenovo, which allegedly bundled Superfish's "VisualDiscovery" ad-serving software with notebooks, is still fighting the lawsuit. Superfish closed last year, but reportedly re-launched as the company Just Visual.
The litigation stems from last year's revelations about security flaws in Superfish, a program that inserts ads into a variety of Web pages, including secure HTTPS pages. To do so, Superfish tinkers with Windows' cryptographic security, according to numerous reports. But breaking encryption also paves the way for hackers to intercept sensitive data, including passwords and online banking credentials.
News about the technology spurred digital rights group Electronic Frontier Foundation to characterize Lenovo's bundling decision as “catastrophically irresponsible.”
Last year, Lenovo posted a notice on its site saying that it wasn't originally aware of the “potential security vulnerability” created by Superfish. The company also said it had server connections shut down in January of 2014. Lenovo posted instructions telling people how to remove Superfish, and said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.
If accepted by U.S. District Court Judge Ronald Whyte in San Jose, the settlement will resolve allegations that Superfish violated various laws, including the federal wiretap law, a California law regarding spyware and a New York law regarding deceptive business practices.
Lenovo last month asked Whyte to dismiss the lawsuit. Among other arguments, the manufacturer says the consumers can't proceed in federal court because they weren't injured by the software.