Lenovo may have violated anti-hacking laws by allegedly selling notebooks that came pre-loaded with adware from the company Superfish, a federal judge ruled Thursday.
The ruling, issued by U.S. District Court Judge Ronald Whyte in San Jose, California, stems from a class-action complaint against Lenovo and Superfish. Consumers who purchased the notebooks filed suit against the company in February of 2015, soon after it emerged that Superfish's ad-serving software contained security flaws.
Superfish allegedly inserted ads into a host of Web pages, including secure HTTPS pages. To accomplish this, Superfish tinkered with Windows' cryptographic security, according to numerous reports. But that move left a host of encrypted data -- including passwords and bank account numbers -- at risk.
Lenovo argued that hacking allegations should be dismissed on the grounds that it never accessed people's computers without authorization, or obtained users' personal information.
Whyte rejected that argument, noting that the hacking claims against Lenovo were based on allegations that the company "conspired to enable Superfish to access the laptops after they were sold to consumers."
He denied Lenovo's motion to dismiss allegations that the company violated the federal Computer Fraud and Abuse Act as well as the California Computer Crime Law. Whyte dismissed several other claims, but without prejudice -- meaning that the consumers can revise their allegations and bring them again.
The judge also ruled that the consumers who are suing can proceed as a class.
News of Lenovo's deal with Superfish drew widespread criticism from watchdogs like the Electronic Frontier Foundation, which called Lenovo's decision to embed Superfish “catastrophically irresponsible.”
After reports surfaced about Superfish's problems, Lenovo said it stopped preloading the software and shut down server connections that enabled Superfish. The company also posted instructions telling people how to remove Superfish, and said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.