A group of consumers who purchased Lenovo notebooks in late 2014 and early 2015 is asking a federal judge to grant preliminary approval to a class-action settlement requiring adware company Superfish to pay $1 million.
"The settlement was the result of analysis and consideration of the litigation and financial risks faced by both sides," class counsel writes in a motion filed Friday with U.S. District Court Judge Haywood Gilliam in San Francisco. "The size of the monetary component of the Settlement is commensurate with Superfish’s financial condition and business prospects, but still represents a substantial monetary recovery."
Lenovo, which allegedly bundled Superfish's "VisualDiscovery" ad-serving software with notebooks sold around two years ago, is still fighting the lawsuit. Superfish closed last year, but reportedly re-launched as "Just Visual."
Lawyers for the consumers tell Gilliam that Superfish's business declined after reports emerged about security flaws in Visual Discovery. "Its insurance carrier disputed coverage, and a bankruptcy filing was being considered by the company," the motion states.
In addition to the monetary settlement, the proposed deal also requires Superfish to cooperate with the consumers in their lawsuit against Lenovo.
The litigation against both Superfish and Lenovo stems from revelations about security flaws in Superfish's software, which inserts ads in Web pages -- including secure HTTPS pages. To do so, Superfish circumvents with the cryptographic security of Windows' operating system, according to numerous reports. But breaking encryption also paves the way for hackers to intercept sensitive data, including passwords and online banking credentials.
When news about the technology first emerged, the digital rights group Electronic Frontier Foundation characterized Lenovo's bundling decision as “catastrophically irresponsible.”
In January 2015, soon after the security problems became known, Lenovo said it stopped preloading the software and shut down server connections that enabled Superfish. The company also posted instructions telling people how to remove Superfish, and said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.
In October, U.S. District Court Judge Ronald Whyte in San Jose ruled that Lenovo may have violated anti-hacking laws by allegedly selling notebooks that came pre-loaded with Superfish.
Lenovo argued that hacking allegations should be dismissed on the grounds that it never accessed people's computers without authorization, or obtained users' personal information.
Whyte rejected that argument, noting that the hacking claims against Lenovo were based on allegations that the company "conspired to enable Superfish to access the laptops after they were sold to consumers." The judge also denied Lenovo's motion to dismiss allegations that the company violated the federal Computer Fraud and Abuse Act as well as the California Computer Crime Law.