Lenovo Settles With FTC And 31 States Over Superfish 'Man-In-The-Middle' Attacks

Computer manufacturer Lenovo has agreed to obtain consumers' explicit consent before pre-installing certain types of ad-serving software, in order to settle charges brought by the Federal Trade Commission.

The manufacturer also will implement a comprehensive security program for pre-installed software, and be subject to 20 years of audits, the FTC said Tuesday. The company also agreed to pay $3.5 million to settle a complaint brought by 31 attorneys general.

The settlement and charges, unveiled Tuesday, stem from Lenovo's 2014 decision to install the ad-serving software VisualDiscovery on new notebooks. Soon after the computers shipped, it emerged that the adware had security flaws.

VisualDiscovery, which was developed by Superfish, allegedly inserted ads into a host of Web pages, including secure HTTPS pages. To accomplish this, the software tinkered with Windows' cryptographic security.

Specifically, VisualDiscovery allegedly acted as a "man-in-the-middle," causing both the browser and the website to believe that they had established a direct, encrypted connection, when in fact, the VisualDiscovery software was decrypting and re-encrypting all encrypted communications passing between them without the consumer's or the website's knowledge, the FTC alleges in its complaint. That move left a host of encrypted data -- including passwords and bank account numbers -- at risk.

News of the security glitch spurred digital rights group Electronic Frontier Foundation to condemn Lenovo's bundling decision as "catastrophically irresponsible."

The FTC alleged that Lenovo deceptively failed to disclose that the ad-serving software would act as a man-in-the-middle. The agency also said Lenovo engaged in an unfair practice by failing to address the software's security risks.

Commissioner Terrell McSweeny said Tuesday that she thought Lenovo should also have been charged with duping consumers by failing to adequately explain the disruptive nature of the adware.

"The software it preinstalled on computers would: (1) inject pop-up ads every time consumers visited a shopping website; and (2) disrupt web browsing by reducing download speeds by almost 25 percent and upload speeds by 125 percent," she stated. "These facts were not disclosed to consumers and these omissions were deceptive."

Acting FTC Chair Maureen Ohlhausen disagreed that Lenovo's alleged omissions about the adware amounted to a deceptive practice.

"Lenovo did disclose that the software would introduce advertising into consumers’ web browsing, although its disclosure could have been better," she stated. "Furthermore, to the extent ordinary consumers expect anything from advertising software, they likely expect it to affect their web browsing and to be intrusive, as the popularity of ad blocking technology shows."

Lenovo still faces a class-action suit over the adware installations.
