Lenovo banned from installing bloatware on its laptops after Superfish

Lenovo also agrees to FTC security audits, on top of a $3.5 million fine

Lenovo cannot install any bloatware on its laptops without customers' express agreement, under the terms of its settlement with the Federal Trade Commission (FTC) over the Superfish scandal.

On top of a $3.5 million fine that the company agreed to pay in September, Lenovo will now be required to obtain express consent from consumers before any preinstalled software is able to run on a laptop, as well as provide an easy means of uninstalling any Lenovo tools.

Advertisement - Article continues below

The decision, announced yesterday, concludes the FTC's long-running complaint against the company, which stated that Lenovo compromised security in order to deliver targeted advertising to its customers.

The company has also agreed to open itself up to regular third party auditing over the next 20 years, part of which will involve the creation of a "comprehensive software security program" that will identify risks to applications, and protect information collected on customers.

In the original complaint against Lenovo, the FTC charged that "beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a pre-installed advertising software program called VisualDiscovery that interfered with how a user's browser interacted with websites and created serious security vulnerabilities".

It was found that the VisualDiscovery was a modified version of the Superfish adware, a tool that allowed web pages to deliver targeted advertising to users when their mouse hovered over links. The tool was installed on hundreds of thousands of Lenovo machines and advertised as a search assistant to help users find similar products to those shown on screen.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

However, VisualDiscovery was found to not only collect vast quantities of user data, such as logins, payment information and social security numbers, but also contained a major security risk that allowed hackers to access the encrypted data sent over the internet.

Following FTC intervention in 2014, 32 US states issued lawsuits against the company that alleged the software violated the regulator's provisions that block misleading practices, prompting Lenovo to pull VisualDiscovery from future machines.

A Lenovo spokesman told IT Pro: "Lenovo has been informed that the FTC has given final approval to the settlement announced in September which now brings this matter to a close."

06/09/2017: Lenovo settles Superfish spyware lawsuit for $3.5m

Lenovo has agreed to settle the Superfish spyware case with the Federal Trade Commission (FTC) and 32 states for $3.5 million.

Lenovo preloaded the bloatware on some of its consumer notebooks which delivered ads to users and risked compromising their security, according to the FTC's charges. The Superfish adware was installed on hundreds of thousands of laptops and potentially allowed hackers to access users' encrypted data when it loaded visual search results into users' browsers, security experts warned back in 2015.

Advertisement - Article continues below

As part of the settlement, Lenovo must not misrepresent preloaded software on its laptops which transmit sensitive data to third-parties, or force users to look at advertising. Instead, it will need user consent before installing this type of software and must also implement a software security program for consumer software on its laptops for the next 20 years.

Lenovo began selling its laptops in August 2014 preloaded with software called VisualDiscovery, which interfered with user's browsers and "created serious security vulnerabilities", the FTC said.

Acting FTC chairman Maureen Ohlhausen said: "Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on."

Lenovo said it stopped preloading VisualDiscovery into its laptops once it learnt of the issues, and tried to remove the software from existing PCs.

Advertisement - Article continues below

It added: "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today."

Superfish inadvertently enabled a "man-in-the-middle" technique, where VisualDiscovery was able to access all of a user's personal information sent over the internet, such as their login details, social security numbers, and even payment information.

VisualDiscovery replaced a website's digital certificate with its own to impersonate SSL-enabled websites, which meant consumers were not warned before they visited potentially malicious websites with invalid digital certificates. This was because the spyware did not verify if a certificate was valid before it replaced it. This would allow hackers to monitor users' every action online, including bank and email activity.

Advertisement - Article continues below

The FTC has previously cracked down on tech support scams that fool users into thinking their computers are infected and charge them money for "fixing" them. It took action against four more companies and their subsidiaries in May, and worked with tech companies such as Apple and Microsoft to prevent the scams and take action against criminals.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/hardware/laptops/354709/hands-on-with-lenovos-2020-business-hardware-lineup
Laptops

Hands-on with Lenovo's 2020 business hardware lineup

5 Feb 2020
Visit/hardware/laptops/354694/lenovo-thinkpad-x1-fold-hands-on-review-first-foldable-pc-feels-like-the
Laptops

Lenovo ThinkPad X1 Fold hands-on review: First foldable PC feels like the future

3 Feb 2020
Visit/hardware/laptops/354654/lenovo-thinkbook-13s-review-unassuming-but-dependable
Laptops

Lenovo ThinkBook 13s review: Unassuming but dependable

28 Jan 2020
Visit/hardware/354336/the-it-pro-products-of-the-year-2019-all-the-years-best-hardware
Hardware

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/security/data-breaches/355173/marriott-hit-by-data-breach-exposing-personal-data-of-52-million
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020