The Federal Trade Commission has given final approval to a settlement with Lenovo Inc., related to charges that the company harmed consumers by pre-loading software on some laptops that compromised security protections to deliver ads to consumers, the FTC announced Jan. 2.
In its complaint, the FTC charged that beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled advertising software program called VisualDiscovery that interfered with how a user’s browser interacted with websites and that it created serious security vulnerabilities.
VisualDiscovery software, developed by a company called Superfish, Inc., was installed on hundreds of thousands of Lenovo laptops. It delivered pop-up ads from the company’s retail partners whenever a user’s cursor hovered over a similar-looking product on a website. In this way, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited in order to deliver its ads, even on websites that were encrypted. Without the consumer’s knowledge or consent, this technique allowed VisualDiscovery to access all of a consumer’s sensitive personal information transmitted over the internet, including login credentials, Social Security numbers, medical information, and financial and payment information.
Additionally, while VisualDiscovery collected and transmitted to Superfish’s servers more limited information, such as the websites the user browsed and the consumer’s IP address, Superfish had the ability to collect more information.
To facilitate its display of pop-up ads on encrypted websites, those that include https:// in the web address, the complaint also alleges that VisualDiscovery used an insecure method to replace digital certificates for those websites with its own VisualDiscovery-signed certificates. Digital certificates are used to signal to users’ browsers that the encrypted websites they visit are authentic, secure and not fakes. VisualDiscovery, however, did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using unique passwords for each laptop, according to the FTC.
Because of these security vulnerabilities, consumers’ browsers could not warn users when they visited potentially spoofed or malicious websites with invalid digital certificates. The vulnerabilities also enabled potential attackers to intercept consumers’ electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password. The complaint alleges that Lenovo did not discover these security vulnerabilities because it failed to assess and address security risks created by the third-party software it preloaded on its laptops.
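The condition the complaint describes, a trusted root certificate whose signing key lives on the laptop itself, is something a defender can check for directly. The following PowerShell is an added example, not part of the FTC release, and assumes a Windows host where the `Cert:` drive is available; it lists self-signed roots in the machine and user trust stores that have a private key present locally, which is the property that lets interception software mint certificates for any site.

```powershell
# Added check: list trusted root CAs on this machine whose private key is
# also present locally. A root certificate the laptop can sign with is the
# condition that lets interception software issue certificates for any
# website, so every hit should be explained or removed.
function Get-LocalRootCaWithPrivateKey {
    [CmdletBinding()]
    param(
        # Trust stores to inspect; browsers that use the Windows store consult both.
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            # Only self-signed roots matter here; an intermediate sitting in the
            # root store is a separate oddity worth its own review.
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            if ($cert.HasPrivateKey -and $selfSigned) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Finding    = 'Trusted root CA with private key available on this host'
                }
            }
        }
    }
}

# Run from an elevated prompt so the LocalMachine store is fully readable.
Get-LocalRootCaWithPrivateKey | Format-Table -AutoSize
```

Collected across a fleet, the same thumbprint reported with a local private key on many hosts is exactly the shared-key condition described above, as opposed to a per-device key generated at install time.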
As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will insert advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties. If the company preinstalls this type of software, the order requires the company to get consumers’ affirmative consent before the software runs on their laptops, according to the FTC. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. Further, the security program will be subject to third-party audits.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).