US Federal Trade Commission settles with Lenovo on charges that it preinstalled software that compromised online security and the privacy of users

September 6, 2017

The Federal Trade Commission announced a settlement between it, 32 State Attorneys General and Lenovo relating to a complaint that Lenovo harmed consumers' privacy and compromised data security by preloading man-in-the-middle software onto some of its laptops. The software, described as VisualDiscovery, delivered ads to the laptop owners but in doing so compromised security protections.

This is a huge settlement which deals with another questionable data security practice: installing self-serving software for commercial or marketing advantage in a way that puts consumers' privacy in jeopardy. It also highlights the dangers of “man in the middle” software.

Lenovo commenced the practice in August 2014 and it ultimately involved hundreds of thousands of laptops.  The problem was that the software:

  • interfered with how a user’s browser interacted with other websites and created security vulnerabilities.
  • accessed the user’s personal and sensitive information, including login credentials, social security numbers, medical history and financial information.
  • used an insecure method to replace digital certificates with its own VisualDiscovery-signed certificates. That removed the warnings a user would otherwise see when visiting a spoofed or malicious site with invalid digital certificates, and permitted hackers to intercept communications between the user and websites, including financial institutions.

The 14-page consent agreement is onerous and has a 20 year duration. Some, but by no means all, of the obligations on Lenovo are that it:

  • shall not make a misrepresentation, in any manner, expressly or by implication, about any feature of its software.
  • shall not preinstall or cause to be preinstalled any covered software unless it obtains the consumer’s affirmative express consent, provides instructions for how the consumer may revoke consent, including uninstalling the covered software, and provides a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.
  • must establish and implement, and thereafter maintain, a comprehensive software security program that is reasonably designed to (1) address software security risks related to the development and management of new and existing application software, and (2) protect the security, confidentiality, and integrity of covered information.
  • must obtain initial and biennial assessments by a qualified third party within 180 days and then every 2 years for 20 years.
  • must create certain records for 20 years after the issuance date of the Order, and retain each such record for 5 years, relating to revenues from all covered products sold, the costs incurred in generating those revenues, and resulting net profit or loss.
  • must keep copies or records of all U.S. consumer complaints relating to covered software or the security of application software, whether received directly or indirectly, such as through a third party, and any response.

There is a stark contrast between the long-term, onerous obligations the FTC imposes on malefactors and the insipid enforceable undertakings the Privacy Commissioner enters into with homegrown miscreants.

The media release provides:

Lenovo Inc., one of the world’s largest computer manufacturers, has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers.

In its complaint, the FTC charged that beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

VisualDiscovery software, developed by a company called Superfish, Inc., was installed on hundreds of thousands of Lenovo laptops. It delivered pop-up ads from the company’s retail partners whenever a user’s cursor hovered over a similar looking product on a website.

To deliver its ads, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited, even those websites that were encrypted. Without the consumer’s knowledge or consent, this “man-in-the-middle” technique allowed VisualDiscovery to access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information. While VisualDiscovery collected and transmitted to Superfish’s servers more limited information, such as the websites the user browsed and the consumer’s IP address, Superfish had the ability to collect more information.

To facilitate its display of pop-up ads on encrypted websites (those that include https:// in the web address), the complaint also alleges that VisualDiscovery used an insecure method to replace digital certificates for those websites with its own VisualDiscovery-signed certificates. Digital certificates are used to signal to a user’s browser that the encrypted websites visited by a consumer are authentic and not imposters. VisualDiscovery, however, did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using unique passwords for each laptop.

Because of these security vulnerabilities, consumers’ browsers could not warn users when they visited potentially spoofed or malicious websites with invalid digital certificates. The vulnerabilities also enabled potential attackers to intercept consumers’ electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password. The complaint alleges that Lenovo did not discover these security vulnerabilities because it failed to assess and address security risks created by third-party software it preloaded on its laptops.

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

Lenovo has published a statement which gives new meaning to the word “grudging” and is the corporate equivalent of bad sportsmanship. It essentially says it did nothing wrong, providing:

Today it was announced that Lenovo has reached settlements with the Federal Trade Commission (FTC) and a coalition of thirty-two U.S. states to resolve their concerns related to the third-party “VisualDiscovery” software that Lenovo preinstalled on certain consumer laptop products in late 2014 and early 2015. While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years.

After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs. (Those instructions can be found on the Lenovo website here.) To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today. 

As is usually the case, there is quite some publicity which would not be welcome to Lenovo, including a report by USA Today and the National Law Journal.
