One of the world’s largest computer manufacturers has agreed to settle charges by the Federal Trade Commission and 32 state Attorney Generals for selling laptops that contained pre-installed software which compromised security protections in order to deliver ads to consumers.
According to the FTC, Lenovo began selling laptops with a preinstalled “man-in-the-middle” software program called VisualDiscovery in August 2014. The software, developed by a company called Superfish, Inc., was installed on hundreds of thousands of Lenovo laptops. It delivered pop-up ads from the company’s retail partners whenever a user’s cursor hovered over a similar looking product on a website.
To deliver its ads, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited, including encrypted websites. Unknown the consumer, this “man-in-the-middle” technique allowed VisualDiscovery to access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen.
The FTC complaint stated VisualDiscovery used an insecure method to display popup ads on secure websites. The method did not allow a consumer’s browser to warn its user when they visited possible malicious websites and allowed attackers to intercept consumers’ electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password.
“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company said.
As part of its settlement with the FTC, Lenovo must get a consumers consent before pre-installing this type of software and are required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops.