As Lenovo resolves the Superfish bloatware scandal from 2015, a surprising detail has emerged from the fine print of the settlement. Consumers who bought Lenovo laptops with “man-in-the-middle” Superfish adware (by a company called VisualDiscovery) likely fell for a trick later made infamous by Microsoft: clicking the “X” to dismiss the program actually opted them into it.
Lenovo settled with the Federal Trade Commission on Tuesday, paying a reported $3.5 million in fines and agreeing to other security concessions to prevent a repeat of the Superfish debacle. According to the FTC, the software allowed VisualDiscovery to see all of a consumer’s sensitive personal information transmitted over the Internet, including log-in information, Social Security numbers, and more. In 2015, Lenovo CTO Peter Hortensius called the decision to use Superfish a “significant mistake.”
Lenovo also expressed relief that the 2.5-year investigation was over. Though the company said that it was not aware of the Superfish software exploiting any vulnerabilities, Lenovo previously published details on how to remove Superfish from existing laptops. Superfish has not been loaded on Lenovo laptops since 2015.
"Product security, privacy and quality are top priorities at Lenovo," Lenovo said in a statement.
According to the FTC, Lenovo will be prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions. For 20 years, Lenovo will be required to put in place a “comprehensive software security program for most consumer software preloaded on its laptop,” subject to external audits, the FTC said. If Lenovo does put adware onto its laptops, it must “get consumers’ affirmative consent,” it added.
But it’s the issue of “affirmative consent” for which one of the FTC commissioners, Terrell McSweeny, said she felt Lenovo went too far.
McSweeny, an Obama Administration appointee whose terms ends this month, wrote in a separate statement that two key facts were never communicated to consumers. First, the Superfish software on a laptop slowed Internet speeds by as much as 125 percent; and second, that dismissing the Superfish software actually opted consumers into it.
Why this matters: Bloatware already plagues laptops and tablets. We thought Lenovo crossed the line by injecting adware—the VisualDiscovery Superfish software—which would communicate users’ private information. Digging into the settlement details reveals more—the other negative effects Superfish had on day-to-day browsing, and also the mechanism by which both companies interpreted “affirmative consent” to trick people into using the software—a dirty tactic Microsoft itself employed later to force people to upgrade to Windows 10.
When clicking the 'x' doesn't close the program
According to McSweeny, the Superfish software slowed Internet browsing, specifically downstream traffic by 25 percent and uploads by as much as 125 percent. In addition to simply slowing browser speeds, VisualDiscovery also used an insecure method to replace digital certificates, exposing users to risk and preventing their browsers from warning them that the website they were visiting could have been spoofed. And on every e-commerce site, VisualDiscovery's software would display ads.
Sign up for CIO Asia eNewsletters.