Lenovo settles FTC, state complaints on preinstalled invasive adware

Computer hardware giant Lenovo settled Tuesday with the Federal Trade Commission and 32 state attorneys general in a case arising from the sale laptops preloaded with invasive adware that compromised consumer security — but the company denies any wrongdoing.

The FTC deal involves no direct financial penalty, and the company can even resume installing the VisualDiscovery adware on its products — as long as it gets affirmative consent to do so from each consumer, and as long as there is an effective and accessible way for consumers to opt out, according to the settlement.

Lenovo will pay $3.5 million to settle the state cases, although in a statement the company denied any wrongdoing, and noted that there’s no evidence of any security breaches as a result of the adware install.

“This case … emphasizes the importance of adequate disclosure,” FTC acting Chairwoman Maureen Ohlhausen told reporters in a conference call. “If you’re going to track people in unexpected and risky ways, make sure you’re clear about what you’re doing and get consumers’ permission.”

She brushed aside suggestions that this was a slap on the wrist that actually enabled the company to continue using the adware. The disclosures would have to be “clear and conspicuous,” she said. “You can’t bury it in legalese.”

VisualDiscovery is a software package intended to promote specific partner e-commerce sites by creating pop-up ads related to a user’s activity on the web. In order to monitor behavior to better aim the ads, the software interposed itself between users and the websites they were visiting, even when the traffic had been encrypted to protect the users’ security and privacy. VisualDiscovery, made by Chinese software company SuperFish, effectively launched a man-in-the-middle attack against the user of any laptop it was installed on, the FTC said in its complaint.

Ohlhausen told reporters that Lenovo had deceived consumers by not letting them know about the  interception of users’ browsing through use of a self-signed encryption certificate. “These facts would have been material to consumers, and Lenovo’s failure to disclose them was deceptive,” she said.

But in a statement released alongside the settlement, she added that there was a higher standard for deception by omission than by commission. An omission, she wrote, can only be “misleading under the FTC Act if the consumers’ ordinary fundamental expectations about the product were violated. Mere annoyances that leave the product reasonably fit for its intended use do not meet this threshold.”

In this case, she continued, the properties of the VisualDisplay adware “rendered useless a critical security feature of the laptops’ web browsers”  — i.e. web-traffic encryption — and “introduced gross hazards inconsistent with ordinary consumer expectations about the minimum performance standards of software [rendering it] … unfit for its intended use.”

Under the consent order published Tuesday, the company, while not admitting any wrongdoing, has to:

• End any misrepresentation of its products, including by omission.
• Get affirmative consumer consent to install invasive software on its products in the future.
• Institute a software security program to assess the company’s software products, document it and appoint a company executive to oversee and be responsible for it.
• Submit to biennial audits of its software security program for the next 20 years.

The state cases alleged that Lenovo violated consumer protection laws by failing to adequately ensure the security of VisualDiscovery, to disclose its presence or to provide adequate opt-out procedures, according to a statement from Connecticut, the lead state in the case.

After security researcher Peter Horne uncovered the man-in-the-middle activity in February 2015, Lenovo started shipping laptops with a different version of the software, which didn’t work on encrypted websites and didn’t use the self-signed certificate, the FTC said. But even then, the company took no action to disclose the software to new purchasers and while they provided a removal tool they didn’t ensure it was cleaned from the 750,000 laptops already shipped in the U.S. with the adware installed. The state action included allegations that some laptops with the software were still being sold by various retail outlets as late as June 2015.

“We appreciate Lenovo’s cooperation in bringing this matter to an appropriate resolution,” said Connecticut Attorney General George Jepsen.

“To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications,” the company said in its statement, “While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after two-and-a-half-years.”