Lenovo has reached a settlement with the U.S. Federal Trade Commission (FTC) and Attorneys General in 32 states regarding the company’s decision to preinstall man-in-the-middle (MitM) software on its laptops.
The proposed settlement is subject to public comment until October 5. If made final, Lenovo will be prohibited from misrepresenting the features of preloaded software that injects ads into browsing sessions or sends sensitive user data to third parties.
Lenovo is also required to obtain affirmative consent before activating such software, and it must maintain a comprehensive security program for preinstalled applications for a period of 20 years. This program will be subject to third-party audits.
As part of its settlement with state authorities, Lenovo will have to pay a total of $3.5 million. California, one of the states that led the investigation, will receive the largest share, specifically $389,204.
The FTC filed a complaint against Lenovo back in 2015, after security experts discovered that a browser add-on named WindowShopper (VisualDiscovery) from Superfish had been injecting ads into web pages visited by Lenovo laptop owners by using a local proxy and a self-signed root certificate. The application was reportedly installed on hundreds of thousands of laptops in late 2014 and early 2015.
The application basically launched an MitM attack on users’ browsing sessions, allowing it to intercept sensitive information transmitted over the Web. Experts also raised concerns that by replacing legitimate certificates with its own, the Superfish software exposed users to malicious websites that leveraged fake certificates.
The FTC accused Lenovo of failing to inform users that the software acted as an MitM component, activating the software without adequate notice or informed consent, and failing to take measures to assess and address the security risks introduced by the application.
“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” Lenovo said in a statement posted on its website.
“After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs,” the company said. “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.”
While members of the FTC unanimously accepted the agreement, Commissioner Terrell McSweeny issued a separate statement pointing out that the agency should have also added a charge related to Lenovo deceptively omitting that the software would alter users’ Internet experience. FTC Acting Chairman Maureen K. Ohlhausen does not agree with McSweeny’s view.
*Updated to clarify that Lenovo will have to pay $3.5 million to the 32 U.S. states