Lenovo banned from installing bloatware on its laptops after Superfish

Lenovo cannot install any bloatware on its laptops without customers' express agreement, under the terms of its settlement with the Federal Trade Commission (FTC) over the Superfish scandal.

On top of a $3.5 million fine that the company agreed to pay in September, Lenovo will now be required to obtain express consent from consumers before any preinstalled software is able to run on a laptop, as well as provide an easy means of uninstalling any Lenovo tools.

The decision, announced yesterday, concludes the FTC's long-running complaint against the company, which stated that Lenovo compromised security in order to deliver targeted advertising to its customers.

The company has also agreed to open itself up to regular third party auditing over the next 20 years, part of which will involve the creation of a "comprehensive software security program" that will identify risks to applications, and protect information collected on customers.

In the original complaint against Lenovo, the FTC charged that "beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a pre-installed advertising software program called VisualDiscovery that interfered with how a user's browser interacted with websites and created serious security vulnerabilities".

It was found that the VisualDiscovery was a modified version of the Superfish adware, a tool that allowed web pages to deliver targeted advertising to users when their mouse hovered over links. The tool was installed on hundreds of thousands of Lenovo machines and advertised as a search assistant to help users find similar products to those shown on screen.

However, VisualDiscovery was found to not only collect vast quantities of user data, such as logins, payment information and social security numbers, but also contained a major security risk that allowed hackers to access the encrypted data sent over the internet.

Following FTC intervention in 2014, 32 US states issued lawsuits against the company that alleged the software violated the regulator's provisions that block misleading practices, prompting Lenovo to pull VisualDiscovery from future machines.

A Lenovo spokesman told IT Pro: "Lenovo has been informed that the FTC has given final approval to the settlement announced in September which now brings this matter to a close."

06/09/2017: Lenovo settles Superfish spyware lawsuit for $3.5m

Lenovo has agreed to settle the Superfish spyware case with the Federal Trade Commission (FTC) and 32 states for $3.5 million.

Lenovo preloaded the bloatware on some of its consumer notebooks which delivered ads to users and risked compromising their security, according to the FTC's charges. The Superfish adware was installed on hundreds of thousands of laptops and potentially allowed hackers to access users' encrypted data when it loaded visual search results into users' browsers, security experts warned back in 2015.

As part of the settlement, Lenovo must not misrepresent preloaded software on its laptops which transmit sensitive data to third-parties, or force users to look at advertising. Instead, it will need user consent before installing this type of software and must also implement a software security program for consumer software on its laptops for the next 20 years.

Lenovo began selling its laptops in August 2014 preloaded with software called VisualDiscovery, which interfered with user's browsers and "created serious security vulnerabilities", the FTC said.

Acting FTC chairman Maureen Ohlhausen said: "Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on."

Lenovo said it stopped preloading VisualDiscovery into its laptops once it learnt of the issues, and tried to remove the software from existing PCs.

It added: "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today."

Superfish inadvertently enabled a "man-in-the-middle" technique, where VisualDiscovery was able to access all of a user's personal information sent over the internet, such as their login details, social security numbers, and even payment information.

VisualDiscovery replaced a website's digital certificate with its own to impersonate SSL-enabled websites, which meant consumers were not warned before they visited potentially malicious websites with invalid digital certificates. This was because the spyware did not verify if a certificate was valid before it replaced it. This would allow hackers to monitor users' every action online, including bank and email activity.

The FTC has previously cracked down on tech support scams that fool users into thinking their computers are infected and charge them money for "fixing" them. It took action against four more companies and their subsidiaries in May, and worked with tech companies such as Apple and Microsoft to prevent the scams and take action against criminals.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.