Some of you will remember that back in mid-2014 Lenovo added software called Visual Discovery by Superfish to hundreds of thousands of computers. The purpose of Visual Discovery is to “help” you by intercepting your browser communications and either inserting ads into your web traffic or redirecting you to web sites that Superfish thinks you need to visit.
If the traffic to the original web site is encrypted, Superfish decrypts that traffic without telling you so that it can “help” you, and then re-encrypts it, often in a way that is less secure than the original connection because of flaws in the Visual Discovery software.
In early 2015 the cat was let out of the bag by researchers, and the media started reporting on what Lenovo was doing. Lenovo tried, unsuccessfully, to do damage control and eventually released a utility that allowed people to uninstall the Superfish software. Without that utility there was, literally, no way to uninstall Superfish.
Since they were intercepting users’ encrypted traffic, they likely had access to medical, financial and other sensitive information, all without obvious notice to the consumer.
It is likely that Lenovo didn’t think too much about what their partner, Superfish, was doing, didn’t think much about the security implications, apparently did not look at the coding techniques that Superfish had used, and was probably only interested in the size of the commission checks they were cashing. This is all speculation on my part, but I doubt that Lenovo gave Superfish access to hundreds of thousands of their customers for free.
Well, the fallout has finally happened. It took over two years, but Lenovo and the Federal Trade Commission have come to an agreement in the form of a consent decree. A few of the highlights of the agreement:
- Lenovo does not have to admit any guilt. This is pretty typical.
- Lenovo agrees that if they ever do anything that even remotely looks like this again (which I doubt, but you never know), they will provide a clear and conspicuous disclosure and require the consumer to OPT IN, not opt out.
- Again, if they do this again, they will give the consumer the ability to opt out at any point in time and also give the consumer the ability to uninstall the software. None of this was done with Superfish, although there was a brief blurb the first time the browser was started.
- Lenovo is prohibited from making misleading representations regarding promotions like this.
- Lenovo will implement and maintain a software security program designed to address software security risks and protect customers’ information.
- They will identify a point person to manage the program, the proverbial one throat to choke (or jail).
- They will hire an outside expert to conduct software security audits every two years for the next twenty years. That is a long time to have the FTC breathing down your neck.
Suffice it to say, this is a large pile of turds; Lenovo will spend millions of dollars and the FTC will be watching closely. FOR THE NEXT TWENTY YEARS.
All this trouble to make a few bucks from ads to their customers.
The moral of this story is to think through the security implications of programs that hijack users’ traffic and therefore have significant privacy implications.
More than likely, any company that was considering doing something similar to what Lenovo was doing is reconsidering that plan. It is just not worth the risk.
Information for this post came from the FTC web site.