September 6, 2017 // 9:10 a.m.
Lenovo has announced a settlement with the US Federal Trade Commission (FTC) over malware it bundled with its consumer products in 2014 and 2015 which will see the company submit to third-party security audits and undertake moves to gain informed consent from its users before installing software which is designed to gather personal information.
Lenovo landed in hot water in 2015 when it was discovered that an advertising tool dubbed VisualDiscovery from a company called Superfish and pre-installed on selected Lenovo consumer devices for revenue-generation purposes had gaping security holes which allowed attackers to silently decrypt and modify supposedly-encrypted communications. At the time Lenovo denied the software had any such security vulnerability, a denial it was forced to recant following the publication of step-by-step instructions for exploiting the flaw.
While the company stopped pre-loading what become known as the 'Superfish malware' and worked with anti-virus creators to detect and remove the vulnerability, it has been under investigation by the US Federal Trade Commission for the past two years - an investigation which has now completed with the finding that Lenovo did indeed put its customers at risk to turn a quick buck.
'Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use,' says acting FTC chair Maureen K. Ohlhausen in the announcement of the ruling. 'This conduct is even more serious because the software compromised online security protections that consumers rely on.'
Lenovo, however, has successfully dodged a fine for its actions: While some press reports have put the company's costs to settle with the 32 states named in the complaint at around $3.5 million (around £2.68 million), the FTC's official ruling does not require the payment of a federal fine but instead enjoins Lenovo in an agreement to submit to third-party security audits, to never misrepresent the purpose of any software, and to agree to never again pre-install software designed to gather personal information without the user's explicit consent.
'While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after two and a half years,' a Lenovo spokesperson claimed following the ruling's publication. 'Product security, privacy and quality are top priorities at Lenovo. We have a responsibility to deliver products and solutions that maintain the high standards we set for customer experience while also protecting the privacy, integrity, and availability of our customers' data.'