If you have a three-year-old Lenovo laptop at home, it may be secretly collecting “visual data” on your web-browsing habits and using it for advertising purposes.
The Federal Trade Commission announced Tuesday that it had settled with the Beijing-based electronics company over three violations that show how the agency is continuing to clamp down on companies that invade customer privacy.
Acting FTC chairman Maureen Ohlhausen told Inverse Tuesday during a teleconference that some 750,000 Lenovo laptops — sold between August 2014 and June 2015 — came pre-installed with a program called VisualDiscovery, made by the Palo Alto, California-based firm SuperFish. The software would act as a “man-in-the-middle” between a consumer’s browser and the website they visited.
“Imagine the online equivalent of someone, without your knowledge, intercepting your mail, opening it, reading it, re-sealing it, and putting it back in your mailbox,” Ohlhausen said. “That’s what we allege the software did.”
If you’re curious how Visual Discovery scraped user data to make money, Naked Security offers this great example: “If you’re looking at an ad for a chest of drawers, Superfish, going by the example on its own website, can help you find a matching sideboard (credenza).” The software would then “keep its eye out for related sites, all based on images instead of relying on old-fashioned keywords.”
It would also keep its eyes on consumers’ personal info, like log-in credentials, Social Security numbers, bank account information, medical information, and emails, investigators learned. And if you went to a “spoofed” website, i.e., one that looked like a furniture store but was really data-capturing one, you’d be up a creek.
How did this mess, exactly? Superfish is a third-party vendor, and while Ohlhausen didn’t say that Lenovo was unaware this software was spying on users, she did call on computer-makers to be cautious about partnering up with contractors that might not have the best intentions.
“Everybody in the chain needs to pay attention,” she said. “This happened to be one of the world’s largest computer manufacturers and I think it sends an important message: If you are going to install these kinds of software, you need to pay attention to what it’s collecting, what you’re telling consumers, and the kinds of risks that it might be creating.”
Ohlhausen also took a moment to connect the dots about the FTC’s reinvigorated mission to protect consumers from tech companies that surreptitiously scrape personal data.
“To put today’s announcement in context, this is the third privacy case that the FTC has announced in the past 30 days,” Ohlhausen said. “The first was against Uber and the second was tax preparation firm TaxSlayer.
“Those of you who follow the FTC can find some common themes from these cases: All of them involve sensitive information, so driver’s license numbers, and other financial information, in the Uber case,” she said. “Social Security numbers and tax information in TaxSlayer. And contents of consumer’s information in today’s case. All of the cases involve conduct that caused or was likely to cause substantial harm to consumers.”
Here are the affected Lenovo computers
Affected Lenovo models include many in its affordable range — the lower half of its range — giving the possible interpretation that Superfish was targeting low-income or young consumers. Included brands were the E-Series, Edge Series, Flex-Series, G-Series, Miix Series, S-Series, U-Series, Y-Series, Yoga Series, and Z-Series. Here’s a full list:
What’s Lenovo’s punishment?
At this stage, the FTC can’t actually levy any sort of fine against Lenovo, but if Lenovo violates the orders the FTC announced, the federal agency can lay down the fine hammer.
However, the attorneys general in 32 states acted alongside the FTC and those states have fined the company. In total, Lenovo will pay out $3.5 million to the 32 states. The leading state in the case was Connecticut, and its attorney general, George Jepsen, announced Tuesday that the state will receive $286,145 in settlement funds.
What’s next for Lenovo? Well, “Lenovo will have to ask users to give permission when the company pre-installs software (with certain limited exceptions) if it functions as adware, or if it sends personal information to another company.” Exceptions include things like parental controls or anti-virus software.
How to remove Superfish spyware from your Lenovo computer
The company set up a web page — “Superfish Uninstall Instructions” — after reports on security blogs in early 2015 shined a light on the spyware. Lenovo said Tuesday that it didn’t know of any cases of tampering.
“To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications,” the company announced with a statement on its website Tuesday.