Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Cybersecurity and Adware: The FTC’s Settlement with Lenovo

The FTC and 32 state attorneys general announced a settlement with Lenovo Inc., one of the largest computer manufacturers, resolving allegations that Lenovo harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers.

The FTC’s complaint alleged that in August 2014 Lenovo began selling consumer laptops that came with preinstalled ad-injecting software known as VisualDiscovery, which was developed by Superfish, Inc. This adware delivered pop-up ads for similar-looking products sold by Superfish’s retail partners whenever a consumer’s cursor hovered over the image of a product on a shopping website. To inject pop-up ads into encrypted https:// websites, VisualDiscovery installed a self-signed root certificate in the laptop’s operating system, which caused consumers’ browsers to automatically trust any certificate signed by VisualDiscovery. Digital certificates are part of the Transport Layer Security protocol; when properly validated, they serve as proof that consumers are communicating with the authentic https:// website and not an imposter.

The FTC’s complaint alleges that this substitution of digital certificates created significant security vulnerabilities. The complaint notes that in September 2014 a security researcher reported to Lenovo that there were problems with VisualDiscovery’s interactions with https:// websites. The security risks became widely known in February 2015, when the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security responsible for analyzing and reducing cyber threats and vulnerabilities, issued a public warning about the VisualDiscovery security vulnerabilities. US-CERT recommended that consumers remove VisualDiscovery with a free removal tool offered by Lenovo that would also remove its root certificate, because opting out of, disabling or uninstalling VisualDiscovery alone would not address the security vulnerabilities. Lenovo stopped shipping laptops with VisualDiscovery preinstalled in late February 2015, though some laptops were still being sold through June 2015.
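The two preceding paragraphs describe the mechanism (a self-signed root added to the trust store makes any certificate that root signs look authentic) and US-CERT’s point that uninstalling the software does not undo it. The following script, added here as an illustration and not taken from the post or from Lenovo’s tooling, reproduces both with certificates it constructs on the fly using openssl; all names are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): why an injected root certificate defeats
# TLS authentication, and why uninstalling the adware alone is not enough.
# All certificates here are constructed on the fly; the names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root NAME FILE: a self-signed root, like the one the adware installed.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# sign_leaf HOST ROOTFILE OUT: a server certificate minted by that root, which
# is what an interception proxy presents in place of the real site's own.
sign_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$3.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -out "$3.crt" >/dev/null 2>&1
}

# verify_chain STORE CERT: prints "trusted" if CERT chains to a root in STORE.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

new_root "Constructed Genuine Root"      "$WORK/genuine"
new_root "Constructed Interception Root" "$WORK/injected"
sign_leaf "shop.example" "$WORK/injected" "$WORK/leaf"
LEAF="$WORK/leaf.crt"

GENUINE_STORE="$WORK/store-genuine.pem"    # the trust store as shipped
INJECTED_STORE="$WORK/store-injected.pem"  # after the adware adds its root
CLEANED_STORE="$WORK/store-cleaned.pem"    # after the root entry is deleted
cat "$WORK/genuine.crt" > "$GENUINE_STORE"
cat "$WORK/genuine.crt" "$WORK/injected.crt" > "$INJECTED_STORE"
# Uninstalling the program does not touch the trust store; only deleting the
# root entry itself restores the original state, which is the US-CERT point.
cp "$GENUINE_STORE" "$CLEANED_STORE"

echo "genuine store : $(verify_chain "$GENUINE_STORE" "$LEAF")"   # rejected
echo "injected root : $(verify_chain "$INJECTED_STORE" "$LEAF")"  # trusted
echo "root removed  : $(verify_chain "$CLEANED_STORE" "$LEAF")"   # rejected
```

The same `verify_chain` check, pointed at a machine’s real trust store and at a certificate captured from a browser session, tells a defender whether an unexpected root is silently vouching for sites.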

The complaint highlights what the FTC considers to be inadequate data security practices in this context:

  • The failure to adopt and implement written data security policies applicable to third-party preinstalled software;
  • The failure to adequately assess the data security risks of third-party software prior to preinstallation;
  • The failure to request or review any information prior to preinstallation about Superfish’s data security policies, procedures, or practices;
  • The failure to require Superfish by contract to adopt and implement reasonable data security measures;
  • The failure to assess VisualDiscovery’s compliance with reasonable data security standards; and
  • The failure to provide adequate data security training for employees responsible for testing third-party software.

The FTC’s complaint includes one deception count and two unfairness counts.

  • The unfairness counts focus on the security vulnerabilities noted above.
  • The deception count focuses on Lenovo’s failure to make adequate disclosures about VisualDiscovery to consumers. The complaint found that a one-time pop-up window with a small opt-out link at the bottom of the pop-up was easy to miss. By clicking the pop-up’s “x” close button, the consumer was opted into the software.

The FTC’s settlement prohibits Lenovo from making any misrepresentation about any feature of covered software, which includes application software that injects advertisements into a consumer’s internet browsing session or that transmits or causes the transmission of sensitive personal information. In addition, Lenovo is required to obtain a consumer’s affirmative express consent before any preinstalled software injects ads into a consumer’s internet browsing session or transmits or causes the transmission of the consumer’s personal information to any person other than the consumer. Lenovo must also provide instructions on how to revoke consent, and provide a reasonable and effective means for consumers to opt out of, disable or remove all of the covered software’s operations.

In addition, the settlement requires Lenovo to establish, implement and maintain a comprehensive software security program designed to address security risks in software preinstalled on its personal computers, and to undergo biennial third-party assessments of that mandated program for the next 20 years. Under a separate state agreement, Lenovo agreed to pay 32 state attorneys general $3.5 million in fines.

FTC Commissioner Terrell McSweeny and Acting Chairman Maureen Ohlhausen issued separate statements. Commissioner McSweeny supported the issuance of the complaint and settlement, but was troubled by the practices the FTC did not challenge. Specifically, she notes in her statement that the complaint describes how the software would inject pop-up ads every time consumers visited a shopping website and disrupt web browsing by reducing download and upload speeds, and she states that the failure to disclose this information is deceptive and thus worthy of agency action.

Acting Chairman Ohlhausen’s statement notes her support of the complaint and consent, but disagrees with Commissioner McSweeny. In her view, Lenovo failed to disclose that VisualDiscovery would act as a man-in-the-middle, but did disclose that the software would introduce advertising into consumers’ web browsing. Therefore, Acting Chairman Ohlhausen stated that, while the disclosures could have been clearer, it was unnecessary to disclose that the advertising software would likely affect the consumer’s browsing experience, because ordinary consumers expect advertising software to affect their web browsing experience.

The settlement is out for public comment and the deadline for submitting comments is October 5, 2017.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

September 7, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Retail
Tags: Advertising, FTC, Software