Nearly four years ago, Lenovo was making headlines over a pre-installed adware debacle. Back in 2015, the computer manufacturer was caught installing the Superfish Visual Discovery comparison-search engine software by default on its consumer laptops.
Shortly after that revelation, security experts warned that the Superfish application was not only adware but also put encrypted traffic at risk of being intercepted by attackers.
More about the Superfish Adware App
The main purpose of Superfish was to inject advertisements into the web pages visited by users, presenting them with alternative shopping results for products they had searched for, using only the image of the item.
Although the application code itself was not considered malicious, it featured a transparent man-in-the-middle service which was based on the SSL Digestor engine. The latter generates root CA certificates and private keys that are not unique.
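An added example (not from the original article, Lenovo or Superfish): because the interception root described above is not unique, it appears byte-identical in the trust store of every affected machine, which a fleet audit can detect. The host names, PEM bodies and baseline below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprints of all certificates in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found

def shared_unbaselined_roots(stores, baseline, min_hosts=2):
    """Map fingerprint -> hosts for roots that are outside the baseline and
    byte-identical on at least min_hosts machines."""
    seen = defaultdict(set)
    for host, bundle in stores.items():
        for fp in fingerprints(bundle) - baseline:
            seen[fp].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) >= min_hosts}

def _pem(raw):
    """Wrap constructed bytes in PEM armour (sample data, not a real cert)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample: exported root stores from three hypothetical laptops.
OS_ROOT = _pem(b"constructed-os-vendor-root")
INJECTED = _pem(b"constructed-preinstalled-interception-root")
LOCAL_ONLY = _pem(b"constructed-per-host-root")
BASELINE = fingerprints(OS_ROOT)  # roots the OS image is expected to ship
STORES = {
    "laptop-01": OS_ROOT + INJECTED,
    "laptop-02": OS_ROOT + INJECTED,
    "laptop-03": OS_ROOT + LOCAL_ONLY,
}

if __name__ == "__main__":
    for fp, hosts in shared_unbaselined_roots(STORES, BASELINE).items():
        print(f"unexpected shared root {fp[:16]}... on {', '.join(hosts)}")
```

Roots that are legitimately shared, such as an enterprise CA, belong in the baseline so that only unexpected shared roots are reported.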
Lenovo Reaches Settlement Agreement of $7.3 Million
Four years later, Lenovo has reached a settlement agreement with consumers who purchased an affected model, Bloomberg Law recently reported. Lenovo Group Ltd. can now move ahead with a $7.3 million settlement to end a class action alleging that its ad software exposed customer laptops to performance, privacy, and security problems, Bloomberg said.
The U.S. District Court for the Northern District of California granted initial approval of the settlement Nov. 21, four months after Lenovo and the consumer class filed with the court to end the spyware action. The SuperFish software, which Lenovo began installing in 2014, could access customer Social Security numbers, financial data, and sensitive health information, the court said.
Lenovo’s pre-installed adware/spyware case is a reminder of the fragile state of consumers’ privacy and security. It raises security concerns about device manufacturers and their undeniable attempts to capture users’ data without first informing them about these practices. And as it turns out, companies that act without proper notice and consent can face costly regulatory enforcement actions.
Court documents reveal that Lenovo installed Superfish on 28 laptop models, all of them sold in the U.S. in the period between Sept. 1, 2014 and Feb. 28, 2015.
Lenovo is set to pay $7.3 million to the settlement fund, and SuperFish will kick in another $1 million from a prior deal with consumers over the spyware issue. None of the funds will revert back to Lenovo or SuperFish and instead will go to “all persons who purchased a Lenovo computer in the United States on which VisualDiscovery was installed by Lenovo,” U.S. Judge Haywood S. Gilliam, Jr. wrote Nov. 21, Bloomberg said.