In a settlement that should send a signal to computer companies about protecting cybersecurity, computer giant Lenovo has agreed to settle charges with the FTC and states attorneys general that it pre-loaded pop-up ad related software on laptops that compromised user security.
The FTC had charged that beginning in August 2014, Lenovo had pre-installed a software program, VisualDiscovery, that "interfered" with a browser's interaction with web sites and created "serious security vulnerabilities." It said the company's disclosures were inadequate, that it had put consumers' personal information at risk, that it failed to take reasonable security measures, and that it had harmed consumers.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen in announcing the settlement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
Lenovo, as part of the settlement is prohibited from misrepresenting any features of preloaded software that injects ads into browsing sessions or transmits sensitive consumer info to third parties, and must get affirmative—opt-in—consent for any such features. IT must also institute a software security program that must be reviewed biennially by an independent third party and report regularly to the FTC on compliance with the settlement.
Ohlhausen said three key takeaways from the decision were the importance of disclosure, that while Lenovo or a similar company did not have liability over everything a third party might do with info, it had a responsibility to include contractual language addressing security, and that this, the third privacy case the FTC has announced in the past three days--Uber and TaxSlayer were the others--illustrated that the FTC continued its leadership in protecting consumer privacy.
Ohlhausen has argued that if the FCC returns online privacy oversight to the FTC, the latter has the tools to protect consumers' privacy and security online and will use them.
The FTC did not levy a fine on the company because it can't level civil penalties on a first offense. But Ohlhausen did say that the attorneys general can and did seek civil penalties in their separate settlement, and that the FTC could seek such penalties if Lenovo violates its agreement.
The VisualDiscovery Software (created by SuperFish), was on hundreds of thousands of Lenovo computers, said the FTC, and would show a pop-up ad from a Lenovo retail "partner" whenever the cursor was on a similar looking product on a web site.
VisualDiscovery was a middleman between a browers and a web site, even encrypted web sites, without a consumer's knowledge of consent, said the FTC. And while the FTC said that while SuperFish only transmitted information such as the web sites a user went to and a user's IP address, it also had access to personal information including log-ins, social security numbers and medical and financial information, all sensitive personal information that is supposed to get heightened protections.
Ohlhausen likened it to being able to open a piece of mail, read it, reseal it, then put it back in the mailbox without the recipient ever knowing it had been accessed.
The FTC also claimed that the information VisualDiscovery had access to was not secure and did not allow browsers to warn web surfers if they were visiting malicious web sites. The FTC alleges that Lenovo did not discover the security vulnerabilities because it failed to assess the security risks of pre-loaded third-party software.
A federal court still has to sign off on the settlement, which is essentially a formailty. The FTC files suit with the court and then the settlement at the same time, then it is up to the court to agree to it.
(Photo via Jeff Kubina's Flickr. Image taken on June 20, 2017 and used per Creative Commons 2.0 license. The photo was cropped to fit 16x9 aspect ratio.)
