Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lenovo Hit With Lawsuit Over Superfish Adware

Posted by samzenpus on from the here-comes-the-trouble dept.

An anonymous reader writes with news that the fallout from the Superfish fiasco might just be starting for Lenovo. "Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with 'fraudulent' business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."

7 of 114 comments (clear)

  1. Re:Read the EULA... the lawsuit has no merit. by hey! · · Score: 5, Interesting

    The issue isn't whether EULAs are *potentially* enforceable. The question is whether *this* EULA is enforceable.

    In general there is no contract unless their is some kind of exchange of "considerations". Typically the consideration is the privilege of using the copyright holder's software. But, if you can show that users don't want to use this software, and that it is installed for the benefit of a third party, there is no exchange of considerations between the end-user and the copyright holder, and therefore no valid contract.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Re:Lawyers rejoice!! by Dutch+Gun · · Score: 4, Interesting

    I'm not usually one to celebrate lawsuits. And you're right, there's not a lot of individual damage per computer. Rather, I'm perfectly fine with a modest payout per users that punishes Lenovo for this, both monetarily and with bad press. This sort of behavior absolutely has to stop, and I'm willing to enrich a few lawyers to make it happen. Sacrifices must be made for the greater good, I suppose.

    Maybe this will wake people up to the fact that we seriously need some stronger consumer privacy laws. I'm also typically one who prefers to let markets manage themselves until it's clear that government actually needs to step in. I'm afraid we're at that point, because it's abundantly clear that too many companies are willing to go to just about any lengths to extract personal data from people in unscrupulous ways (as well as the government itself, ironically, but we'll tackle that issue separately).

    So, yeah, it is actually a BFD. In fact, not every business customer uses their own system image - especially smaller business. And just because a personal user chooses specific services like Google whom they may trust, it does not give another company the right to make those decisions on their behalf. Many of those customers may well have chosen to avoid such services for that very reason. That choice was taken away from them, and instead, the computer they paid for was made less secure by that adware which was forced on them unknowingly. Fine, it's a first world problem, but that doesn't mean it's not a problem.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  3. Re:Lawyers rejoice!! by stephanruby · · Score: 4, Interesting

    I fail to see what kind of financial loss Lenovo customers might have incurred over this incident to warrant a class action suit.

    Even if the class action suit only wins one penny, it will be worth it. Having a verdict on this issue can set a legal precedent (especially since Lenovo is probably not interested in defending the case too hard either).

    For instance, it could pave the way for more easily winning a class action against Verizon. Verizon's case is a bit different, especially now that they're supposedly giving their customers the option to opt-out, but with a little bit of luck, a quick verdict on the Lenovo case could make Verizon reconsider its ongoing super-cookie/man-in-the-middle attack strategy against its own customers.

  4. Re:Is this the right way? by swb · · Score: 3, Interesting

    Why not both? AFAIK there is no double-jeopardy protection between civil and criminal cases.

    Sure, the lawyers could get rich on a class action settlement but you never know, the class could get something useful out of this. I don't know what's involved in removing this spyware, but you could potentially argue for something like 4 hours of skilled time per system just to clean it as a rough median (maybe much less for brand new systems, maybe much more for systems that would need to be wiped, re-setup and have apps and data put back on). And that doesn't include any claims for damages resulting from the infection itself, just remediation. Even if Lenovo bargained that down to half, in theory they could be on the hook for $200 per machine.

  5. Re:Lawyers rejoice!! by Aaden42 · · Score: 4, Interesting

    That’s simple assuming anyone in the US actually gives enough of a damn. If fines are levied on Lenovo as a result of this lawsuit, US Customs would be within their power to seize any Lenovo merchandise shipped to the US at the border until all fines are paid in full.

    That’s a pretty good whack in the bottom line for any company, regardless of the nation in which they’re located. As long as they expect to sell their widgets to people physically located in the United States, US law can trivially be applied to them in such a way that they would need to comply before they may continue to operate profitably.

    Whether this suit will be successful of course is a completely different story, but there’s no problem enforcing any judgement which may emerge from it.

  6. Huge Ramifications to All Companies by FrodoOfTheShire · · Score: 3, Interesting

    If the Class Action is successful, then other companies could be sued too. Samsung started accidentally inserting ads right into television broadcasts while a show was playing recently. They built their ad serving infrastructure right into the televisions they sold. Samsung and Lenovo are stealing internet bandwidth to show their self serving ads, and without users' knowledge, as well as compromising the security and privacy a user should expect to have.
    I expect Lenovo will get a lot of support from corporations like Samsung in this class action suit because of the ramifications the outcome of the case has for the other corporations.

  7. Re:How's this any different... by eth1 · · Score: 4, Interesting

    Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks") do the exact same thing.

    Totally different:
    1. In a proxy, the key used to sign MITM traffic is on a device not accessible to anyone but the admins, not stored on a PC (probably improperly secured) that other malware could access.
    2. A good proxy will check certs on the server side of the connection. The one we use will either "pass through" certificate errors, or allow us to block sites with invalid certs entirely.
    3. A proper setup will use the URL categorization to not MITM certain traffic. We decrypt anything that's blocked (you have to in order to deliver a block page without cert errors), but that's not a big deal since it never even talks to the server. We also don't decrypt healthcare, banking, shopping, etc.