Slashdot Mirror


Lenovo Finally Pays $7.3 M Fine Over Invasive 2014 'Superfish' Adware Pre-Installations (softpedia.com)

Lenovo will add $7.3 million into a $1M fund settling a class action lawsuit over their undisclosed pre-installation of Superfish's targeting adware on 28 different laptop models in 2014.

Within one year the U.S. Department of Homeland Security had warned that the adware made laptops vulnerable to SSL spoofing, allowing the reading of encrypted web traffic and the redirecting of traffic from official websites to spoofs, while according to Bloomberg the original software itself also "could access customer Social Security numbers, financial data, and sensitive health information, the court said."

An anonymous reader quotes Softpedia: According to a "SuperFish Vulnerability" advisory published by Lenovo on their support website following the discovery of the pre-installed software by consumers, the VisualDiscovery comparison search engine software was designed to work in the background, intercepting HTTP(S) traffic with the help of a self-signed root certificate that allowed it to decrypt and monitor all traffic, encrypted or not.... "VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015," also states the settlement agreement. "On January 18, 2015, in response to mounting complaints about the effects of VisualDiscovery, Lenovo instructed Superfish to turn it off at the server level...."
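The interception described above works because a self-signed root certificate was added to the machine's trust store; a defender checking an affected laptop would look for exactly that. The following PowerShell check is an added example, not code from the article, Lenovo or Superfish; it assumes the injected CA's subject contains the string "Superfish", since the article gives no thumbprint.

```powershell
# Added example (not from the article): list self-signed CA certificates whose
# subject mentions Superfish in the Windows trusted root stores. The name match
# is an assumption; the article does not publish the certificate's thumbprint.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuspectRoot {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object {
            # A self-signed root has an Issuer identical to its Subject.
            $_.Subject -eq $_.Issuer -and $_.Subject -match 'Superfish'
        } | ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$hits = Find-SuspectRoot
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning "Interception-capable root CA present; remove it and the software that installed it."
} else {
    Write-Output "No Superfish-named self-signed root found in the checked stores."
}
```

Removing the entry from the root store (for example with Remove-Item on the matching Cert: path, from an elevated shell) closes the trust hole, but the VisualDiscovery software that re-installs it must also be uninstalled.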

Out of the 800,000 who bought the laptops that came with VisualDiscovery pre-installed, the 500,000 ones who registered their devices with Lenovo or bought them from retailers such as Best Buy and Amazon will be contacted directly by the Chinese company and informed about the settlement agreement. The rest of the customers who cannot be reached straightaway will be targeted by Lenovo using multiple online advertising platforms, from Google to Twitter and Facebook.

A separate settlement with the FTC in 2017 was criticized for its failure to fine Lenovo -- though it did require the company to get affirmative consent for any future adware programs, plus regular third-party audits of its bundled software for the next 20 years.

5 of 79 comments

  1. $7.3 million divided by 800,000 customers by psychic_bacon · · Score: 2

    7.3 million divided by 800,000 customers doesn't leave much room for attorneys' fees, right?

    1. Re:$7.3 million divided by 800,000 customers by bobstreo · · Score: 2

      7.3 million divided by 800,000 customers doesn't leave much room for attorneys' fees, right?

      LOL, as if anyone but the lawyers get any of the money. It will cost more to track down and notify each impacted customer than anyone will ever receive.

    2. Re:$7.3 million divided by 800,000 customers by SirAstral · · Score: 2

      Yes, we all got the message.

      It's okay to screw people over if you are willing to pay the price. Governments think of these things in the terms of compensation.

      It would be better if the citizens thought of these things in the terms... we no longer buy from companies that are caught doing this so they go out of business and other businesses are not likely to try this crap or risk losing their customers.

      So if it's about sending a message... we sure sent the wrong one!

  2. A whole $7m? by schitso · · Score: 3, Insightful

    Surely this devastating blow to their financial security will serve as a deterrent for other companies... right? What's that? Their gross profit over the last 10 years has averaged in the hundreds of millions, and this fine serves no other purpose than to demonstrate that it's a more fiscally-viable option to fuck over your customer and then pay the fine later? Color me shocked...

    1. Re:A whole $7m? by Solandri · · Score: 2

      That was my initial reaction. But a little research turned up that Lenovo only made about $250k from Superfish. So the condition that the fine greatly exceeds the profit has been met. Though I would've added a stipulation that in addition to the fine, they have to reimburse users for any expenses they incurred due to security breaches caused by Superfish-related vulnerabilities.