Lenovo Gets Smacked By FTC Over Adware


I've spoken before about how bloatware still "infects" computers. The Federal Trade Commission (FTC) in the US just handed Lenovo a significant smackdown over adware they pre-installed on PCs that made systems vulnerable.

The FTC charged that from August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery that interfered with how a user’s browser interacted with websites and created serious security vulnerabilities.

Part of the sneakiness of VisualDiscovery, which is developed by Superfish, is that when you closed the application, you "consented" to installing adware that inserted pop-up ads when you visited websites. The software did this by "listening in" on your activity. That included confidential information like usernames and passwords, social security numbers, and other PII.

Lenovo's penalty for this - a US$3.5M fine which is probably pocket change given their CEO is on a touch over $19M per year.

In addition to the fine, which I think is little more than a slap on the wrist with a limp celery stick, the company has to implement a comprehensive software security program for most consumer software preloaded on its laptops for the next 20 years. The security program will be subject to third-party audits.

All of this was decided through a negotiated settlement - Lenovo disagrees with the allegations made by the FTC and the 32 US states that brought the complaint.


Comments

    Lenovo make some pretty decent machines but I would never run with the base image any manufacturer ships their machines with.

    Presumably it's this decision that prompted Lenovo's offering of Windows Signature Edition laptops. Mine came with no bloatware. Or any software from Lenovo at all.

    Which is good in one way. Not so much in another as some hardware components require proprietary drivers which Windows Update doesn't automatically install.

    This is easily enough fixed by downloading the correct driver packages from Lenovo's support site. But typing 'lenovo drivers' into any search engine yields results which look official but aren't. This presents a potential vulnerability with end-users inadvertently downloading malware.

    Quite why the pendulum needs to swing to the extremes of arc is beyond me. Surely it's not too hard to supply a new PC with drivers preloaded but no additional applications. Rather than a passive-aggressive all-or-nothing approach.
