Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTC

Lenovo on Tuesday settled charges that it compromised the security of its computers to fling ads onto desktops from August 2014 through early 2015. The settlement with America's trade watchdog the FTC, plus 32 State Attorneys General, acknowledges no wrongdoing and imposes no financial penalty – other than a paltry $3.5m to …

  1. Anonymous Coward

    'Remember when Lenovo sold PCs with Superfish adware?'

    I sure haven't forgotten... It's reminiscent of LG / Samsung Smart TV --- Surveillance-marketed-as-revolutionary-tech... Haven't forgotten when Dell did a Superfish 2.0 too... But that doesn't help much when buying a new PC as the big players are super-glued to Microsoft... Why is the only OS a product that slurps like Facebook / Google... Sure Dell sells Linux, but it's not available in my area, no matter what the Dell website claims...

    1. Teiwaz

      Re: 'Remember when Lenovo sold PCs with Superfish adware?'

      "PC as the big players are super-glued to Microsoft."

      Obvious answer: stop buying from the 'big players'. Yes, you may pay a tiny bit more by using smaller manufacturers and resellers.

      But would you do business with a rich guy who treated you like dirt or a smaller firm who actually valued your custom?

      ...mutter mutter, 'and people moan about the 1% having all the money, when they happily hand it to them for a small amount off the price...

      1. Anonymous Coward

        "Obvious answer stop buying from the 'big players'"

        Obvious in UK, US / EU etc. But that excludes most of the rest of the world.. Smaller players go out of business often. At other times they rise from the ashes like a phoenix under a new name, refusing to honor former warranties. In short, most of the time it's necessary to buy from big chains to avoid getting scammed and to ensure ongoing service / guarantees... Speaking about Central and South America here, but this applies to many parts of Asia as well imho...

  2. Anonymous Coward

    On de fence

    "In her own statement, FTC Acting Chairman Maureen K. Ohlhausen dismissed McSweeney's concerns, noting that while Lenovo failed to disclose that VisualDiscovery would intercept web traffic, it did disclose that the software would inject ads and that consumers expect ad software to affect their browsing and be intrusive."

    This Maureen K. Ohlhausen seems to have been in trade-related law forever and must know quite a lot about it. So why is she talking smack about what Lenovo did? Too much at stake, maybe?

    1. Halfmad

      Re: On de fence

      From a typical user's perspective they are very different statements, even if you change them to be as soft as possible most users would react with horror at the second one.

      Will occasionally show adverts

      Will occasionally show adverts based on the sh!t you've been up to bra!

  3. bombastic bob Silver badge
    Mushroom

    Remember when Micro-shaft shipped adware with Win-10-nic?

    has anybody bothered to take THIS one on at a gummint regulatory level?

  4. Anonymous Coward

    American Crime Story

    Very convenient! - It's not a crime when you're a global corporate... I don't buy PCs anymore or any tech from the big names... Not as long as they continue to sleep with Microsoft, and only offer Slurp-10. Talk about free market, not!!

    1. Anonymous Coward

      Re: Talk about free market, not!!

      This is exactly what happens in a free market. What's your point?

  5. Doctor Syntax Silver badge

    "Lenovo said while it disagrees with the allegations"

    On what basis? Are they saying they didn't do it at all or that they weren't wrong to do it? I'm not sure which is worse but maybe the latter. Neither interpretation says anything good about them. It would have been far more reassuring if they'd admitted it was wrong. As things stand it labels them as not to be trusted.

    1. Anonymous Coward

      @Doctor Syntax

      I presume they disagreed on it being unreasonable for a hardware vendor to slurp, clearly it is okay for Google, Apple and Microsoft etc so why not them?

      1. Anonymous Coward

        Re: @Doctor Syntax

        Google, Apple and Microsoft are not in the habit of arranging hidden man-in-the-middle way stations for inspecting all your encrypted surfing traffic (are they...?).

        In fact why should they? Great gobs of personal stuff is already being obtained (by them) via arguably legal methods already, having to do with their web services. Lenovo wasn't just collecting data, either. They were injecting ads and stuff onto sites belonging to others, without consent or knowledge. That's Content Hijacking, very naughty.

        1. imanidiot Silver badge

          Re: @Doctor Syntax

          "Google, Apple and Microsoft are not in the habit of arranging hidden man-in-the-middle way stations for inspecting all your encrypted surfing traffic (are they...?)."

          With Microsoft I'm not so sure (Given how much of a spying mess Windows 10 already is). Apple probably has enough sense not to. Google might be evil enough but doesn't need MitM attacks. People give it all the data it needs anyway.

  6. GBE

    I like Lenovo hardware

    I like Lenovo hardware, and will probably be replacing my somewhat old T500 with another Lenovo soon. However, they've always shipped with spyware, still do, and probably always will. The fact that it's brand X spyware or brand Y spyware or brand MSFT spyware is a minor detail that's irrelevant to me... I just wipe the disk and install Linux the way I have on every computer I've bought since 1992. [Like you didn't see that coming...]

    1. Anonymous Coward

      'I just wipe the disk and install Linux'

      That's no answer... How many people, family / friends / colleagues know how to do that...???

      1. GBE

        Re: I would have thought ...

        "That's no answer..."

        I wasn't attempting to "answer" something.

        I was just commenting that I like the hardware but not the software that Lenovo ships, and that I buy it only for the hardware: the build quality is good, and it tends to be well supported by Linux drivers. I've also found the documentation to be well done, and parts/accessory availability is good.

        If you care about (and don't like) the software that's being shipped on Lenovo products, then you should definitely not buy Lenovo products. Of course, if enough people stop buying Lenovo products because of the skeevy software, then Lenovo will stop selling those products, and then I'm out of luck when shopping for "just hardware".

      2. Neil Barnes Silver badge
        Linux

        Re: 'I just wipe the disk and install Linux'

        Many do; most don't see the need. Their choice.

        Personally, the first bit of research I do on a new laptop is 'how easy is it to install Linux?'.

        1. Hans 1

          Re: 'I just wipe the disk and install Linux'

          Stop feeding Slurp!

    2. Roland6 Silver badge

      Re: I like Lenovo hardware

      Handled correctly, the FTC have given Lenovo a marketing edge!

      "Furthermore, for the next 20 years, it requires the company to maintain a third-party audited risk assessment program for software on its computers."

      To comply with this Lenovo's risk assessment program must satisfy the FTC, naturally they will be the first to operate such a program. So turn it into a differentiator!

      Aside: I also like the Thinkpad hardware, not so sure about their consumer stuff...

      1. Doctor Syntax Silver badge

        Re: I like Lenovo hardware

        "To comply with this Lenovo's risk assessment program must satisfy the FTC, naturally they will be the first to operate such a program."

        The auditor would be well advised to take into account the attitude that appears to underlie their comment about disagreeing with the allegations.

  7. hellwig

    What?

    "In short, although VisualDiscovery's ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use," she said.

    What does that mean? VisualDiscovery's purpose was to inject ads, and that's what it did? You would think the question should be "what right did Lenovo have to install this software and profit from injected ads in the first place?" What about the operator of the website? Surely they care that the user experience was altered!

    There's a difference between providing a service (the TV providers and networks inject ads into the stream they provide you) and providing a product (the physical TV you use to watch the stream). Lenovo crossed a big philosophical line by providing a product (computer) that interfered with the service (internet "stream").

    I don't think major networks would be too happy if Samsung TVs started injecting Samsung-paid ads over their own shows. Imagine watching the SuperBowl, and seeing an ad they didn't pay $4-million to air? The user might not care, but the network surely would.

  8. YARR
    Windows

    Not just Lenovo's fault

    I bought one of the affected PCs. Fortunately they issued a BIOS update to remove the "feature", but I doubt the majority of users are savvy enough to update their BIOS.

    However, it takes two to tango. For this feature to work requires the OS to co-operate with the BIOS, to auto download and install the software that the BIOS points at. Needless to say only Windows supports this "feature" and it couldn't have happened without Microsoft's endorsement.

    Are there any PC hardware companies on the user's side?

    1. Teiwaz
      Mushroom

      Re: Not just Lenovo's fault

      "Are there any PC hardware companies on the user's side?"

      phff, obviously not, unless 'user' is a code word/alternate for 'hander' and they're just waiting long enough for the virai to be able to infect human wetware through a digital interface, ready for millions to be programmed to take out targets is the coming apocalypse.

      Run Gnu/Hurd...'cause 'Linux is probably too well-known to be safe anymore.

    2. Jordan Davenport

      Re: Not just Lenovo's fault

      "For this feature to work requires the OS to co-operate with the BIOS, to auto download and install the software that the BIOS points at. Needless to say only Windows supports this "feature" and it couldn't have happened without Microsoft's endorsement."

      Microsoft includes that feature ostensibly for automatically installing required platform drivers or other OEM "enhancement" software to a vanilla Microsoft image without requiring an active Internet connection which would not be present if the network drivers aren't present.

      Their rationale is probably that a major hardware vendor would not risk damaging its reputation with unscrupulous behavior. However, that thinking is clearly naive at best or malicious at worst, as clearly anything can be preloaded into the firmware image. As large as Microsoft is, I highly doubt they could really be that naive.

      If that feature is to stay, they should at least prompt the user at OOBE if they want to install the factory software, noting that it could potentially contain security vulnerabilities and is not provided by Microsoft. That said, any time you install drivers from a vendor or use a factory installation image, you're trusting that the vendor has not added anything else aside from the described functionality in the first place. Don't forget the Conexant driver with the debug keylogger that HP installed on its laptops...

      1. LaeMing
        Facepalm

        Re: Not just Lenovo's fault

        "For this feature to work requires the OS to co-operate with the BIOS, to auto download and install the software that the BIOS points at. Needless to say only Windows supports this "feature" and it couldn't have happened without Microsoft's endorsement."

        So after the computer has gone through the so-called 'secure-boot' process, it just installs any old trash it is told to by the manufacturer (or anyone who guessed the manufacturer's password was 'password') anyway?

  9. Terry 6 Silver badge

    Normalisation

    Because Google built a business model on supplying services while targeting adverts and then built that into an operating system that most phone makers supply it has become the de facto accepted normal behaviour in consumer computing at every level even when it's not the companies' primary business model. After all, if it's OK for Google to do this, why shouldn't everyone else put their noses in the trough? (Microsoft gets a well-deserved kicking in these pages often enough, even when it's not even about them - but in fairness they do it because, in the normal Microsoft fashion, they are just copying a lead that others have provided.)

  10. Grimsterise

    'consumers expect ad software to affect their browsing and be intrusive.'

    Yes my customers are always saying that exact phrase to me.

    But in fact for years it's been my policy to wipe the hard drive and clean install any new PC as part of setting up.

    1. Doctor Syntax Silver badge

      "But in fact for years it's been my policy to wipe the hard drive and clean install any new PC as part of setting up."

      IIRC the problem with this was that if you reinstalled Windows the firmware would just reinstall Lenovo's "enhancements".

  11. Anonymous Coward

    Win-10-nic - WHAT DOES THIS MEAN???

    1. BugabooSue

      re: “What does this mean?”

      I realise that your “What does this mean?” Win-10-nic comment was probably a rhetorical dig at certain posters here, but just in case - I think it is a reference to Win10 sinking possibly like the Titanic... :)

      I just wish Win10 would truly sink without trace!

  12. Mystic Megabyte
    Happy

    ebay

    If anyone's interested this Lenovo B590 runs Ubuntu perfectly. I can also boot into Windows but it's only used for updating Sat-nav and similar tasks. Picked up cheap in mint condition from ebay. My only gripe is that the audio out socket is on the front right side and gets in the way of my mouse. As for the article, someone at Lenovo must have taken a large bribe to do something that stupid.

  13. The Mighty Biff
    Pint

    No mention of Pete Horne?

    Just thought I'd give the chap that unearthed all of this a mention : Peter Horne came across the Lenovo Superfish infection back in early 2015 and alerted the New York Times (iirc). They ran the story and got the whole mess out into the open. I work with Pete on totally unrelated stuff and he's a top bloke - completely unassuming. Given that he's an Aussie this is even more remarkable.

    So here's a pint for you mate and a link to the NYT :

    https://bits.blogs.nytimes.com/2015/02/19/researcher-discovers-superfish-spyware-installed-on-lenovo-pcs/

    1. Anonymous Coward

      The really telling part imho:

      "Even though the PC came with McAfee antivirus software, <Peter Horne> installed antivirus software made by Trend Micro. Neither virus scanner picked up any adware on the machine."...The problem is: what can we trust?"

  14. David Nash Silver badge

    Missing the point?

    It looks like they have said, pah, users expect ads nowadays, it's fine.

    And missed the far bigger point of intercepting traffic using a man-in-the-middle, with a self-signed cert,

    and also as someone above pointed out, interfering with the original publisher's content.

    The problem wasn't "oh noes, ads!" It was "Where TF did those ads come from?"

  15. Aodhhan

    Liberal courts

    This isn't uncommon for liberal courts to provide light sentences and penalties for acts like this.

    There is a reason Microsoft and other tech giants headquarter themselves in states within the 9th district court's jurisdiction, and then manufacture, develop, etc. in separate states where wages and other costs are lower.

  16. JCitizen
    Coffee/keyboard

    Not excusing bad behavior but..

    I remember when DELL computers came with something just as bad and maybe worse. Every time I got a Dell client the first thing I'd do is scan for it and remove it. I don't remember the name of the offending software, but they got away with it for over 5 years before the uproar finally got loud enough, and they started losing market share. I'd wager all the big players were guilty of the same or similar at least once.

  17. gannett

    Dell still stuffing products

    Dell still stuffing products : Got an Inspiron alongside a corporate server. Stuffed with McAfee not a choice, no questions. Just "boom" there it was a multi headed interfering bloatware.
