SuperFish cram scandal: Lenovo must now ask nicely before stuffing new PCs with crapware
In America, at least
The US government's trade watchdog, the FTC, has finalized its settlement deal with Lenovo on charges the PC builder sold Americans machines crammed with intrusive adware.
The Federal Trade Commission kicked off 2018 announcing it has approved a deal that will end lawsuits against Lenovo in more than three dozen US states – as well as require the biz to cough up $3.5m and agree to various terms.
These conditions include opening itself up to auditing for the next 10 years, getting people's express permission before bundling any software, and giving folks information on how to remove or disable any shipped crapware.
Here's the crucial passage in the settlement:
IT IS FURTHER ORDERED that, commencing no later than 120 days after the date of service of this Order, [Lenovo], its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, shall not preinstall or cause to be preinstalled any covered software unless [Lenovo], or the software provider:
A. will obtain the consumer’s affirmative express consent;
B. provides instructions for how the consumer may revoke consent to the covered software’s operation, which can include uninstalling the covered software; and
C. provides a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations, which can include uninstalling the covered software.
Going back to 2014, the Chinese computer goliath was found to have been bundling new Windows PCs it sold in the US with an application called VisualDiscovery that was presented as a "search assistant" tool to help users find similar products to those shown in images.
In reality, VisualDiscovery was just a modified version of SuperFish, a piece of adware that injected targeted marketing links into webpages whenever the user hovered over an image. In addition to being annoying and invasive, researchers found that SuperFish's use of self-signed certificates also introduced security holes to machines it was installed on.
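The dangerous pattern behind that last point is a vendor-installed root certificate sitting in the Windows trusted root store, particularly one whose private key is also present on the machine, since software holding that key can mint a certificate for any site the browser will accept. The following is an added example, not code from the article, Lenovo or the FTC order; it assumes an elevated PowerShell session on the Windows machine being audited and only reports, never removes.

```powershell
# Added example (not from the article): audit the Windows trusted root stores for
# roots that did not arrive with Windows and flag any whose private key is present
# locally, which is the condition that lets installed software impersonate sites.
# Assumes an elevated session so Cert:\LocalMachine is readable.
function Get-SuspiciousRootCerts {
    param(
        # LocalMachine\Root is where preinstalled software normally lands its CA;
        # CurrentUser\Root catches per-user installs.
        [string[]] $StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            # Every root is self-signed (Subject equals Issuer); a root that also
            # carries a private key is the real red flag, so rank it highest.
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $severity = if ($cert.HasPrivateKey) { 'HIGH: private key present' }
                        elseif (-not $selfSigned) { 'INFO: non-self-signed entry in root store' }
                        else { 'REVIEW' }
            [pscustomobject]@{
                Store      = $path
                Severity   = $severity
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                # Path an analyst would pass to Remove-Item after confirming the finding.
                CertPath   = Join-Path $path $cert.Thumbprint
            }
        }
    }
}

# Show the highest-severity findings first so a shipped CA with a local key stands out.
Get-SuspiciousRootCerts |
    Sort-Object @{ Expression = { $_.Severity -like 'HIGH*' }; Descending = $true }, Subject |
    Format-Table Store, Severity, Subject, Thumbprint, NotAfter -AutoSize
```

Windows-supplied roots show up as REVIEW entries; compare anything unfamiliar against the vendor's published root list before deciding it belongs there.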
After being publicly roasted for the move in early 2015, Lenovo backtracked and pulled VisualDiscovery from its software bundles on new PCs. At that point, more than 40 models of notebook and laptop going back to 2014 were already being sold with the adware included.
The FTC soon took note, and along with the attorneys general of 32 US states, it filed a complaint against Lenovo alleging violations of the FTC Act's provisions on unfair or deceptive practices.
So, to summarize: today's approval by the commission's ruling panel finalizes the settlement Lenovo and the FTC agreed on last summer. That deal calls for Lenovo to pay a meager $3.5m to be divided between the 32 states and, more importantly, imposes a new set of security and compliance requirements Lenovo will have to follow if it wants to flog gear in America and avoid further penalties.
Lenovo must hire and retain an outside security company tasked with auditing its software bundles to make sure no invasive or potentially vulnerable applications are included with new PCs.
The tech giant will also be forced to maintain a 10-year compliance program that will provide regular reports and audits of its activities to the FTC. Lenovo must also obtain direct permission from people before including factory-installed software on new PCs. ®