Superfish: Lenovo? More like Lolnono – until they get real on privacy

Rebuilding trust with Trevor, lesson 1: Be open


Sysadmin blog Everyone and their dog has an opinion on the Superfish debacle which has struck once mighty Lolnovo Lenovo a potentially critical public relations blow. The Register's own Ian Thomson had little nice to say on the subject, and both social media and anecdotal experience indicate to me that his feelings are reasonably widespread.

My own reaction to Lenovo's screwup was visceral and immediate. How dare they install this sort of spying crap on my computer? Just who the hell do these people think they are?

"They" being the outraged popular "they", and meaning the body corporate, every single employee, the ephemeral spirit of decision making and who knows what else. I'm angry, damn it, and my rage needn't have a specific target to be the focus!

While all of that is understandable – even necessary, sadly, to force change in many cases – it's not overly productive in identifying the real issues that led to this event and ensuring they don't happen again. So let's put the emotion to one side for a moment and have a rational discussion about the Lenonope event.

Who is responsible

At the end of the day, responsibility for this travesty rests on the shoulders of the CTO, the CEO who employs him and the board for keeping the CEO around. But were any of these people party to the decision process that led to Superfish being installed on consumer notebooks? We may all have opinions on that, but nobody except those within Lenovo has the facts.

If my experience with technology companies is instructive in any way, the chances are actually pretty good that this sort of decision was taken by a mid-level management body and signed off on by a low-level executive. I am willing to guess that some business development (bizdev) wonk was conned into listening to a sales pitch, and he bought the charismatic PowerPoint presentation hook, line and sinker. Lenovo would get a chunk of change for each notebook shipped out the door and as such could keep the cost of the notebook down those few precious dollars. I'm sure that the Superfish company muttered something vague about "ensuring privacy" and talked about how safe it was, and handshakes were had all 'round.

There is no need for malice to be involved. There isn't even a need for greed to be involved. I'll get to that later. All that is required for something like Superfish to occur is for someone who has risen to the top of their Peter principle ladder to be in a meeting that's out of their depth, making decisions about complicated technical products with no technical oversight.

One decision based on trusting a charismatic sales guy and an entire company can unravel.

Greed needn't be a factor

I'm the first person to lambaste corporate greed. My history as a writer and a commenter on The Register will more than attest to that. And yet I can honestly see Superfish having occurred without greed even really being a factor.

The consumer notebook market is one of negative margins. Like it or not, everyone is selling the hardware below cost and making up for it by loading the things up with crapware. Tablets are creating massive pressure from below and consumers are demanding more and more capability whilst being unwilling to even pay for the cost of manufacture.

The notebook market is oversupplied. There are too many vendors and one of them has to fold. Those who survive will survive through sheer market share, and that means that corporate survival is absolutely predicated on driving costs down as low as they will go and slurping up as much market share as possible.

Let's not split hairs here; Lenovo drives their costs down better than anyone else. They cram a lot of stuff into their notebooks and have become the market leader because of it. If we are so angry at Lenovo it is at least in part because we all felt they were "the best". That "best" was because they gave us what we wanted at lower prices than their competition.

Lower prices they achieved by filling their notebooks with the very crapware we despise them for. That's a bit of a catch-22 right there.

This is bigger than Lenovo

The other thing we, as the mewling public, don't want to admit is that this is about more than Lenovo. Lenovo are the lightning rod for our anger, angst and collective feelings of impotence around the loss of our privacy. The technology industry as a whole is doing its very best to strip us of our privacy in order to "monetize" us. Our governments are doing the same, but they have lawyers, guns and soulless torturers with waterboards and zero qualms about using them.

The world is changing, and change is iterating faster than we can keep up. We feel out of control, besieged on all sides, and we fear what the future may bring. The future that is inseparable from technology, and the companies that make it.

Lenovo screwed up. They screwed up big time. And as such they have opened themselves to some righteous fury and vengeance! They are the catalyst for our hate and our need to lash out and strike back. They can never be forgiven, nor this incident forgotten, because we, the people, need to make an example.

This is just like the Sony rootkit, we claim! While it's possible that this goes that deep, I really doubt it. Sony knew damned well what they were doing and did it anyways. Sony's rootkit was about removing the presumption of innocence from everyone who purchased their CDs. Sony's rootkit was about making us all out to be criminals and needing to bind our collective hands because Sony's right to eternal copyright was more important than our rights and freedoms as individuals.

My understanding of the Superfish thing – and someone please do correct me if I'm wrong – is that Lenovo doesn't get a copy of everything you're searching and viewing. They can't sell it off to a government or ad agency. Superfish (the company) might have that info, but not Lenovo. (And there are no nice things that can be said about Superfish, full stop.) Lenovo were in this for a few quid.

They weren't demonizing their own customers. They weren't making a choice to remove our "right to privacy" because – and let's be honest about this – they probably didn't think much about the implications of it one way or another.

But the comparisons will be made. Lenovo not only did the deed, their reactions to the aftermath were abhorrent. Their CTO "didn't want to argue with security professionals" but proceeded to publicly mock and ignore everything they had said repeatedly. Spokespeople left and right claimed Lenovo had done no wrong, but they'd try to fix it anyways. If only they could figure out how.

Rebuilding trust

Lenovo seem unable to understand the scope of the pile of shit they find themselves under. This is because they still believe that reactions to this event will be proportionate to the offence they've committed. It won't be. They're the lightning rod, and there's a whole lot of angry energy out there.

If Lenovo want to rebuild trust they have to do a few things they may be unable to do, given their corporate culture.

The first and most critical thing they need to do is humble themselves. Publicly and repeatedly. We, the people, are angry, damn it, and we want a validation of our emotions. Someone has to pay for the evaporation of our rights, and it might as well be Lenovo, so why aren't they properly humble in the face of our wrath?

Secondly, Lenovo need to understand that we will never trust them. They're a corporate megalith and are so disconnected from our experience we don't even know where to begin trusting them. Trust, once lost here, is almost impossible to regain. So Lenovo need to accept this and move on.

Hire outside, independent experts to review all security procedures. Do regular audits. Make sure the money to hire these folks for the next 10 years is posted into an escrow account and that the experts are chosen by an independent panel. This means Lenovo can't be accused of withholding funds from auditors who return unpleasant results.

Make all decisions about computer configurations (notebook, mobile and server alike) subject to final approval by an in-house security team. Nothing goes out the door without security and privacy being reviewed. No matter what the bizdev people say.

Lenovo needs to talk to people. Regular customers, hobbyists, the media, governments, the EFF, Microsoft... everyone. Become a champion of finding an acceptable balance between privacy, security, advertising and so forth. Participate in the industry, drive the debate, and try hard to bring different sides to the table.

The best way to rebuild trust is to show that you learned from the event and are going to keep abreast of the topic from here on out. Getting in the middle of things by sponsoring conferences, hosting symposiums and hiring experts can help now that Lenovo views privacy and security concerns as serious issues.

Everyone has an angle; but Lenovo doesn't have to. They're a hardware company. They could grow to become a calming, natural influence that helps mediate the complex disputes.

First, they need to solve the existing crisis. "Mea culpa" needs to be said many times. Bring in the auditors. Change up how security is done internally. Become more transparent. Say "mea culpa" a lot more.

Real change has to happen. Slowly but surely, Lenovo can win us back. But the window to begin is rapidly closing. Their reaction to Lenonope has been wrong, wrong, wrong... and if they don't pull the nose up before they hit the ground they may never recover.

All of this is about more than just Lenovo's deeds, misdeeds, actions or inaction. It is about an angry populace struggling to define their relationship with corporations and even their own governments in a rapidly changing world that none of us really understand.

All of that angst is heaped upon Lenovo. They are a convenient and easy-to-hate target. If Lenovo can't – or won't – understand that, they're doomed.

The next few weeks may well tell the tale of their company's relevance as an IT provider for the next two decades.

No pressure, Lolnovo. ®
