Lenovo, Inc has agreed to pay $3.5 million and make changes in how it sells laptops in order to put to rest allegations it sold computers equipped with preloaded software that compromised user information and security.  It entered into a settlement agreement with 32 states and the Federal Trade Commission.The sneaky software, VisualDiscovery by California-based Superfish, was installed in order to deliver pop-up ads.  Superfish inserted the ads into regular websites using root-level certificate powers.  Basically, the software was designed to analyze a user’s screen and web browsing history while looking for potential products.  If the software discovered the user was online shopping or looking over product images, it would overlay related pop-up ads in the browser with the hope that they’d catch the user’s eye and be clicked on, redirecting the individual to a page to make a purchase.  Installation began in August 2014.  VisualDiscovery not only enabled pop-ups, however.  It blocked browsers from warning users about potential viruses.  It could also access sensitive user information, including Social Security numbers.“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” Acting FTC Chairman Maureen Ohlhausen said, adding, “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

Image Courtesy of Lewis Ngugi

“No consumer should have to worry that a software glitch will make them vulnerable to hackers,” said New York Attorney General Eric Schneiderman.  “This settlement will reform Lenovo’s policies and procedures to prevent this breakdown from occurring in the future.”  New York is expected to receive $154,544 in funds from the settlement.Lenovo has insisted it stopped preloading VisualDiscovery in 2015 and says that the software did not collect and distribute sensitive user information.  “While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company stated, adding, “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications.”  Lenovo will now be required to ask permission of users before installing similar software.Lenovo was also the subject of a class action lawsuit recently alleging the company engaged in a deceptive pricing scheme by portraying fictitious “eCoupon” or “Instant Saving” options for purchasing products from its website.  Lenovo denied any wrongdoing but agreed to settle the case.  Consumers who purchased products from Lenovo’s site other than its “ThinkPad” brand between December 1, 2014, and December 31, 2015, were asked to submit a claim by the end of June 2017 to receive $50.In addition to the cash payout, Lenovo has agreed (for a period of five years) to revise related advertisements on its site.  Namely, "no price shall be advertised on its website as a alleged former price of a non-Thinkpad laptop or tablet, unless the former price was the prevailing market price within three months of the publication of the advertisement or unless the date when the alleged former price did prevail is clearly, exactly, accurately, and conspicuously stated in the advertisement."

Sources:

Lenovo settles charges it sold laptops with compromised user securityLenovo settles with the FTC over Superfish adwarePONCE V. LENOVO SETTLEMENT