The FTC said Lenovo didn't properly vet preinstalled third-party software than used insecure methods for delivering pop-up ads and gathered personal information on consumers.
The FTC said Lenovo didn't properly vet preinstalled third-party software than used insecure methods for delivering pop-up ads and gathered personal information on consumers.

Lenovo has settled privacy charges with the Federal Trade Commission and attorney generals in 32 states stemming from man-in-the-middle (MitM) software pre-installed on it consumer laptops.

The VisualDiscovery software created “serious security vulnerabilities” for those laptop users because it served as a MitM between and even encrypted websites, allowing the software program access to consumers' personal information, including Social Security numbers, medical information, financial and payment information and login credentials, the FTC said.

The information transmitted to VisualDiscovery's maker Superfish, Inc. was limited to websites browse and IP user addresses used then to deliver pop-up ads from its retail partners, the company could have accessed much more than that. Additionally, the FTC complaint charged that Superfish employed an insecure method to display pop-ups on encrypted sites replaced those sites' digital certificates with those signed by VisualDiscovery.

The security vulnerabilities prevented consumers' browsers from warning them when a site they visited could have been spoofed or was a malicious site with an invalid certificate and made their sensitive information subject to theft by hackers who only had to crack a pre-installed password to access it. The FTC complaint accused Lenovo of failing to uncover the vulnerabilities because it didn't properly vet and set requirements for third-party software that was preinstalled on its computers.

“Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use,” Acting FTC Chairman Maureen K. Ohlhausen said in a release. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

As part of the settlement, Lenovo agreed not to “make a misrepresentation, in any manner, expressly or by implication, about any feature of the covered software” and to obtain consumer consent before installing the software. Lenovo must also commit to a comprehensive security program for preloaded software that spans the next 20 years and which is to be audited by independent third parties.