
Lenovo Hit With Lawsuit Over Superfish Adware

An anonymous reader writes with news that the fallout from the Superfish fiasco might just be starting for Lenovo. "Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with 'fraudulent' business practices and with making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."
  • good (Score:5, Insightful)

    by Anonymous Coward on Monday February 23, 2015 @02:00PM (#49113677)

    I hope it costs both of them twice what they earned

    • by mwvdlee ( 775178 )

      More likely it'll cost the plaintiff twice what she earns in her lifetime.
      Lenovo is a rich company and the court is in the US; she doesn't stand a chance of winning.

      • by Anonymous Coward

        Class Action. Assuming Miss Bennett isn't a lawyer herself, a firm will take the case. And just like in the NVidia lawsuit, will take 90% of the profit and give Lenovo customers a 5 dollar off coupon for their next purchase.

  • by Anonymous Coward on Monday February 23, 2015 @02:01PM (#49113687)

    The EULA that is part of clicking through to use the PC states Superfish's conditions.

    This lawsuit will be tossed out before it ever hits a court of law, just because EULAs have a legal precedent of being incredibly enforceable.

    • by Anonymous Coward
      Is it really the final word? People just chuck away EULAs without reading them. I'm pretty sure the user was not prompted with a clear question "Would you like Superfish to inject advertisements into your web traffic?"
    • by Anonymous Coward

      The lawsuit alleges fraudulent business practices - i.e., that the plaintiff was lied to. If the EULA contains lies, then reading the EULA would not do any good.

    • by hey! ( 33014 ) on Monday February 23, 2015 @02:17PM (#49113845) Homepage Journal

      The issue isn't whether EULAs are *potentially* enforceable. The question is whether *this* EULA is enforceable.

      In general there is no contract unless there is some kind of exchange of "considerations". Typically the consideration is the privilege of using the copyright holder's software. But, if you can show that users don't want to use this software, and that it is installed for the benefit of a third party, there is no exchange of considerations between the end-user and the copyright holder, and therefore no valid contract.

      • There's also the gross negligence displayed by both Lenovo and Superfish in deploying this software. The fact that Lenovo specifically requested to not intercept HTTPS (documented in a JS comment) demonstrates that they were not as clueless about what Superfish has been doing as they want to let on.

    • by Anonymous Coward

      EULA that says what exactly?

      "You agree by using this computer, that you paid good money for, to be spied upon and to have your computer cracked into and taken control of for possibly illegal activities. Agree? Yes/No".

      Like that you mean? Did it say stuff like that? Did it ask the user to agree to being spied on and having their computer broken into by crackers?

    • by Anonymous Coward

      A EULA does not serve to make illegal things legal. EULAs are not laws.

    • Not necessarily.

      Contracts do not shield parties from criminal liability resulting from recklessness (knowingly, and willingly placing someone at risk) or negligence (unknowingly, but unnecessarily placing someone at risk).

      One might argue that installing a root certificate on customer computers, including the private key on that same computer, and using an easily guessed password to protect that key constitutes negligent behaviour by placing customers at risk of cyber attacks. It may even be argued that such an

  • We've seen how much energy is wasted when customers try to sue to get refunded for the Windows license they don't use on their PC. Why would this turn out better? Yeah, it sucks that they did it but the big difference here is someone caught them doing it.
    • Well, with that attitude nothing will ever get accomplished.
      • Well, with that attitude nothing will ever get accomplished.

        That's not true. I didn't say don't do anything, I just said the lawsuit seems pointless. The payout from the lawsuit could be effectively zero for the consumer. They could find more useful ways to exert pressure on the company than this (and when one considers that Lenovo is Chinese, which severely reduces the likelihood of getting a verdict against them enforced).

        All that the class action suit would do is line the pockets of some opportunistic attorneys (who get paid regardless of the outcome).

        • by tnk1 ( 899206 )

          Is your point to get a million dollars out of them, or is it to discourage them from doing this to you again?

          If you want a million bucks out of them, you could win. Maybe. On February 30th.

          If you want the company to be "corrected" or simply punished, then hit them with the class action suit.

          The victory in the class action suit is that you punished them, and you did, by getting more money out of them than you ever would have alone. The fact that it benefits lawyers is irrelevant. You paid nothing to get

    • by fermion ( 181285 )
      Suppose I sold people a full featured high end computer for $100. Suppose in the EULA I said I would collect data that would be aggregated and sold. Suppose I used technologies such as the web cam and keystroke monitor to collect such data. No data was personally identified to a machine, but I sold the video and emails to interested collectors.

      I assume that this would be like buying a useless windows license, and there would be no point to sue.

      Lenovo did something very very bad. It put users privacy a

  • by GrooveNeedle ( 3847301 ) on Monday February 23, 2015 @02:15PM (#49113817)
    I think we all want Lenovo's feet held to the fire for this one, but what is the right course of action? A class action lawsuit, that benefits few people in the class, but enriches lawyers... Or a criminal prosecution under the Computer Fraud and Abuse Act for aiding malicious actors in installing their malware/spyware?
    • by JoeyRox ( 2711699 ) on Monday February 23, 2015 @03:05PM (#49114263)
      It's a common refrain to say that nobody benefits from class action suits except the lawyers. While that may be true for the class litigants themselves it is entirely untrue for the public at large. The purpose of large punitive rewards is to penalize corporate misbehavior and in turn incentivize good behavior. By that measure we all benefit from these suits.
      • by DRJlaw ( 946416 )

        It's a common refrain to say that nobody benefits from class action suits except the lawyers. While that may be true for the class litigants themselves it is entirely untrue for the public at large.

        It's only true for the class members at large, if at all, because they typically refuse to pay any attention to the class litigation and/or court approval of the settlement. If you think that a settlement is only enriching the class lawyers -- OBJECT TO IT. [arstechnica.com]

        It's a common refrain, yet almost nobody attempts to fil

    • No criminal charges are necessary. A simple revocation of their charter and seizure of assets will have the desired effect. The problem is that business owns the government so basically nothing will happen until the voters wake up.

    • by ShaunC ( 203807 )

      Why not both? It's not like losing a civil complaint would absolve Lenovo of criminal liability. A lawsuit is the only option available to the consumer.

    • by swb ( 14022 ) on Monday February 23, 2015 @03:07PM (#49114277)

      Why not both? AFAIK there is no double-jeopardy protection between civil and criminal cases.

      Sure, the lawyers could get rich on a class action settlement but you never know, the class could get something useful out of this. I don't know what's involved in removing this spyware, but you could potentially argue for something like 4 hours of skilled time per system just to clean it as a rough median (maybe much less for brand new systems, maybe much more for systems that would need to be wiped, re-setup and have apps and data put back on). And that doesn't include any claims for damages resulting from the infection itself, just remediation. Even if Lenovo bargained that down to half, in theory they could be on the hook for $200 per machine.

      • by mwa ( 26272 )

        I'd be happy if the judgement required mandatory inclusion of vanilla OS install media.

        I install Linux but whenever I want to help family I'd love to start from a certified MS DVD.

    • Who cares who benefits financially? By punishing Lenovo's ILLEGAL behavior and driving them from the marketplace, society benefits. If we have to send an army of lawyers as mercs for hire to get them to do what federal prosecutors should be doing, so be it.
      • Who cares who benefits financially? By punishing Lenovo's ILLEGAL behavior and driving them from the marketplace, society benefits. If we have to send an army of lawyers as mercs for hire to get them to do what federal prosecutors should be doing, so be it.

        What? Wait. Grow some perspective.

        Lenovo accepted remuneration in return for installing a program that injects ads and presumably reports statistics. How is that logically different from installing the Google Toolbar on IE? Right. It isn't.

        Oh, but the software is poorly implemented and could allow unexpected access to the users' data. How is that logically different from installing Java, Flash, and Adobe Reader, each of which has repeatedly been found to have massive security vulnerabilities? Right.

  • She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.

    Is she going to sue her ISP for doing the same thing?

    • To be honest, that is poorly worded. As you pointed out, ISPs typically do that, as well as many websites, like Facebook. However, if the suit was phrased in a way that included the act of a MITM attack, I'd like to think it has some teeth.
  • by Anonymous Coward on Monday February 23, 2015 @03:18PM (#49114383)

    I think it should be clear to everyone now. Lenovo is not IBM and it may have managed to retain some of the reputation of the IBM branding that went with its computers. But with one mistake it has managed to wipe that all away with SuperFish. I learned my lesson a couple years ago that Lenovo was not IBM and it would never be anything close. I would not buy another Lenovo PC if they sold them for a dollar. I hope Lenovo pays dearly for this mistake, and I hope other PC makers see this as a lesson to not sell out its customers to some two bit crapware company to earn a few bucks.

  • by ameoba ( 173803 ) on Monday February 23, 2015 @03:29PM (#49114457)

    This is exactly the sort of crap everyone was predicting when IBM sold their PC line to Lenovo.

    The only thing that surprises me is that it took so long.

  • When you go to buy a car, Superfish hires a team of gnomes to destroy the original documents, such as fliers or the title to your car, and replace it with their own documents with their ads included. If they were signed documents, then they forge the signatures as well.

  • by FrodoOfTheShire ( 3459835 ) on Monday February 23, 2015 @04:17PM (#49114605)
    If the Class Action is successful, then other companies could be sued too. Samsung started accidentally inserting ads right into television broadcasts while a show was playing recently. They built their ad serving infrastructure right into the televisions they sold. Samsung and Lenovo are stealing internet bandwidth to show their self serving ads, and without users' knowledge, as well as compromising the security and privacy a user should expect to have.
    I expect Lenovo will get a lot of support from corporations like Samsung in this class action suit because of the ramifications the outcome of the case has for the other corporations.
  • 'Canonical works closely with Lenovo to certify Ubuntu [ubuntu.com] on a range of their hardware.'
  • Tin Foil Hat Time (Score:4, Insightful)

    by TechyImmigrant ( 175943 ) on Monday February 23, 2015 @06:26PM (#49115445) Homepage Journal

    The slideware published on government attempts to undermine SSL web traffic suggests they are supremely interested in trying anything they can.
    Getting a trusted cert with a key they control installed on a large number of laptops is a dream come true.
    So who is actually behind Komodo?

  • by sconeu ( 64226 ) on Monday February 23, 2015 @07:21PM (#49115805) Homepage Journal

    "She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits".

    To me, this was more interesting than all the rest. It has the potential to break the big telcos, cable companies, Google, and anyone else who makes a living by tracking your browsing habits to serve you "targeted advertising".

  • Another aspect of a class action suit is reputational damage. The very fact of bringing a suit is negative publicity. Lenovo has a strong incentive to settle because the longer it is before the case is settled the more negative publicity there will be.

    This is why these kinds of things never go to trial, and why the company always makes sure they never admit guilt. When they settle to "put it behind" themselves, it's like a cat burying its shit. They can pretend that it never happened in the first place.

    As

  • I like ThinkPads, they offer good quality and a clean design and they run well with GNU/Linux. So I'm really okay with Lenovo, but in this case I hope the class action succeeds.
    This is not a mistake or carelessness, which could happen. Just fix it and everybody is glad.
    This is greed. They spied on their own customers to sell advertisements (with the purpose to get even more of your money) and sacrificed (the technical reason doesn't matter) the security of the customers. This is not okay.

    So I hope Leno

  • Can I buy a superfish loaded Lenovo laptop now, then join a lawsuit?
