Lenovo Finally Pays $7.3 M Fine Over Invasive 2014 'Superfish' Adware Pre-Installations

Leonovo will add $7.3 million into a $1M fund settling a class action lawsuit over their undisclosed pre-installation of Superfish's targeting adware on 28 different laptop models in 2014.

Within one year the U.S. Department of Homeland Security had warned that the adware made laptops vulnerable to SSL spoofing, allowing the reading of encrypted web traffic and the redirecting of traffic from official websites to spoofs, while according to Bloomberg the original software itself also "could access customer Social Security numbers, financial data, and sensitive heath information, the court said."

An anonymous reader quotes Softpedia: According to a "SuperFish Vulnerability" advisory published by Lenovo on their support website following the discovery of the pre-installed software by consumers, the VisualDiscovery comparison search engine software was designed to work in the background, intercepting HTTP(S) traffic with the help of a self-signed root certificate that allowed it to decrypt and monitor all traffic, encrypted or not.... "VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015," also states the settlement agreement. "On January 18, 2015, in response to mounting complaints about the effects of VisualDiscovery, Lenovo instructed Superfish to turn it off at the server level...."

Out of the 800,000 who bought the laptops that came with VisualDiscovery pre-installed, the 500,000 ones who registered their devices with Lenovo or bought them from retailers such as Best Buy and Amazon will be contacted directly by the Chinese company and informed about the settlement agreement. The rest of the customers who cannot be reached straightaway will be targeted by Lenovo using multiple online advertising platforms, from Google to Twitter and Facebook.
A separate settlement with the FTC in 2017 was criticized for its failure to fine Lenovo -- though it did require the company to get affirmative consent for any future adware programs, plus regular third-party audits of its bundled software for the next 20 years.

HIgh art

[mermeid007]

I see /. is approaching high art: "The rest of the customers who cannot be reached straightaway will be targeted by Lenovo using multiple online advertising platforms"

What about an admission of guilt and apology?

[Anonymous Coward]

Or are those obsolete in the Trump era?

Re:

[Dogtanian]

If you meant the 7.3 *million* they were actually fined, that would probably be the case, yes.

7.3 billion, on the other hand, would sting quite a bit- even for a company the size of Lenovo...!

Re:

[Anonymous Coward]

You mean like how Aaron Schwartz was facing 35 years for putting laptops in university closets so he could publish public domain works?

https://www.eff.org/deeplinks/2013/03/3-months-or-35-years-understanding-cfaa-sentencing-part-1-why-maximums-matter

Surely abusing millions of customers and doing so in the most irresponsible way possible is worse than that.

Re:

[Anonymous Coward]

In the spirit of petty politics where every failure of a current political factor has to be compared with another:

I don't recall the fraudsters who called themselves bankers apologizing for profiting from tons of bad debt. If I recall they were quite happy to take credit for all the social good they were doing by giving loans to poor minorities who were only dis-included previously because america is racist. Oh but nobody bothered to give said minorities a raise so they all defaulted on those noble loans

Re: a cultural difference

[sound+vision]

The "pro-consumer framework", at least in the US, has been completely run over and disregarded in the digital age. Funnily enough the driving forces behind that are big technology companies and the idea that "money makes it right." Wow, just like China!

But I digress. Let us fixate on how innately terrible the Chinese are. That way we don't have to deal with the difficult task of self-improvement.

$7.3 million divided by 800,000 customers

[psychic_bacon]

7.3 million divided by 800,000 customers doesn't leave much room for attorneys' fees, right?

Re:

[bobstreo]

7.3 million divided by 800,000 customers doesn't leave much room for attorneys' fees, right?

LOL, as if anyone but the lawyers get any of the money. It will cost more to track down and notify each impacted customer than anyone will ever receive.

Re:

[Uberbah]

You could always get off your lazy entitled ass and hire your own damn attorney. Of course, that would also mean you would have to shoulder the cost of the lawsuit and assume all of the risk if you lose. Which doesn't happen with class action lawsuits - still sure you want to shit all over them?

Re:

[mermeid007]

Thank you, Anonymous, if that's your REAL name. What do bungling philosophers know, anyway?

Re:

[SirAstral]

Yes, we all got the message.

It's okay to screw people over if you are willing to pay the price. Governments think of these things in the terms of compensation.

It would be better if the citizens thought of these things in the terms... we no longer buy from companies that are caught doing this so they go out of business and other businesses are not likely try this crap or risk losing their customers.

So if it's about sending a message... we sure sent the wrong one!

Re:

[SirAstral]

That would be because you are intentionally misconstruing what I am saying.

Let me help you out. There are people that harmed themselves, it is only my opinion is that the fine should have been cut in half, though I certainly don't have any problem with Lenovo losing all of that cash either.

My other opinion is that people should stop buying Lenovo entirely so that they go completely out of business as punishment for doing what they did and as a warning to other businesses that do the same.

You see, I care ab

Should be cut in 1/2

[SirAstral]

The fine should be cut in 1/2. I told a few customers one day in Best Buy that Lenovo was installing this trash on systems as well as using the mainboard to store this trash.

They still bought the things. There is a certain point where you can start blaming the so-called "victims" for being stupid.

I no longer feel sorry for anyone that buys lenovo, nintento, Sony, or from any other business that felt that screwing customers over was OKAY and good practice. I wish people understood that boycotts are effe

Re:

[mermeid007]

Most importantly Lenovo stopped everything immediately in this case and gave consumers back their privacy and control. Great that they are paying something. In some cases people literally did lose money for various reasons. Real people.

Re:

[alvinrod]

At a certain point, people are responsible for their own actions and poor choices. It isn't victim blaming if you tell someone that they have cancer because they spent their entire life smoking cigarettes.

Re:

[SirAstral]

Wow... I guess if you are going to blatantly lie, make the lie a whopper.

Read what I posted again.

I said people were told that malware was present yet they still purchased them... when people "knowingly and voluntarily" buys a product they "legally" accepted something called "assumption of risk". This means they LOST their right "legally" to bitch about being spied on!

Re:

[SirAstral]

"You're asserting everyone who bought them was told that. You have yet to prove that. It's obviously not the case."

You have two problems.
#1. You are assuming that I can somehow PROVE that my story is correct in any meaningful way. I am not in the habit of taking video evidence of people not following my advice. So NO I don't have to prove anything, the comment is anecdotal. Do you automatically believe people when they say they were assaulted? It's the same thing... anecdotal unless some evidence suppo

Re:

[SirAstral]

Don't you know the different between, anecdotal, facts, evidence, and opinions? I guess not so let me break this down.

Me saying it should be 1/2 is my opinion.
Me saying that people bought them after me telling them they were loaded with malware was anecdotal.
Me not proving this to you means nothing, and my desire to not make any efforts to prove it are not tantamount to surrender either, it just means me proving anything to YOU is not worth the time or effort. I don't think you would be intellectually ho

Re:

[SirAstral]

Lol, it is shocking how much of a moron you are, but not surprising.

"The fact is Lenovo was fined appropriately" that is a statement of opinion. Prove Lenovo was fine appropriately. But you can't. no one can because what is appropriate is a matter of opinion, it has always been, hell it's not even in dispute and court rulings are often written as such "in the opinion of this court" for example.

"and your efforts to halve that" How does a post on Slashdot constitute 'effort' in this setting? I did not fi

Arguing on the internet

[raymorris]

At some point, this ancient wisdom comes into play:

Arguing on the internet is like the special Olympics. Even if you win ...

He's clearly not listening. Go hug someone or whatever because you're wasting your time here.

Re:

[SirAstral]

The assumption that I am a man huh? I am a man so your assumption is correct. I am definitely willing to admit when I am wrong. Now, tell me specifically what you think I am wrong about, and I will review your claim that tell you.

If I am wrong I will admit it, if I made a mistake that created confusion, I will correct what I meant. If I am not wrong, I will attempt to show you where YOU are mistaken.

Your turn! Show me where I am wrong.

Re:

[Sigma 7]

When it comes to laptops, there's not as much of a choice. If a buyer needs a laptop, it's unlikely that they'll build their own, and thus they have to rely on brand-name equipment.

Around that time, the major brands had pre-installed garbage that slows down computers or otherwise send telemetry. The question is by how much, rather than which ones.

Re:

[SirAstral]

"No, the question is which ones can you definitively prove.."

This is a class action lawsuit, a preponderance of evidence is what is required NOT definitive proof. How many of you morons are going to fill up the internet with your moronic ignorance? You must be one of those Sunday armchair lawyers that believes everything they see on TV and thinks they know far more than they do.

There is literally and internet full of people that DO KNOW that can help you. Go and listen to them and read some things!

Re:

[SirAstral]

I don't have to pass the bar, I provided proof already with a link to an actual lawyer, why do you keep ignoring that? Scared to admit you are wrong?

Re:

[epine]

The fine should be cut in 1/2. I told a few customers one day in Best Buy that Lenovo was installing this trash on systems as well as using the mainboard to store this trash.

Your logic is circular. You think they should have trusted "some guy" spouting an opinion, who turns out to be so rational, he's insisting they should have trusted "some guy" spouting an opinion, years later ...

Moreover, your 15-second anecdotal interaction warrants a 50% revision in how the world turns.

No idea why Joe Random Consumer m

Proprietary software is always unwise.

[jbn-o]

Not dealing in (whether commercially or gratis) proprietary software is always wise. $7,300,000/800,000 people is almost $9.13/person. Nobody who can afford a modern Lenovo computer will find $9.13 very rewarding and Lenovo won't find $7.3M a challenge to pay.

But the structure of proprietary software (being hidden from the user who is legally prohibited from inspecting or editing the software and often prohibited from sharing the software as well) keeps users ignorant of the software they run. Since there's

Re:

[mermeid007]

People are clueless about how to do that. Seriously how many people do you think actually have a clue how to reinstall an OS on a PC.

Re:

[TheRealQuestor]

Capable sure, but most non-computer savvy peeps I know, and I know a lot, don't have a freaking clue on how computers work, let alone know how to or want to learn more them other then click on an icon and go to a program or a website and for many of them even that is pushing their limits. Everyone's brains are wired differently. Some are wired to be good at certain things and others are wired to be shit at nearly everything. So assuming others can do something just because you think they should be able to

how to hack

[Ana Georgia]

Hello Everyone, in return for a great hack service which i received from this professional hack team collinshackworld@gmail.com i promised to refer them to other people, even after being ripped off twice by some of this so called hackers, i currently do not regret giving it a last try!!!! with collinshackworld@gmail.com i received professional job at good cost, swift delivery and also to my specifications, if you ever need a hacker you can trust i would suggest you turn to collinshackworld at gmail..c o m 1

blow out and reinstall

[p51d007]

Usually first thing I do with a laptop, is set it up, then pull and shelf the HDD/SDD until the warranty period ends. I install a blank drive, set it up how I want. Granted, if the bug is embedded in the bios or something, can't really do anything about that, but for the most part, that should clean it out, not to mention getting rid of the bloat.

Re:

[theurge14]

Or you could just not buy it from a company that loads adware.

A whole $7m?

[schitso]

Surely this devastating blow to their financial security will serve as a deterrent for other companies... right? What's that? Their gross profit over the last 10 years has averaged in the hundreds of millions, and this fine serves no other purpose than to demonstrate that it's a more fiscally-viable option to fuck over your customer and then pay the fine later? Color me shocked...

Re:

[Solandri]

That was my initial reaction. But a little research turned up that Lenovo only made about $250k from Superfish [forbes.com]. So the condition that the fine greatly exceeds the profit has been met. Though I would've added a stipulation that in addition to the fine, they have to reimburse users for any expenses they incurred due to security breaches caused by Superfish-related vulnerabilities.

Re:

[Uberbah]

Eh. As for penalizing this specific instance, sure that ration is okay - as far as deterring future similar examples, the fine is still missing a few zeros.