Security experts recently discovered that about 50 different consumer PC models sold by Lenovo since September 2014 were shipped with adware known as Superfish Visual Discovery that could be exploited by hackers to spoof secure websites with fake certificates. The discovery has prompted a number of class action lawsuits alleging violations of state and federal laws.
According to an Alert issued by the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (“US-CERT”), Superfish is designed to monitor all web traffic for advertising purposes. In order to read encrypted communications that use HTTPS (such as bank and email websites), Superfish decrypts the traffic and then re-encrypts it with its own certificate. But since the certificate’s private key is stored locally in the Superfish software, hackers have access to the key and can use it to spoof secure websites. Web browsers will not detect that websites are spoofed because the Superfish certificate is trusted by every computer that has the adware installed.
On February 19, a Lenovo press release announced that it was disabling the backend server for Superfish, and it issued a Security Advisory to assist consumers in removing the adware. Some media outlets are already reporting on surveys that reflect damage to Lenovo’s brand image.
Within hours of the Lenovo press release, the first class action suit was filed in California federal court, accusing Lenovo and Superfish of violating state and federal wiretap laws, trespassing on personal property and violating California’s unfair competition law. See Bennett v. Lenovo (U.S.), Inc., et al., 15-cv-0368-CAB-RBB (S.D. Cal.). Subsequent class action suits filed in California allege violations of the Computer Fraud and Abuse Act, the Stored Communications Act and the Electronic Communications Privacy Act, as well as common law fraud, unjust enrichment and negligent misrepresentation. See Sterling International Consulting Group v. Lenovo (U.S.) Inc. et al., 5:15-cv-00807-RMW (N.D. Cal.); Hunter v. Lenovo (U.S.) Inc. et al., 5:15-cv-00819-NC (N.D. Cal.). A fourth class action has been filed in North Carolina, alleging violations of federal wiretap laws and state unfair and deceptive practice statutes. See Pick v. Lenovo (U.S.) Inc. et al., 5:15-cv-00068-D (E.D.N.C.)
Many questions remain, including what the motivation was for pre-installing Superfish on consumer PCs and whether Lenovo was (or should have been) aware of how the software functioned. It is also unclear if any hackers have, in fact, exploited the software to spoof secure websites. These issues may have a bearing on whether the plaintiffs’ causes of action can be sustained, especially with respect to issues of standing and alleged harm.