The FTC and 32 state attorneys general announced a settlement with Lenovo Inc., one of the largest computer manufacturers, resolving allegations that Lenovo harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers.

The FTC’s complaint alleged that in August 2014 Lenovo began selling consumer laptops that came with preinstalled ad-injecting software known as VisualDiscovery, which was developed by Superfish, Inc. This adware delivered pop-up ads of similar-looking products sold by Superfish’s retail partners whenever a consumer’s cursor hovered over the image of a product on a shopping website. To facilitate its injection of pop-up ads into encrypted https:// websites, Visual Discovery installed a self-signed root certificate in the laptop’s operating system, which caused consumers’ browsers to automatically trust the VisualDiscovery-signed certificates. Digital certificates are part of the Transport Layer Security protocol that, when properly validated, serve as proof that consumers are communicating with the authentic https:// website and not an imposter.

The FTC’s complaint alleges that the substitution of the digital certificates created significant security vulnerabilities. The complaint notes that a security researcher reported to Lenovo that there were problems with VisualDiscovery’s interactions with https:// websites in September 2014. The security risks became widely known in February 2015, when the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security responsible for analyzing and reducing cyber threats and vulnerabilities, issued a public warning about the VisualDiscovery security vulnerabilities. US-CERT recommended that consumers remove VisualDiscovery with a free removal tool offered by Lenovo that would also remove its root certificate because opting out, disabling or uninstalling VisualDiscovery would not address the security vulnerabilities. Lenovo stopped shipping laptops with VisualDiscovery preinstalled in late February 2015, though some laptops were still being sold through June 2015.

The complaint highlights what the FTC considers to be inadequate data security practices in this context:

  • The failure to adopt and implement written data security policies applicable to third-party preinstalled software;
  • The failure to adequately assess the data security risks of third-party software prior to preinstallation;
  • The failure to request or review any information prior to preinstllation about Superfish’s data security policies, procedures, or practices,
  • The failure to require Superfish by contract to adopt and implement reasonable data security measures;
  • The failure to assess VisualDiscovery’s compliance with reasonable data security standards; and
  • The failure to provide adequate data security training for employees responsible for testing third-party software.

The FTC’s complaint includes one deception count and two unfairness counts.

  • The unfairness counts focus on the security vulnerabilities noted above.
  • The deception count focuses on Lenovo’s failure to make adequate disclosures about VisualDiscovery to consumers. The complaint found that a one-time pop-up window with a small opt-out link at the bottom of the pop-up was easy to miss. By clicking on the pop-up’s “x” close button, the consumer was opted into the software.

The FTC’s settlement prohibits Lenovo from making any misrepresentation about any feature of covered software, which includes application software that injects advertisements into a consumer’s internet browsing session or that transmits or causes the transmission of sensitive personal information. In addition, Lenovo is required to obtain a consumer’s affirmative express consent prior to any preinstalled software injecting ads into a consumer’s internet browsing session or transmitting or causing the transmission of the consumer’s personal information to any person other than the consumer. Lenovo must also provide instructions about how to revoke consent, and provide a reasonable and effective means for consumers to opt out, disable or remove all of the covered software’s operations.

In addition, the settlement requires that Lenovo must establish, implement and maintain a comprehensive software security program that is designed to address software security risks in software preinstalled on its personal computers and undergo biennial software security assessments of its mandated software security program by a third party for the next 20 years. Under a separate state agreement, Lenovo agreed to pay 32 state attorneys general $3.5 million in fines.

FTC Commissioner Terrell McSweeny and Acting Chairman Maureen Ohlhausen issued separate statements. Commissioner McSweeny supported the issuance of the complaint and settlement, but is troubled by the practices the FTC failed to challenge. Specifically, she notes in her statement that the complaint describes how the software would inject pop-up ads every time consumers visited a shopping website and disrupt web browsing by reducing download and upload speeds and states that failure to disclose this information is deceptive and thus worthy of agency action.

Acting Chairman Ohlhausen’s statement notes her support of the complaint and consent, but disagrees with Commissioner McSweeny. In her view, Lenovo failed to disclose that VisualDiscovery would act as a man-in-the-middle, but did disclose that the software would introduce advertising into consumers’ web browsing. Therefore, Acting Chairman Ohlhausen stated that, while the disclosures could have been clearer, it was unnecessary to disclose that the advertising software would likely affect the consumer’s browsing experience because ordinary consumers expect advertising software to affect their web browsing experience.

The settlement is out for public comment and the deadline for submitting comments is October 5, 2017.