On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General.
In its complaint, the FTC charged that, beginning in August 2014, Lenovo sold consumer laptops in the United States with a preinstalled “man-in-the-middle” software program known as VisualDiscovery, which was sold by a third-party software company. The software delivered pop-up advertisements from the software company’s retail partners whenever a user placed the laptop’s cursor over a similar product on a website. The FTC charged that the software was able to access consumers’ sensitive personal information transmitted online, including login credentials, Social Security numbers, medical information and financial and payment card information, in order to deliver the targeted advertisements. Further, the FTC charged that, to facilitate the display of pop-up advertisements on encrypted websites, the software “used an insecure method to replace digital certificates for those websites with its own VisualDiscovery-signed certificates,” but failed to authenticate the validity of websites’ digital certificates before replacing them. This prevented consumers’ Internet browsers from warning them when they visited potentially spoofed or malicious websites. According to the FTC, Lenovo sold laptops with the VisualDiscovery software without discovering the security vulnerabilities “because it failed to assess and address security risks created by” VisualDiscovery.
The Settlement prohibits Lenovo from future misrepresentations of preloaded software on its laptops that will inject advertising or transmit sensitive consumer information to third parties. In addition, the Settlement requires Lenovo to obtain consumers’ affirmative consent before preloading this type of software onto laptops. Lenovo also must implement a comprehensive software security program for most preloaded consumer software and be subject to third-party audits for 20 years. The Settlement will be subject to public comment until October 5, 2017, after which the FTC will determine whether to finalize it.