Lenovo settlement occasions interesting debate

Gift Horse

Personal computing titan Lenovo ran afoul of the Federal Trade Commission (FTC) when it was hit with a complaint regarding ad-injecting software developed by Superfish Inc. that Lenovo pre-installed on a number of laptop models between 2014 and 2015.

The FTC alleged that when a laptop user hovered the mouse cursor over a product image while shopping online, the software, called VisualDiscovery, displayed pop-up ads regarding similar products sold by Superfish’s marketing partners. The FTC also alleged that the software served as a local proxy that stood between the consumer’s browser and all internet websites that the consumer visited, including encrypted websites. According to the FTC, this allowed VisualDiscovery to see consumers’ sensitive personal information, including login credentials, Social Security numbers, financial accounts and medical information. While only a subset of this information was transmitted to Superfish, the company had the ability to collect more information.

In addition to the above issues, the FTC complaint alleged that VisualDiscovery software employed a number of other practices that exposed consumers to security vulnerabilities, including replacing websites’ digital certificates with VisualDiscovery-signed certificates without verifying that the websites’ own digital certificates were valid, and using easy-to-crack passwords on all affected laptops.

The FTC alleged that Lenovo failed to disclose the true nature of VisualDiscovery, which ran invisibly as a background process, without adequately requiring the user to affirmatively activate the software.

You Shall Not Pass!

The Commission hit Lenovo with three counts under the Federal Trade Commission Act: first, a deceptive failure to disclose that VisualDiscovery was enabled on the laptop and that it would present ads and serve as a proxy “middle man”; second, unfair pre-installation based on the pre-installation of VisualDiscovery that, without adequate notice or informed consent, acted as a man-in-the-middle; and third, unfair security practices based on Lenovo’s failure to take reasonable measures to address security risks from this software.

Lenovo settled the case with the FTC in early September 2017. The settlement prohibits the company from misrepresenting the features of preloaded pop-up ad software on new laptops. Lenovo is also required to clearly and conspicuously disclose the software’s frequency of advertisements and data collection practices, and affirmatively secure express consent prior to initial operation. The settlement also required a software security program to address software security risks related to new and existing application software.

The Takeaway

There was a notable ending to the case, which involved a public disagreement between FTC Acting Chairman Maureen Ohlhausen and FTC Commissioner Terrell McSweeny.

Both commissioners supported the complaint and the settlement, but they issued conflicting statements regarding Lenovo’s deceptive omission practices. Commissioner McSweeny asserted that Lenovo’s unlawful conduct went beyond what was alleged in the complaint. She stated that the failure to disclose that pre-installed software would serve pop-up ads while consumers shopped online and that such software would reduce download and upload speeds, in and of itself, was deceptive.

Acting Chairman Ohlhausen countered, stating that the lack of disclosure that Lenovo’s computers contained pre-installed software that would serve pop-up ads during web browsing and would slow web browsing did not in and of itself constitute a deceptive omission. The acting chairman also noted that ad software like VisualDiscovery is understood by consumers to serve up or insert advertising. While she agreed with Commissioner McSweeny on the existing first count – that the “middle man” proxy function was a deceptive practice – she did not think that the ads themselves made “VisualDiscovery unfit for its intended use.” “Therefore,” she continued, “I do not find Lenovo’s silence about those features to be a deceptive omission.”

Based on the commissioners’ disagreement over what practices could be considered deceptive, businesses should exercise caution when implementing data collection and advertising practices without consumers’ consent.