Man in the Middle
On Jan. 2, 2018, the Federal Trade Commission (FTC or Commission) finalized its settlement with Lenovo Inc. regarding charges that the computer giant engaged in some risky business with its customers’ information.
The original complaint, which was filed back in September 2017, alleged that Lenovo’s VisualDiscovery software, which was preinstalled on some of the company’s laptop models between 2014 and 2015, set itself up as a local proxy on each machine. When a laptop user browsed the internet, VisualDiscovery would sit in the middle, routing and observing IP traffic flowing between the laptop and the sites the user visited. The software could monitor any piece of sensitive data.
Ostensibly, VisualDiscovery monitored user traffic to serve pop-up ads related to the user’s current browsing decisions, which might have been enough to raise certain users’ hackles. However, in order to allow the pop-up ads to work over encrypted connections, VisualDiscovery triggered third-party software that replaced the security certificate of visited encrypted sites with its own unencrypted certificate. Users might have thought they were communicating over an encrypted connection, but their information was hardly secure.
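A client-side check of the kind that would have surfaced the substitution described above, added here as an illustration and not part of the original article or of any Lenovo software: the certificate dicts mirror the shape Python's ssl.SSLSocket.getpeercert() returns, and both samples (the site name, the public CA name and the "Local Proxy Root" issuer) are constructed for this example.

```python
def _rdn_to_dict(rdn_seq):
    """Flatten getpeercert()-style ((('commonName', 'x'),), ...) into a dict."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def _san_matches(cert, hostname):
    """True if hostname is listed (exactly, or via one wildcard label) in the SAN."""
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if name == hostname:
            return True
        # "*.example.test" covers exactly one label to the left of the dot
        if name.startswith("*.") and hostname.split(".", 1)[1:] == [name[2:]]:
            return True
    return False


def check_peer_cert(cert, hostname, pinned_issuer_cn):
    """Return findings for a leaf certificate; an empty list means it matches what we pinned.

    A local interception proxy re-signs every site's certificate with its own root,
    so the issuer no longer matches the CA the client expects for that host.
    """
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    findings = []
    if not _san_matches(cert, hostname):
        findings.append("hostname not covered by subjectAltName")
    if issuer.get("commonName") != pinned_issuer_cn:
        findings.append("issuer CN %r differs from pinned %r"
                        % (issuer.get("commonName"), pinned_issuer_cn))
    if subject == issuer:
        findings.append("leaf is self-signed (issuer == subject)")
    return findings


# Constructed sample: what a genuine leaf for the site looks like to the client.
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}

# Constructed sample: the same site as presented by a proxy that re-signed it locally.
PROXIED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Local Proxy Root (constructed)"),),),
    "subjectAltName": (("DNS", "bank.example"),),
}
```

In a real client the dict would come from `ssl_sock.getpeercert()` after the handshake, and a non-empty result is the signal to refuse the connection and alert.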
The FTC alleged that Lenovo deceptively failed to disclose the unfair preinstallation of VisualDiscovery and the faulty security that the software engendered. The Commission also claimed that Lenovo did not adequately disclose the third-party software through a pop-up window that appeared upon the initial opening of a web browser. This pop-up failed to disclose adequately that VisualDiscovery would act as a man in the middle between consumers and all websites with which they communicated and did not have an opt-out mechanism that customers could easily use.
The final settlement prohibits Lenovo from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties. The settlement also requires Lenovo to get consumers’ affirmative consent before any such software runs on their laptops. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The implementation will be assessed by a third party every two years, in addition to the usual FTC audits. In an interesting side note, the two commissioners issued additional, conflicting statements regarding what should be considered a deceptive omission. Commissioner McSweeny held that the complaint could have gone further. He found that Lenovo’s failure to disclose the pop-up ad feature and its effect on the browsing experience was deceptive.
Acting Chairman Ohlhausen disagreed. She held that the Commission generally took a more limited approach to determining deceptive omission. Since the disclosure admitted that advertising would become part of the browsing experience, further disclosure of its effects was unnecessary; disclosing every piece of information about every product would actually cause more harm than it spared.
For a more detailed analysis of the implications of the case, see our blog post here.