The Federal Trade Commission has settled with Lenovo after it was revealed that 750,000 laptops came pre-installed with spyware and adware. The attorneys general of 32 states acted alongside the FTC and have collectively fined the company $3.5 million. Offending laptops were sold from August 2014 through June 2015 and came installed with a program called VisualDiscovery.
The full settlement is available online.
Created by California-based software developer Superfish, the program would analyze a consumer's screen and web browsing looking for potential products. If it discovered that the user was viewing product images or online shopping, it would overlay pop-up ads in the browser for similar products sold by Superfish's retail partners.
According to its own description, the man-in-the-middle attack used image searches instead of keywords.
How did this spyware get on hundreds of thousands of Lenovo laptops? According to Lenovo, they didn't know it was spyware. With all of the extra third-party software Lenovo installed on its laptops, nobody checked to see what Superfish actually did and the privacy concerns it entailed.
Although dozens of models were affected, the FTC doesn't actually have the authority to fine Lenovo (the attorneys general handled the monetary fine). In essence, the settlement today amounts to a slap on the wrist. If Lenovo violates the terms of the settlement though, then the FTC can start fining.
Going forward, Lenovo is now required to ask for user permission when installing any software that collects and sends personal information to another company.
If you believe you were affected, Lenovo has a Superfish removal tool available on their website.