Lenovo’s Superfish scandal reveals tactic familiar to Win 10 upgrades
6 September 2017 | 0
As Lenovo resolves the Superfish bloatware scandal from 2015, a surprising detail has emerged from the fine print of the settlement. Consumers who bought Lenovo laptops with man-in-the-middle Superfish adware (by a company called VisualDiscovery) likely fell for a trick later made infamous by Microsoft: clicking the ‘x’ to dismiss the program actually opted them into it.
Lenovo settled with the Federal Trade Commission on Tuesday, paying a reported $3.5 million in fines and agreeing to other security concessions to prevent a repeat of the Superfish debacle. According to the FTC, the software allowed VisualDiscovery to see all of a consumer’s sensitive personal information transmitted over the Internet, including log-in information, social security numbers, and more. In 2015, Lenovo CTO Peter Hortensius called the decision to use Superfish a “significant mistake”.
According to the FTC, Lenovo will be prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions. For 20 years, Lenovo will be required to put in place a comprehensive software security programme for most consumer software preloaded on its laptop. If Lenovo does put adware onto its laptops, it must get affirmative consent, it added.
But it’s the issue of ‘affirmative consent’ for which one of the FTC commissioners, Terrell McSweeny, said she felt Lenovo went too far.
McSweeny, an Obama Administration appointee whose terms ends this month, wrote in a separate statement that two key facts were never communicated to consumers. First, the Superfish software on a laptop slowed Internet speeds by as much as 125%; and second, that dismissing the Superfish software actually opted consumers into it.
When clicking the ‘x’ doesn’t close the program
VisualDiscovery also used an insecure method to replace digital certificates, exposing users to risk and preventing their browsers from warning them that the website they were visiting could have been spoofed. And on every e-commerce site, VisualDiscovery’s software would display ads.
According to McSweeny, VisualDiscovery and its Superfish software “would alter the very Internet experience for which most consumers buy a computer,” she wrote. “I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive.”
VisualDiscovery used a pop-up window that introduced Superfish the first time that a user visited an e-commerce website, McSweeny wrote. Then Superfish broke the norms of conventional software: “But clicking to close that window opted consumers into the program,” McSweeny wrote.
If that sounds familiar, it should. A year or so later, Microsoft was busy trying to encourage consumers to upgrade to Windows 10, through a series of increasingly annoying nagware screens. In May 2016, it went too far: A popup pushing Windows 10 would opt consumers into Windows 10 if they clicked the ‘x’ at the top of the window to dismiss it. That behaviour prompted complaints on Reddit and other sites, and neatly encapsulated Microsoft’s strong-arm tactics to force its user base onto Windows 10.
At the time, we all thought that was a new low. According to the FTC, Microsoft was simply copying VisualDiscovery.
IDG News Service