FTC settles with Lenovo over selling laptops deliberately infected with Superfish spyware

The Federal Trade Commission has announced a settlement with Lenovo over the 2015 revelation that the company pre-installed malware called "Superfish" on its low-end models, which allowed the company to spy on its customers, and also left those customers vulnerable to attacks from third parties, who could exploit Superfish's weakened security.

The fraud prompted a class-action lawsuit, and sparked further investigations into Lenovo's software pre-installations, revealing yet another malware infection deliberately introduced by the company.


In conjunction with the FTC settlement, 32 state attorneys general have settled with Lenovo for fines totalling $3.5m. The FTC settlement does not involve fines, but puts Lenovo on notice — any similar malware loading in the future will be subject to significant fines and other punishments.

The FTC implied that Lenovo had installed the malware without fully understanding how it worked, and failed to appreciate the extent to which it would spy on users and weaken their security.


"Everybody in the chain needs to pay attention," she said. "This happened to be one of the world's largest computer manufacturers and I think it it sends an important message: If you are going to install these kinds of software, you need to pay attention to what it's collecting, what you're telling consumers, and the kinds of risks that it might be creating."


Ohlhausen also took a moment to connect the dots about the FTC's reinvigorated mission to protect consumers from tech companies that surreptitiously scrap personal data.

"To put today's announcement in context, this is the third privacy case that the FTC has announced in the past 30 days," Ohlhausen said. "The first was against Uber and the second was tax preparation firm TaxSlayer.

"Those of you who follow the FTC can find some common themes from these cases: All of them involve sensitive information, so driver's license numbers, and other financial information, in the Uber case," she said. "Social Security numbers and tax information in TaxSlayer. And contents of consumer's information in today's case. All of the cases involve conduct that caused or was likely to cause substantial harm to consumers."


Lenovo Wasn't Paying Attention: 750,000 Laptops Had Spyware
[Nick Lucchesi/Inverse Innovation]

(via Naked Capitalism)