As Lenovo resolves the Superfish bloatware scandal from 2015, a surprising detail has emerged from the fine print of the settlement. Consumers who bought Lenovo laptops with “man-in-the-middle” Superfish adware (by a company called VisualDiscovery) likely fell for a trick later made infamous by Microsoft: clicking the “X” to dismiss the program actually opted them into it.
Lenovo settled with the Federal Trade Commission on Tuesday, paying a reported $3.5 million in fines and agreeing to other security concessions to prevent a repeat of the Superfish debacle. According to the FTC, the software allowed VisualDiscovery to see all of a consumer’s sensitive personal information transmitted over the Internet, including log-in information, Social Security numbers, and more. In 2015, Lenovo CTO Peter Hortensius called the decision to use Superfish a “significant mistake.”
Lenovo also expressed relief that the 2.5-year investigation was over. Though the company said that it was not aware of the Superfish software exploiting any vulnerabilities, Lenovo previously published details on how to remove Superfish from existing laptops. Superfish has not been loaded on Lenovo laptops since 2015.
"Product security, privacy and quality are top priorities at Lenovo," Lenovo said in a statement.
According to the FTC, Lenovo will be prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions. For 20 years, Lenovo will be required to put in place a “comprehensive software security program for most consumer software preloaded on its laptop,” subject to external audits, the FTC said. If Lenovo does put adware onto its laptops, it must “get consumers’ affirmative consent,” it added.
But it’s the issue of “affirmative consent” for which one of the FTC commissioners, Terrell McSweeny, said she felt Lenovo went too far.
McSweeny, an Obama Administration appointee whose terms ends this month, wrote in a separate statement that two key facts were never communicated to consumers. First, the Superfish software on a laptop slowed Internet speeds by as much as 125 percent; and second, that dismissing the Superfish software actually opted consumers into it.
Why this matters: Bloatware already plagues laptops and tablets. We thought Lenovo crossed the line by injecting adware—the VisualDiscovery Superfish software—which would communicate users’ private information. Digging into the settlement details reveals more—the other negative effects Superfish had on day-to-day browsing, and also the mechanism by which both companies interpreted “affirmative consent” to trick people into using the software—a dirty tactic Microsoft itself employed later to force people to upgrade to Windows 10.
When clicking the 'x' doesn't close the program
According to McSweeny, the Superfish software slowed Internet browsing, specifically downstream traffic by 25 percent and uploads by as much as 125 percent. In addition to simply slowing browser speeds, VisualDiscovery also used an insecure method to replace digital certificates, exposing users to risk and preventing their browsers from warning them that the website they were visiting could have been spoofed. And on every e-commerce site, VisualDiscovery's software would display ads.
According to McSweeny, VisualDiscovery and its Superfish software “would alter the very Internet experience for which most consumers buy a computer,” she wrote. “I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive.”
VisualDiscovery used a pop-up window that introduced Superfish the first time that a user visited an e-commerce website, McSweeny wrote. Then Superfish broke the norms of conventional software: “But clicking to close that window opted consumers into the program,” McSweeny wrote (emphasis hers).
If that sounds familiar, it should. A year or so later, Microsoft was busy trying to encourage consumers to upgrade to Windows 10, through a series of increasingly annoying nagware screens. In May 2016, it went too far: A popup pushing Windows 10 would opt consumers into Windows 10 if they clicked the “X” at the top of the window to dismiss it. That behavior prompted complaints on Reddit and other sites, and neatly encapsulated Microsoft’s strong-arm tactics to force its user base onto Windows 10.
At the time, we all thought that was a new low. According to the FTC, Microsoft was simply copying VisualDiscovery.
Updated at 9:33 AM on Sept. 6 with a statement from Lenovo.