In 2014, Lenovo began bundling a third-party adware program called “Superfish” into its consumer PCs. Now, nearly three years later, the company is facing the consequences. Today, Lenovo settled a lawsuit by the Federal Trade Commission over the Superfish adware, agreeing to get affirmative consent for any future adware programs, as well as audited security checks of their software for the next 20 years.
Installed on Lenovo laptops between September 2014 and January 2015, Superfish added its own root certificate to the system trust store, allowing it to insert ads into even HTTPS-protected webpages. Unfortunately, that also meant hackers could forge Superfish’s certificate to break HTTPS protections entirely, an attack that occurred shortly after the program became public.
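The defensive check that follows from this, as an added example that is not code from the original article: a Go routine that walks an exported PEM trust store and reports every self-signed CA certificate whose subject matches a watch-list, since a trusted root of that kind is what lets a third party mint certificates for any site. The certificates it builds are constructed test data, and matching on the word "Superfish" assumes the rogue root's subject name contains it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// makeSelfSignedCA builds an in-memory self-signed CA (constructed test data,
// not any vendor's real certificate) and returns it PEM-encoded.
func makeSelfSignedCA(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// AuditTrustStore parses a PEM bundle (for example an exported trust store) and
// returns the subject CN of every self-signed CA whose CN matches the watch-list.
// Leaf and intermediate certificates are skipped: only a trusted root lets a
// third party issue certificates for arbitrary hostnames.
func AuditTrustStore(bundle []byte, watch []string) []string {
	var hits []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
			continue // unparseable, not a CA, or not self-signed
		}
		cn := strings.ToLower(cert.Subject.CommonName)
		for _, w := range watch {
			if strings.Contains(cn, strings.ToLower(w)) {
				hits = append(hits, cert.Subject.CommonName)
				break
			}
		}
	}
	return hits
}
```

On a real machine the bundle would be the exported system or browser trust store rather than generated certificates, and the watch-list would hold the subject names of roots known not to belong there.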
According to the FTC’s indictment, breaking HTTPS presented a clear risk to consumers — but because it was classified as an initial violation, Lenovo isn’t going to have to pay for putting customers at risk. Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.
That doesn’t mean Lenovo’s getting off entirely clean. Lenovo will also pay $3.5 million as part of a separate state-level settlement, which also includes notice-and-consent provisions.
Lenovo isn’t the only company that’s used certificate-breaking adware. A few months after Superfish became public, a similar program was discovered in two models of Dell laptops, although the software was less widespread.
“This case sends a very important message that everybody in the chain needs to pay attention,” acting FTC chairman Maureen Ohlhausen told reporters in a call. “If you are going to preinstall this kind of software, you need to pay attention to what you’re collecting and what you’re telling consumers.”
Update 9/6 11:42AM ET: A previous version of this piece stated that Lenovo would not pay monetary damages for Superfish, based on the lack of damages in the FTC settlement. The piece has been updated to reflect the subsequent settlement with the coalition of state attorneys general.