The Wizard of Oz was right: “Pay no attention to the man behind the curtain.” That’s because according to an FTC settlement, computer company Lenovo should have been paying attention to the “man in the middle.” In this case, the “man in the middle” was preloaded ad-injecting software that put consumers’ personal information at risk from harmful man-in-the-middle attacks.
When people first browsed a shopping site with their new Lenovo computers, they got a one-time pop-up notice that said, “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop.” What was VisualDiscovery? It was adware customized to Lenovo’s specifications by Palo Alto developer Superfish. And what did VisualDiscovery do? Anytime a consumer hovered over a product image on a shopping site, VisualDiscovery would deliver pop-up ads of similar looking products sold by Superfish’s retail partners. But that’s not all.
At Lenovo’s direction, Superfish modified VisualDiscovery so it would work on all browsers, including browsers that consumers installed after purchase. To do that, the software incorporated a tool that compromised security precautions used by sites with encrypted connections. (Consumers recognize an encrypted connection by the “s” in the https:// URL.) You’ll want to read the complaint for details, but here’s the shorthand version of why that proved to be a fateful decision.
Https:// websites use digital certificates as a form of electronic credentials that are presented to consumers’ browsers to help verify that the site is authentic and not an imposter. VisualDiscovery, however, replaced the digital certificates for https:// websites with its own certificates. The software’s certificates tricked both the site and the browser into believing there was a direct, encrypted connection when, in fact, the software was setting itself up as a man-in-the-middle. That gave the software access to all the sensitive information a consumer transmitted over the internet, including on encrypted sites. What’s more, the software sent to Superfish the URLs of sites consumers visited, IP addresses, and a unique identifier assigned to each laptop. And all that happened without consumers’ knowledge or consent.
The complaint alleges that the software’s man-in-the-middle status created two serious security vulnerabilities. First, when a consumer visits a site with an untrusted connection – for example, one where hackers can intercept sensitive data – the consumer should get a warning. But all that finagling with the certificates meant that consumers didn’t get the usual alert, thereby putting their data at risk and rendering useless a fundamental form of protection offered by browsers.
The software created an additional risk that put consumers’ personal data in harm’s way. To facilitate the desired functionality, Superfish licensed a tool from a third party. Rather than using a unique password for each laptop, the tool used the same private encryption key with the same easy-to-guess password on every laptop installed with VisualDiscovery. Once the bad guys cracked the password, they could target all Lenovo owners with VisualDiscovery installed on their laptops with man-in-the-middle attacks to intercept highly sensitive information like Social Security and account numbers, medical data, login credentials, and email. The vulnerability also made it easier for attackers to trick consumers into downloading malware onto any affected Lenovo laptop. Just how easy was the password to crack? It was the name of the company that sold the tool, a choice so obvious that security researchers were able to figure it out in less than an hour.
Count One of the complaint alleges that Lenovo deceptively failed to disclose that VisualDiscovery would act as a man-in-the-middle between consumers and sites with which they communicated, including sensitive communications on encrypted https:// sites. That count also alleges that it was deceptive not to disclose that software would send consumers’ browsing data to Superfish. Count Two charges that it was an unfair practice for Lenovo to preinstall man-in-the-middle software without giving consumers adequate notice and getting their informed consent. Count Three alleges that Lenovo’s failure to take reasonable steps to assess and address security risks created by the pre-installed software was an unfair practice, too.
The proposed order prohibits Lenovo from making misrepresentations about a host of features for certain preinstalled software, including whether it will display advertising, including pop-up ads, or transmit consumers’ personal information. The order also bars Lenovo from pre-installing certain kinds of software without first getting consumers’ affirmative express consent. In addition, Lenovo will have to put a comprehensive software security program in place. You can file a public comment about the proposed settlement by October 5, 2017.
What can other companies learn from the Lenovo lawsuit?
When it comes to the privacy of consumers’ personal information, transparency is the best policy. According to the complaint, Lenovo got in trouble because it didn’t tell consumers – and it didn’t get their consent – that VisualDiscovery would intercept all of their internet communications, including on sensitive websites, and would transmit certain browsing information to Superfish. Some might ask why consumers didn’t just disable VisualDiscovery. The problem was that Lenovo never clearly explained to consumers what was going on behind the scenes – and behind the screens. Among other things, the proposed order requires Lenovo to have a mechanism for consumers to revoke their express consent by opting out or disabling covered software. Order provisions apply just to that company, of course, but for any business, explaining things clearly up front and offering easy-to-exercise options encourage consumer loyalty.
Consider the risks of modifying existing security features. As Start with Security makes clear, security protocols are in place for a reason and monkeying with them can be risky. Make sure any third-party software you include with your product doesn’t put consumers’ personal information at risk.
Oversee your software vendors. Even if you hire third-party vendors, the security of your products is ultimately your responsibility. The complaint alleges that Lenovo’s failure to take reasonable measures to assess and address the security risks created by its installation of third-party software was an unfair practice. What’s the takeaway tip for your business? Do your due diligence. Before you hire vendors, make sure they’re capable of maintaining reasonable security. Include provisions in your contract to address security. And either conduct your own testing or insist that your vendors provide you with rock-solid documentation confirming that they’ve done their own appropriate testing.