On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy.1 As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states,2 and per an agreement with the FTC, Lenovo will be required to implement a comprehensive software security program for most consumer software preloaded on its laptops for the next 20 years. The settlement highlights the ongoing interest by the FTC and state attorneys general regarding cybersecurity vulnerabilities in software and makes clear the FTC’s position that hardware manufacturers have an obligation to evaluate the security of third-party software they preinstall on their devices.
Beginning in August 2014, as part of its standard pre-installed software packages on its laptops, Lenovo included VisualDiscovery, developed by Superfish, Inc. VisualDiscovery was an advertising software solution that delivered pop-up ads from retail partners when users hovered their cursor over similar items on websites. According to the FTC’s complaint, the software worked by using what is commonly termed a “man-in-the-middle” technique. “Man-in-the-middle” refers to inserting software between a user and the websites the user visits, allowing the software to view all of the data transmitted between the user and the website. Such a technique allows the software potentially to collect all information transmitted over the web, including sensitive information transmitted over secure connections, such as passwords, social security numbers, payment information, and the contents of private communications, like emails.
According to the FTC’s complaint, VisualDiscovery collected and transmitted to Superfish’s servers a limited amount of information, such as the websites the user browsed and the consumer’s IP address, but the software had the ability to collect much more information. In addition, the FTC alleged that the software also used an insecure method to replace digital certificates on encrypted websites without adequately verifying the websites’ digital certificates, and the software used the “same, easy-to-crack password on all affected laptops,” leaving users’ laptops subject to attack and undermining the ability of web browsers to warn users of potentially insecure websites.
These activities were allegedly conducted without consumers’ knowledge or consent. The FTC complaint also alleged that Lenovo did not discover or address these vulnerabilities because it did not adequately evaluate third-party software it pre-installed on its laptops. Specifically, the FTC alleged that Lenovo failed to take reasonable measures to assess and address security risks created by pre-installed third-party software, including: (1) failing to adopt relevant written security standards; (2) failing to request or review Superfish’s data security policies, procedures, and practices; (3) failing to require Superfish by contract to adopt and implement reasonable security measures; (4) failing to assess VisualDiscovery’s compliance with reasonable security standards; and (5) failing to provide adequate security training for employees responsible for testing third-party software.
Under the terms of the settlement, Lenovo is required to implement a comprehensive software security program for the next 20 years for most consumer software preloaded on its laptops, and the program will be subject to third-party audits. This type of specific security program is new to FTC data security settlements, which in the past have required much broader programs covering all of the company’s activities involving consumer information.
As is standard for these types of settlements, Lenovo is also prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. In addition, Lenovo must also get consumers’ affirmative consent before pre-installing this type of software.
Lenovo also agreed to pay $3.5 million to the 32 states that brought suit.
This settlement makes clear the FTC’s position that hardware manufacturers are responsible for the software that they pre-install on their products, including ensuring that the software complies with privacy policies. The settlement also highlights the FTC’s scrutiny of practices that may have the effect of compromising secure Internet communications.3 Additionally, the FTC’s settlement once again connects its privacy mandate with cybersecurity, noting that cybersecurity vulnerabilities can result in the exposure of otherwise private or sensitive data.
According to the FTC’s complaint and consent order with Lenovo, hardware companies that use third-party software on their devices should have a program in place to evaluate the security and privacy policies of the third-party software. Companies should inquire not only about privacy policies and the data that is collected and stored, but also about how the software operates and the potential risks and vulnerabilities created by the software. Companies should also consider not relying solely on the representations of third-party software companies, but also implementing their own security program that evaluates third-party software.
The settlement also once again emphasizes the importance, in the development of both hardware and software devices, of using unique, not default, passwords that can be changed and that are not easily hacked.
Finally, while Acting Chairman Maureen Ohlhausen and Commissioner Terrell McSweeny (currently the only two FTC commissioners) both voted to issue the FTC’s administrative complaint and accept the consent agreement, they also took the unusual approach of issuing dueling concurring statements. Specifically, they disagreed over the appropriate scope of the FTC’s authority to bring deceptive omission cases, with Commissioner McSweeny asserting that the complaint’s deception count should have included additional advertising-related conduct that Lenovo failed to disclose. Meanwhile, Acting Chairman Ohlhausen took the position that Lenovo’s silence about VisualDiscovery’s ad placement and effect on web browsing, while perhaps irritating to consumers, did not rise to the level of a deceptive omission. How this disagreement plays out in future cases may prove significant.