Anyone who has ever purchased a PC or laptop knows that it comes pre-loaded with a bunch of stuff you will never use. Unfortunately, laptop maker Lenovo got caught installing adware on their machines that could have compromised the security of user information. After a legal battle involving the Federal Trade Commission and 32 states, the company has agreed to pay $3.5 million in fines.
The adware, called VisualDiscovery and created by the now-defunct Superfish, was found to act as a "man-in-the-middle" piece of software that could open a user's system up to attempts to gather personal information despite secure connections, and even spy on encrypted communications. The adware was installed on hundreds of thousands of systems when the laptops were produced in August 2014, with Lenovo finally admitting the problem in early 2015 and stopping the shipment of units. Lenovo also created a tool to help remove the bloatware.
In addition to the fines, Engadget reports that Lenovo must also jump through a few FTC hoops in the future before any pre-installations can occur.
"As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' internet browsing sessions or transmit sensitive consumer information to third parties," the FTC said.
It also required that users agree to any installation of software before it is loaded. Moreover, Lenovo was tasked with creating a "comprehensive software security program for most consumer software preloaded on its laptops." The program will be required for the next 20 years and will be subject to an audit by authorized third parties.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” acting FTC Chairman Maureen Ohlhausen said in a statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
Lenovo denied any wrongdoing, and said in its own statement that it was unaware of any third parties "exploiting the vulnerabilities to gain access to a user's communications." However, the company was happy to have two and a half years of legal issues behind it.