Jessica N. Bennett v. Lenovo (United States), Inc., and Superfish, Inc., No. 15-CV-00368 (S.D. Cal. filed Feb. 19, 2015)
Lenovo is facing backlash from security experts for pre-installing adware called Superfish on some of its computers. Superfish detects advertisements on websites and replaces them with targeted images based on the user’s browsing habits, AnandTech reports. Lenovo explained that it pre-installed Superfish to help its users make more informed choices by replacing advertisements with ones that potentially offer lower prices. However, Superfish threatens users’ privacy and data security, as Ars Technica describes in detail in two reports.
On February 19, 2015, plaintiff Jessica N. Bennett filed a class action lawsuit in federal court for the Southern District of California against Lenovo and Superfish for pre-installing Superfish on a Lenovo-made laptop that she purchased. Ms. Bennett’s complaint states claims against both defendants for violations of California’s Invasion of Privacy Act, the Federal Wiretap Act, and California’s Unfair Competition Law; and for common law trespass to personal property. MaximumPC reports on the lawsuit.
Lenovo stated in a press release and security advisory that it installed Superfish on certain consumer notebooks shipped between September 2014 and February 2015. Due to users’ negative reaction, Lenovo disabled Superfish’s server-side interactions and stopped installing the software in January 2015. Lenovo stated that it does not plan to install Superfish in the future and provided instructions to remove Superfish.
According to AnandTech, Lenovo’s pre-installation of Superfish on its laptops is concerning for four reasons. First, by replacing pre-existing advertisements with different advertisements, Superfish can potentially redirect users to servers that benefit Lenovo. Second, by actively scanning the websites that users are browsing, Superfish may violate their privacy rights. Third, as adware, Superfish imposes unwanted advertisements to generate revenue. Finally, and perhaps most troublingly, by intercepting any HTTPS-encrypted webpage that carries advertisements, Superfish breaks the security of the encrypted connection and introduces insecure content, which can allow malicious software to steal personal and financial information.
Superfish leaves affected Lenovo users exposed to attackers by installing a self-signed root certificate authority (CA) certificate in the Windows trusted root store. More specifically, to read traffic to HTTPS-protected websites, Superfish intercepts each connection, decrypts it, and presents the browser with a substitute certificate for the site that Superfish itself has signed with its root key. Because the browser trusts the Superfish root, it accepts the substitute certificate and shows no warning, even though the real site never issued it. Even more problematically, Superfish ships the same root certificate, and the same private key, on every Lenovo computer on which it is installed, so anyone who extracts that key from one machine can forge a valid-looking certificate for any website and present it to every affected user, intercepting or altering their traffic, including logins and financial data. According to Ars Technica, at least a dozen software applications other than Superfish have been found that use the same HTTPS-interception code, so the weakness is not confined to Lenovo machines. In fact, Ars Technica reports that it took Errata Security CEO Rob Graham a mere three hours to recover the private key: the password protecting it was “komodia”, the name of the Israeli company that produces the problematic code.
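The practical check that follows from the paragraph above is to look in the Windows trusted root stores for the Superfish certificate and to confirm that its thumbprint is identical on every affected machine. The script below is an added example written for this page; it is not part of the original post, of Lenovo’s advisory, or of Lenovo’s removal instructions. It assumes only that the certificate’s Subject contains the string “Superfish” (a placeholder pattern, to be confirmed against Lenovo’s advisory before relying on it) and it does not remove anything by itself.

```powershell
# Added example (not from the original post or from Lenovo's advisory).
# Enumerates the machine-wide and per-user trusted root stores on a
# Windows system and reports any root certificate whose Subject matches
# the assumed Superfish pattern.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$pattern = '*Superfish*'   # assumption: subject fragment, not taken from the page

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA signs itself
                Thumbprint = $_.Thumbprint                # identical across machines if the cert is shared
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $found) {
    Write-Output 'No root certificate matching the pattern was found.'
} else {
    $found | Format-Table -AutoSize
    # Compare the Thumbprint value across several laptops: a single shared
    # thumbprint confirms that the same root (and therefore the same private
    # key) was deployed to every one of them.
    #
    # To delete the certificate from the machine store (run elevated):
    #   Remove-Item -Path "Cert:\LocalMachine\Root\$($found[0].Thumbprint)"
    # Removing the certificate without also uninstalling the interception
    # software will make the browser reject the substituted certificates,
    # so HTTPS sites will fail to load until the software is removed too.
}
```

Because the machine store can only be modified from an elevated prompt, the removal line is left as a comment; run the detection first from an ordinary session, confirm the thumbprint, and then remove the certificate and uninstall the software together.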
Lenovo’s installation of Superfish offers a lesson to hardware companies to be wary of pre-installing software programs that threaten their users’ privacy and data security. Jan Dawson of Techpinions contends that the root problem of this situation is Lenovo’s (and other PC manufacturers’) failure to differentiate their brands with their own software, as Apple does. Although Mr. Dawson recognizes that it can be difficult for hardware companies to develop their own software, he suggests that Lenovo should acquire software technology so that it can install fully compatible software on its hardware that truly adds value for its users.
Jenny Choi is a 2L at Harvard Law School and is interested in privacy and data disclosure issues.