A federal court has approved a super-sized payout fund for Lenovo, which will be required to create a $7.3 million reservoir, set aside for settling a class action lawsuit over surreptitious adware installations.
Last week, the U.S. District Court for the Northern District of California granted preliminary approval for the settlement, which will pay out on 27 class action lawsuits that were consolidated in June 2015 into a single action. The settlement does not include attorneys’ fees, so it’s likely that Lenovo will see its costs edge even further upward.
The Chinese PC giant came under fire in 2014 for pre-loading the code, which powered something called VisualDiscovery. This was meant to help shoppers by analyzing images on the web and presenting similar product offers with lower prices—thus “helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”
However, it turned out that the adware was signed with the same root certificate on all machines – and it was a certificate that it issued to itself; Superfish essentially acted as its own root certificate authority.
In 2014, Errata CEO Rob Graham was able to crack the private key for the certificate, effectively breaking HTTPS security for all of the affected laptops.
In turn, that meant that hackers could technically launch man in the middle (MITM) attacks against any of the affected laptops via public Wi-Fi, without signs of any wrongdoing.
“The consequence is that I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe WiFi hotspot,” Graham wrote at the time.
The discovery of the vulnerability thrust Superfish into the limelight, and backlash was swift, given that the adware was pre-installed on machines without any disclosure on the part of Lenovo. VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015, according to Lenovo.
Aside from the MITM potential, the software presented privacy issues, which is what landed Lenovo in legal trouble.
Last year, 32 states won the class-action case to resolve allegations that the company violated state consumer protection laws. They claimed that consumer information, including sensitive communications with encrypted web sites, could be collected and transmitted to Superfish, while making their information susceptible to hackers. According to court documents, the adware “could access customer Social Security numbers, financial data and sensitive heath information.”
Now, the court has finally approved the payout.
Lenovo stopped shipping laptops (as many as 28 different models) with VisualDiscovery preinstalled in February 2015, though some states alleged that it persisted in machines sold in retail stores as late as June 2015.
“We thought the product would enhance the shopping experience, as intended by Superfish,” Lenovo said in the aftermath. “It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software.”
In 2017, the FTC officially required the company to get explicit consent to install any adware programs, and mandated regular third-party audits of its bundled software through 2037.