Lenovo has been warned by the American Federal Trade Commission (FTC) for pre-installing the insecure Superfish adware on its laptops. Lenovo has settled with the FTC, the government agency reports on its website.
The company will pay a fine of $3.5 million to a coalition of 32 American states and has to take several measures to prevent similar issues.
In 2015, it became known that Lenovo had been pre-installing the Superfish adware on its laptops since 2014. The software could track users’ surfing behavior and show advertisements based on that data. The adware not only violated users’ privacy, but also introduced security vulnerabilities on the laptops.
Superfish could, in theory, watch all encrypted internet traffic, e.g. during internet banking.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” according to Acting FTC Chairman Maureen K. Ohlhausen in a statement on the FTC website. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
Lenovo has to perform extensive security tests on the laptops it sells for the next 20 years. An independent company will monitor those security tests. Lenovo is prohibited from installing similar adware on its laptops while pretending the software serves another purpose, and it will have to explicitly ask users for permission before such software can be installed.
Each violation of the orders of the FTC may result in a civil penalty of up to $40,654.