Lenovo IdeaPad 720s. Image credit: Lenovo
The U.S. District Court for the Northern District of California agreed to allow a settlement between Lenovo and the consumer group that filed a class action lawsuit against the company over its installation of the “Superfish” adware on its customers’ laptops.
A group of consumers filed a class action lawsuit against Lenovo soon after researchers discovered the Superfish installation in 2015. The lawsuit was settled earlier this year and Lenovo agreed to pay a total of $7.3 million, money which would be split among all the Lenovo customers affected by the issue. The company developing the Superfish adware that Lenovo installed on its customers’ laptops had to pay another million dollars to the same settlement fund.
In 2017, Lenovo also reached another settlement with the FTC and agreed to be monitored by the federal agency for the next 20 years. Google and Facebook have previously agreed to the same type of “monitoring” by the FTC. However, this type of monitoring failed to prevent recent privacy scandals in which both companies were involved, including the Cambridge Analytica scandal. The audits are done by third parties paid by the firms that are under monitoring, so they are not as stringent as they may first seem.
Lenovo also had to pay $3.5 million over the Superfish scandal to some state authorities under a separate deal. Lenovo has also been involved in other similar privacy scandals in the past few years. The company was accused of installing unremovable "bootkits" on its laptops that would persist even if users wiped Windows off their drives and re-installed a clean version of the operating system. This piece of Lenovo software took advantage of a UEFI capability that Microsoft gave OEMs, so the operating system vendor was at least partially to blame for it.
Back in 2015, researchers found that Lenovo had been installing Superfish on customers’ laptops. At the time, Lenovo denied that installing Superfish, which collected users’ data, together with a Lenovo digital certificate that allowed the company to collect traffic data from HTTPS websites, also caused security issues.
However, security researchers have shown that malicious parties could take advantage of the Superfish-caused security vulnerabilities to steal users’ banking credentials at local coffee shops. At the time, Lenovo promised to stop sending its customers ads via Superfish and to stop collecting their information, but those customers who already had the Superfish digital certificate installed remained vulnerable to attacks.