Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

Jan 10, 2018

By Linda Henry



The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to consumers’ sensitive personal information, transparency is key, and failure to assess and address security risks created by third-party software vendors may be deemed an unfair act or practice under Section 5 of the FTC Act.

Lenovo’s problems began in August 2014, when it started selling consumer laptops with preinstalled “man-in-the-middle” software supplied by a third-party vendor, Superfish, Inc.  When a consumer hovered over a product image on a shopping website, the software delivered pop-up ads for similar products sold by Superfish’s retail partners.

In order to inject pop-up ads into encrypted (HTTPS) connections, the software installed its own self-signed root certificate in the laptop’s trusted certificate store and then, for each website a consumer visited, replaced the website’s real certificate with one it generated on the fly and signed with that root.  Because the browser trusted the Superfish root, it showed the usual padlock even though there was no longer a direct, encrypted connection between the website and the consumer’s browser.  Superfish’s software was acting as a man-in-the-middle: it terminated the website’s encrypted session, decrypted the traffic, and re-encrypted it toward the browser.  Consequently, Superfish’s software had access to all personal information transmitted by consumers over the Internet, including login credentials, Social Security numbers, medical information, and financial information.  The FTC noted that although Superfish actually collected a more limited subset of consumer information, the software had the ability to collect additional information at any time.

In addition, the Superfish software did not sufficiently verify that the certificates presented by the websites it intercepted were valid before re-signing them, so a consumer’s browser could show a trusted connection to a website whose real certificate was forged or otherwise invalid.  Superfish also shipped the same root certificate, and the same private key for it, on every laptop, protected by a single, insufficiently complex password, “komodia” (the name of the vendor that provided the code Superfish built its software on).  Once that password was recovered, anyone holding the key could issue certificates that every affected laptop would accept for any website, so a potential attacker (on a shared Wi-Fi network, for example) could intercept consumers’ communications with websites without triggering a browser warning.

The FTC’s complaint alleged that Lenovo’s failure to disclose that the pre-installed software would act as a man-in-the-middle between consumers and all websites with which they communicated, and that the software would also collect and transmit consumers’ Internet browsing data to Superfish, was a deceptive act or practice.  The FTC also maintained that Lenovo had engaged in an unfair act or practice by failing to adequately assess (and then address) the security risks created by the Superfish software Lenovo pre-loaded on consumer laptops.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The FTC’s subsequent commentary on the Lenovo settlement, together with past guidance provided by the FTC, offers several takeaways:

  • Be transparent.  Transparency is always the best policy when considering the privacy of consumers’ personal information.  Lenovo failed to adequately disclose to consumers (let alone obtain their consent) that a third party would be able to intercept all of their online communications, or that man-in-the-middle software would transmit their browsing data to that third party.  The FTC has made clear that businesses must clearly explain to consumers how their data will be used and provide an easy way for consumers to opt out of data use or collection practices involving their personal information.
  • Disclosures must be conspicuous and complete.  On the Lenovo laptops, a consumer did see a one-time pop-up window the first time the consumer visited a shopping website.  The pop-up window included the following message: “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop.”  Although the pop-up window did include a small opt-out link, it was not conspicuous and was easy for consumers to miss.  If a consumer clicked anywhere else on the screen, or on the “x” button to close the pop-up, the consumer was automatically opted in to the software.

The FTC found that this initial pop-up window did not adequately disclose that the pre-installed software would act as a man-in-the-middle between consumers and the websites they visited, and that consumers would have considered the collection and transmittal of their sensitive information through this software a material fact when deciding whether to opt in to the pre-installed software.  In addition, had a consumer clicked on the opt-out link, the consumer would have successfully opted out of receiving the pop-up ads, but the software would have continued to act as a man-in-the-middle, and thus would have continued to expose consumer information despite the election to opt out.  The FTC also noted that neither the End User License Agreement nor the Privacy Policy for the Superfish software included a disclosure regarding the collection and use of consumers’ sensitive information.

  • Undertake adequate due diligence and include security requirements in agreements.  Companies are ultimately responsible for their third-party vendors and are expected to ensure that service providers implement reasonable measures to address security risks.  As the FTC noted in its Stick with Security guide published in 2017, companies should take a “trust, but verify” approach to their service providers and undertake adequate due diligence to confirm that their service providers have sufficient security controls in place to maintain the security of sensitive data.  Companies should also include appropriate security requirements in their agreements with service providers.  The FTC may view a company’s failure to hold service providers to specific security requirements as a missed opportunity to take reasonable steps to safeguard customers’ data.
  • Verify compliance.  Although due diligence and contractual requirements with service providers are important components of a company’s data security policy, a company should also verify that its service providers are complying with contractual requirements.

As part of the settlement, Lenovo is prohibited from pre-installing similar software unless Lenovo (i) obtains a consumer’s affirmative, express consent, (ii) provides instructions as to how a consumer can revoke that consent, and (iii) provides an option for consumers to opt out of, disable, or remove the software or its offending features.  In addition, for the next twenty years, Lenovo must maintain a comprehensive software security program that is reasonably designed to address software security risks related to the development and management of new and existing application software, and to protect the security, confidentiality, and integrity of sensitive information.  Acting Chairman Ohlhausen noted that the Lenovo settlement sends a message that “everyone in the chain really needs to pay attention.”
