Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement
The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to consumers’ sensitive personal information, transparency is key, and failure to assess and address security risks created by third-party software vendors may be deemed an unfair act or practice under Section 5 of the FTC Act.
Lenovo’s problems began in August 2014, when it began selling consumer laptops with preinstalled “man-in-the-middle” software (marketed as VisualDiscovery) provided by a third-party vendor, Superfish, Inc. The software delivered pop-up ads for similar products sold by Superfish’s retail partners whenever a consumer hovered over a product image on a shopping website.
In order to inject pop-up ads into encrypted (HTTPS) connections, the software installed its own Superfish root certificate in the laptop’s operating system trust store and then, for each website a consumer visited, substituted a certificate for that site signed by the Superfish root in place of the website’s real certificate. Because the browser trusted the Superfish root, it accepted these substitute certificates without warning. As a result, there was no longer a direct, encrypted connection between the websites visited by consumers and their Internet browsers: Superfish’s software sat in the middle, decrypting and then re-encrypting everything that traveled between the browser and the website. Consequently, Superfish’s software had access to all personal information consumers transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial information. The FTC noted that although Superfish collected only a more limited subset of consumer information, the software had the ability to collect additional information at any time.
In addition, the Superfish software substituted its own certificates without sufficiently verifying that the websites’ original certificates were valid, so a browser could show a valid-looking connection to a site whose real certificate would otherwise have been rejected. Worse, the private key of the Superfish root certificate was the same on every laptop, and it shipped inside the software protected only by the weak password “komodia” (the name of the vendor that provided the interception code Superfish used). Once that key had been extracted from one laptop, anyone holding it could sign a certificate for any website and intercept consumers’ communications on any network, because every affected laptop would trust the forged certificate.
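The forging risk described above, shown as an added example using the openssl command-line tool. This is illustration code written for this page, not Superfish’s or Komodia’s software; the root CA, private key, hostnames and the “second laptop” copy it creates are constructed stand-ins, not the actual Superfish certificate. It mints a site certificate with a shared root key, shows that a client trusting that root accepts it while a client with a different trust store rejects it, and includes two checks a practitioner would run on a fleet: comparing root fingerprints across machines (identical fingerprints mean an identical private key) and searching a bundle for an unexpected root by subject name.

```shell
#!/bin/sh
# Added example (not Superfish's code): why one shared, extractable root CA
# key breaks TLS for every machine that trusts it. Requires the openssl CLI.
# Every key, certificate and hostname below is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# The "preinstalled root": on the affected laptops, one root CA with one
# private key shipped inside the software on every machine.
make_shared_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Preinstalled Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Anyone holding root.key can mint a leaf certificate for any hostname.
# This is what the interception proxy did for each site a consumer visited,
# and what an attacker with the extracted key can do on any network.
forge_leaf() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Chain and hostname check the way a client does it.
# $1 = leaf cert, $2 = CA bundle the client trusts, $3 = expected hostname.
# Exit status 0 means the client would accept the connection.
client_accepts() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Fleet check for the shared-key problem: the SHA-256 fingerprint of a root
# certificate. If two machines report the same fingerprint for a vendor root,
# they carry the same certificate and therefore the same private key.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fleet check for an unexpected root: does the PEM bundle $1 contain any
# certificate whose subject matches the pattern $2 (e.g. "Superfish")?
bundle_has_subject() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep -qi "subject=.*$2"
}

# Demo run: forge a certificate for a constructed hostname and see who
# accepts it, then compare fingerprints across a simulated second laptop.
demo() {
    make_shared_root
    forge_leaf bank.example
    if client_accepts "$WORK/bank.example.crt" "$WORK/root.crt" bank.example; then
        echo "client trusting the shared root: ACCEPTS forged bank.example cert"
    fi
    cp "$WORK/root.crt" "$WORK/laptop2-root.crt"   # second machine, same image
    echo "laptop1 root: $(root_fingerprint "$WORK/root.crt")"
    echo "laptop2 root: $(root_fingerprint "$WORK/laptop2-root.crt")"
}
```

On a Windows laptop the subject check would be run against the machine’s trusted root store (for example with certutil -store Root) rather than against a PEM bundle, and the fingerprint comparison is the quick way to tell whether a vendor root was generated per device or copied from one image to every unit.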
The FTC’s complaint alleged that Lenovo’s failure to disclose that the pre-installed software would act as a man-in-the-middle between consumers and every website with which they communicated, and that the software would also collect and transmit consumers’ Internet browsing data to Superfish, was an unfair or deceptive act or practice. The FTC also maintained that Lenovo had engaged in an unfair act or practice by failing to adequately assess (and then address) the security risks created by the Superfish software it pre-loaded on consumer laptops.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
The FTC’s subsequent commentary on the Lenovo settlement, together with past guidance provided by the FTC, offers several takeaways:
- Be transparent. Transparency is always the best policy when the privacy of consumers’ personal information is at stake. Lenovo failed to adequately disclose to consumers (let alone obtain their consent) that a third party would be able to intercept all of their online communications, or that man-in-the-middle software would transmit their browsing data to that third party. The FTC has made clear that businesses must clearly explain to consumers how their data will be used and provide an easy way to opt out of data collection or use practices involving their personal information.
- Disclosures must be conspicuous and complete. On the Lenovo laptops, a consumer did see a one-time pop-up window the first time the consumer visited a shopping website. The pop-up included the following message: “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop.” Although the pop-up did include a small opt-out link, it was not conspicuous and was easy for consumers to miss. If a consumer clicked anywhere else on the screen, or on the “x” button to close the pop-up, the consumer was automatically opted in to the software. Nothing in the message mentioned certificate substitution, interception of encrypted traffic, or transmission of browsing data to Superfish.
- Undertake adequate due diligence and include security requirements in agreements. Companies are ultimately responsible for their third-party vendors and are expected to ensure that service providers implement reasonable measures to address security risks. As the FTC noted in its Stick with Security guide published in 2017, companies should take a “trust, but verify” approach to their service providers and undertake adequate due diligence to confirm that those providers have sufficient security controls in place to maintain the security of sensitive data. Companies should also include appropriate security requirements in their agreements with service providers. The FTC may view a company’s failure to hold service providers to specific security requirements as a missed opportunity to take reasonable steps to safeguard customers’ data.
- Verify compliance. Although due diligence and contractual requirements for service providers are important components of a company’s data security program, a company should also verify that its service providers are actually complying with those contractual requirements, for example by testing what pre-loaded software does on a production image rather than relying on the vendor’s description of it.
As part of the settlement, Lenovo is prohibited from pre-installing similar software unless it (i) obtains the consumer’s affirmative, express consent, (ii) provides instructions on how the consumer can revoke that consent, and (iii) provides an option for the consumer to opt out of, disable, or remove the software or its offending features. In addition, for the next twenty years, Lenovo must maintain a comprehensive software security program that is reasonably designed to address software security risks related to the development and management of new and existing application software, and to protect the security, confidentiality, and integrity of sensitive information. Acting Chairman Ohlhausen noted that the Lenovo settlement sends a message that “everyone in the chain really needs to pay attention.”