Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

Jan 10, 2018

By Linda Henry



The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to consumers’ sensitive personal information, transparency is key, and failure to assess and address security risks created by third-party software vendors may be deemed an unfair act or practice under Section 5 of the FTC Act.

Lenovo’s problems began in August 2014, when it began selling consumer laptops with preinstalled “man-in-the-middle” software provided by a third-party vendor, Superfish, Inc.  The software delivered pop-up ads notifying consumers of similar products sold by Superfish’s retail partners when consumers hovered over a product image on a shopping website.

In order to inject pop-up ads into encrypted connections, the software replaced the digital certificates for websites visited by consumers with Superfish’s own digital certificate, which had been installed in the laptop’s operating system.  As a result, there was no longer a direct, encrypted connection between the websites visited by consumers and their Internet browsers.  Superfish’s software was acting as a man-in-the-middle, and was decrypting and then re-encrypting the information traveling between the browsers and the websites. Consequently, Superfish’s software provided access to all personal information transmitted by consumers over the Internet, including login credentials, Social Security numbers, medical information, and financial information.  The FTC noted that although Superfish collected a more limited subset of consumer information, the software had the ability to collect additional information at any time.

In addition, the Superfish software replaced websites’ digital certificates without sufficiently verifying that the websites’ own certificates were valid, and Superfish protected its encryption key with the same insufficiently complex password on every laptop.  As a result, potential attackers could intercept consumers’ communications with websites by hacking the encryption key’s password, “Komodia” (the name of the vendor that provided the code used by Superfish in its software).
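The two preceding paragraphs describe the precondition for this kind of interception (an extra root certificate installed in the laptop’s trust store) and its consequence (the browser receives certificates re-signed by that root instead of by the website’s real certificate authority).  The script below is an added example, not code from the original post or from Lenovo, Superfish or the FTC, showing how a defender can check a fleet for both symptoms.  It differences a host’s root store against a known-good baseline, then checks whether the issuer of the certificate a browser actually received for a well-known site is one of the unexpected local roots.  The trust-store listing, fingerprints and certificate records are constructed sample data in the shape returned by Python’s `ssl.getpeercert()`; names such as “Example Ad Injector” and “Public Root CA 1” are placeholders, not real identifiers.

```python
"""Detecting a locally installed interception root (added example, constructed data).

Check 1: any root certificate present on the host but absent from the vendor
         baseline is a candidate for a man-in-the-middle proxy's signing root.
Check 2: if the issuer of the leaf certificate the browser received for a site
         is one of those unexpected roots, the connection is being re-signed on
         the host rather than terminated at the website.
"""
import hashlib


def _rdn_value(name, key):
    """Return one attribute (e.g. 'organizationName') from a getpeercert()-style
    name: a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def unexpected_roots(local_store, baseline_fingerprints):
    """Roots present in the host store whose fingerprint is not in the baseline."""
    return [c for c in local_store if c["fingerprint"] not in baseline_fingerprints]


def interception_indicators(peercert, expected_issuer_org, suspicious_roots):
    """Human-readable indicators that the leaf certificate was re-signed locally."""
    indicators = []
    issuer_org = _rdn_value(peercert["issuer"], "organizationName")
    issuer_cn = _rdn_value(peercert["issuer"], "commonName")
    if issuer_org != expected_issuer_org:
        indicators.append(
            f"issuer '{issuer_org}' differs from expected '{expected_issuer_org}'")
    for root in suspicious_roots:
        if _rdn_value(root["subject"], "commonName") == issuer_cn:
            indicators.append(f"issuer matches unexpected local root '{issuer_cn}'")
    return indicators


def _fp(label):
    """Constructed stand-in for a SHA-256 certificate fingerprint."""
    return hashlib.sha256(label.encode()).hexdigest()


# Known-good baseline captured from a clean build (constructed).
BASELINE = {_fp("Public Root CA 1"), _fp("Public Root CA 2")}

# Root store as enumerated on an audited laptop (constructed); the third entry is
# the kind of vendor-added root the article describes.
LOCAL_STORE = [
    {"subject": ((("commonName", "Public Root CA 1"),),),
     "fingerprint": _fp("Public Root CA 1")},
    {"subject": ((("commonName", "Public Root CA 2"),),),
     "fingerprint": _fp("Public Root CA 2")},
    {"subject": ((("organizationName", "Example Ad Injector, Inc."),),
                 (("commonName", "Example Ad Injector"),)),
     "fingerprint": _fp("Example Ad Injector")},
]

# Leaf certificate the browser received for a shopping site while the
# interception proxy was active (constructed).
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Ad Injector, Inc."),),
               (("commonName", "Example Ad Injector"),)),
}

# The same site's certificate as seen from a clean host (constructed).
CLEAN_LEAF = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Public Root CA 1"),),
               (("commonName", "Public Root CA 1"),)),
}


def audit(local_store, baseline, peercert, expected_issuer_org="Public Root CA 1"):
    """Run both checks and return the list of indicators (empty means clean)."""
    extra = unexpected_roots(local_store, baseline)
    return interception_indicators(peercert, expected_issuer_org, extra)


if __name__ == "__main__":
    for name, leaf in (("intercepted", INTERCEPTED_LEAF), ("clean", CLEAN_LEAF)):
        print(name, audit(LOCAL_STORE, BASELINE, leaf))
```

On a real host the `LOCAL_STORE` list would come from the operating system’s root store and `INTERCEPTED_LEAF` from the browser’s or the `ssl` module’s view of a live connection; the logic is the same.  The second check matters because, as the article notes, the interception root’s private key was shipped on every laptop under one shared password, so a root that is merely “unexpected” on one machine is a signing key for every site on all of them.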

The FTC’s complaint alleged that Lenovo’s failure to disclose the fact that pre-installed software would act as a man-in-the-middle between consumers and all websites with which consumers communicated, and that the software would also collect and transmit consumers’ Internet browsing data to Superfish, was an unfair or deceptive act or practice.  The FTC also maintained that Lenovo had engaged in an unfair act or practice by failing to adequately assess (and then address) security risks created by the Superfish software Lenovo pre-loaded on consumer laptops.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The FTC’s subsequent commentary on the Lenovo settlement, together with past guidance provided by the FTC, offers several takeaways:

  • Be transparent.  Transparency is always the best policy when considering the privacy of consumers’ personal information.  Lenovo failed to adequately disclose to consumers (let alone get their consent) that a third-party would be able to intercept all of their online communications, or that man-in-the-middle software would transmit browsing data to a third party.  The FTC has made clear that businesses must clearly explain to consumers how their data will be used and provide an easy way for consumers to opt out of data use or collection practices involving their personal information.
  • Disclosures must be conspicuous and complete.  On the Lenovo laptops, a consumer did see a one-time pop-up window the first time the consumer visited a shopping website.  The pop-up window included the following message: “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop.”  Although the pop-up window did include a small opt-out link, it was not conspicuous and thus easy for consumers to miss.  If a consumer clicked anywhere on the screen, or on the “x” button to close the pop-up, the consumer was automatically opted in to the software.

The FTC found that this initial pop-up window did not adequately disclose that the pre-installed software would act as a man-in-the-middle between consumers and the websites they visited, and that consumers would have considered the collection and transmittal of their sensitive information through this software a material fact when deciding whether to opt in to the pre-installed software.  In addition, had a consumer clicked on the opt-out link, the consumer would have successfully opted out of receiving the pop-up ads, but the software would have continued to act as a man-in-the-middle, and thus would have continued to expose consumer information despite the election to opt out.  The FTC also noted that neither the End User License Agreement nor the Privacy Policy for the Superfish software included a disclosure regarding the collection and use of consumers’ sensitive information.

  • Undertake adequate due diligence and include security requirements in agreements.  Companies are ultimately responsible for their third-party vendors and are expected to ensure that service providers implement reasonable measures to address security risks.  As the FTC noted in its Stick with Security guide published in 2017, companies should take a “trust, but verify” approach to their service providers and undertake adequate due diligence to confirm that their service providers have sufficient security controls in place to maintain the security of sensitive data.  Companies should also include appropriate security requirements in their agreements with service providers.  The FTC may view a company’s failure to hold service providers to specific security requirements as a missed opportunity to take reasonable steps to safeguard customers’ data.
  • Verify compliance.  Although due diligence and contractual requirements with service providers are important components of a company’s data security policy, a company should also verify that its service providers are complying with contractual requirements.

As part of the settlement, Lenovo is prohibited from pre-installing similar software unless Lenovo (i) obtains a consumer’s affirmative, express consent, (ii) provides instructions as to how a consumer can revoke consent, and (iii) provides an option for consumers to opt out of, disable or remove the software or its offending features.  In addition, for the next twenty years, Lenovo must maintain a comprehensive software security program that is reasonably designed to address software security risks related to the development and management of new and existing application software, and to protect the security, confidentiality, and integrity of sensitive information.  Acting Chairman Ohlhausen noted that the Lenovo settlement sends a message that “everyone in the chain really needs to pay attention.”
