Lenovo hit with lawsuit over Superfish snafu (pcworld.com)
237 points by r721 on Feb 23, 2015 | hide | past | favorite | 92 comments



Plaintiff Bennett will find strong support for her "spyware" claim from the US-CERT security advisory over the Superfish / Lenovo / Komodia spyware. As that's precisely the language that the US Government advisory used:

https://www.us-cert.gov/ncas/alerts/TA15-051A

"Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. However, Superfish was reportedly bundled with other applications as early as 2010. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser."

(Emphasis added.)
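The advisory quoted above describes the two things a defender can look for on a Windows machine: a vendor root CA added to the trust store, and a root whose private key is available locally (which is what lets any site be spoofed). The script below is an added example, not code from the thread, Lenovo or Superfish; it enumerates the Windows root stores and reports certificates whose subject matches a constructed blocklist pattern or which carry a private key.

```powershell
# Added example (not from the thread or from Lenovo/Superfish): list root-store
# certificates that look like a local TLS interception CA.
# Assumption: the pattern list is a constructed placeholder; real deployments
# should match on thumbprints from a trusted advisory rather than on names alone.
$SuspectSubjectPatterns = @('*Superfish*')

function Find-SuspectRootCA {
    param([string[]]$Patterns = $SuspectSubjectPatterns)

    # Both machine-wide and per-user root stores can make a CA trusted.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
                'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $nameHit = $false
            foreach ($p in $Patterns) {
                if ($cert.Subject -like $p) { $nameHit = $true }
            }
            # A trusted root whose private key sits on the same machine can sign a
            # certificate for any hostname, so the browser shows no warning: this is
            # the failure mode the US-CERT advisory describes.
            $keyHit = $cert.HasPrivateKey

            if ($nameHit -or $keyHit) {
                $reason = if ($nameHit) { 'subject matches blocklist' } else { 'private key present in root store' }
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Issuer        = $cert.Issuer
                    Thumbprint    = $cert.Thumbprint
                    NotBefore     = $cert.NotBefore
                    HasPrivateKey = $keyHit
                    Reason        = $reason
                }
            }
        }
    }
}

# Run from an elevated prompt so the LocalMachine stores are readable.
Find-SuspectRootCA | Format-Table -AutoSize
```

Any hit should be confirmed against a published thumbprint before removal, since some enterprise proxies and endpoint products legitimately install their own root.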


As much as I dislike class action law-suit trolling - I'll make an exception when it comes to multi-billion dollar companies installing spyware as part of their bloatware add-ons, particularly when it injects MitM attacks on the browser's SSL links, particularly when it does so in a way that jeopardizes the data confidentiality/integrity of individuals trying to use that computer.

Ideally, the next time a laptop/desktop vendor is looking at the bloatware they are going to load onto a system, they'll do a cost-benefit analysis against the (potential) punitive damages associated with a lawsuit, and decide not to install the stuff.

I'm willing to pay the extra $0.65 for the laptop (or whatever tiny amount the vendors are paid to include this crud) in order to avoid that sort of exposure, I suspect most consumers (these days) are as well.


I don't see this suit as trolling.

There exists a large group of people who were sold a product which did not perform its primary function of "doing what its owner told it to do". It turns out that this was intentional on the part of the manufacturer. The nature of the problem is such that returning the product for a refund will not suffice, so the consumers should sue. The most effective way to handle a large body of plaintiffs against a single defendant is with a class action suit.

Lenovo will inevitably settle or go to trial and be found guilty, there is no other possible outcome. I personally hope that this erases their profits from Superfish, and quite a bit more for the flagrant and willful violation of consumer trust.


I think you may have misread the OP because your tone is one of disagreement while your content is a near-reiteration of his post.


I'm mainly responding to the first part: "As much as I dislike class action law-suit trolling", as in I don't like their methods but I like the results in this particular situation. I also don't see how I have simply re-iterated the same post, OP and I are looking at different angles of the same issue. Fundamentally I think we do agree: Lenovo did a shitty thing and should pay for it.

I simply don't think there is anything wrong with the method or the result here. This is exactly what a class action lawsuit is intended for, there's no trolling about it.


> I'm mainly responding to the first part: "As much as I dislike class action law-suit trolling"

Yeah I got that. My point was that first part was just setting himself up to explain why he thought this lawsuit was a good idea - which you were arguing as well. I.e. you're focusing on the wrong part of his post and thus arguing against his post while agreeing with the majority of it.

> "I also don't see how I have simply re-iterated the same post, OP and I are looking at different angles of the same issue. Fundamentally I think we do agree: Lenovo did a shitty thing and should pay for it."

Hence why I said "near-reiteration" rather than "simply reiterated". You still argued the same points and came to the same conclusion regardless of your differing starting point with regards to class action lawsuits.

> I simply don't think there is anything wrong with the method or the result here. This is exactly what a class action lawsuit is intended for, there's no trolling about it.

Again, nobody is suggesting otherwise. You're preaching to the converted. ;)


Yes - I understood where you were coming from. My original comment had a reference to patent trolling, which I felt just sidelined what I was trying to say. I completely agree with you - sometimes class action lawsuits are entirely appropriate - this is one of those cases.

We'll leave it for another discussion as to when patent lawsuits are appropriate.


> Ideally, the next time a laptop/desktop vendor is looking at the bloatware they are going to load onto a system, they'll do a cost-benefit analysis against the (potential) punitive damages associated with a lawsuit, and decide not to install the stuff.

Ideally they wouldn't do that cost-benefit analysis and just do the right moral thing to do.


Companies will tend to make better moral choices in a world where consumers have the time, resources (physical/practical, and reserves of willpower), and desire to dig deeply into all of the products and brands in their lives and make economic decisions based at least in part on the business practices they find there, day after day, with practically everything that they buy, not as the occasional rare half-assed boycott campaign that gets almost no buy-in.

So, not our world. Here a poor moral compass is a competitive advantage, most of the time. Go around choosing morals over cold hard cash and pretty soon a competitor without your hang-ups will replace you.


Proving damages will be a major hurdle in this case.

The LinkedIn data breach lawsuit, which pertained to the 2012 compromise of 6.5 million user passwords because the company didn't salt stored passwords, was dismissed because the plaintiffs couldn't prove any concrete damages from the password disclosures: https://nakedsecurity.sophos.com/2013/03/08/linkedin-lawsuit....

A related LinkedIn lawsuit, based on California consumer protection law, did go forward and end up settling, though for a very small sum. The theory in that case was that LinkedIn advertised that they used "industry standard security" in their privacy policy, and that people wouldn't have purchased Premium had they known that LinkedIn ignored industry-standard practices like salting their passwords. But only about 20,000 people actually read the privacy policy, meaning that damages were fairly nominal.

So are there any damages to support a class action lawsuit here? Did anyone in fact get their PCs compromised as a result of the pre-installed software? It seems like Windows Defender has been removing the software within a few days after the vulnerability was disclosed. Business users might have a stronger case based on their costs of having to remove the software and check that nothing was compromised as a result. But they probably didn't buy the consumer-grade Lenovos this was installed on in the first place.


Domestic users also have to spend effort to check that nothing was compromised by this malware. That is in fact quite hard, and people will spend a substantial amount of time on it.


Couldn't this be considered tortious misrepresentation? Then the "damages" would be the full value of each laptop purchased.


In the corresponding criminal case, as this is clearly in breach of 18 USC 1030 (eg a(2)(C), https://www.law.cornell.edu/uscode/text/18/1030#a) couldn't the court require reparations be made?

Presumably anyone with a computer with spyware can get their money back under consumer protection laws as a bare minimum?

USA law really can't consider that there should be no compensation if a company secretly MitM people's bank transactions as long as there is no provable financial damages, can it?

Cost of replacing the computer is an actual damage as is administration of that. Lenovo should also be liable for costs of having a financial audit (to make sure no breaches have followed the MitM of banking transactions) and cost of a full security audit of any computer equipment connected that might also be affected. Plus the cost of changing all passwords used on the computer. The need to get these done is actual damage, the payout should be predicated on costs that reasonably are incurred to recover from the tortious actions (that also means poor people don't get stiffed).

IMO punishment for this sort of contemptuous action by corporations should be of the order that threatens to shut down the company. Like the average of all profits from the past 5 years is taken and a fine is levied to that amount and paid in to the public purse. Each customer's purchases should be refunded in full and paid damages as above and paid compensation.

The FBI should be at Lenovo headquarters now taking copies of hard-drives so they can put the directors responsible in court to answer for this crime. AFAIK Superfish can be charged too under supply clauses of 18 USC 1030.

This wasn't an accident. It didn't require someone else to commit a crime to become a problem, LinkedIn were negligent but this action by Lenovo's directors was a wilful criminal act; it's nothing like the LinkedIn breach.

LinkedIn did the equivalent of leaving your details open in a file on their desk, but only using a Yale on the door so that someone was able to break in and get your details. Lenovo have done the equivalent of breaking in to your home, finding your files marked "private", copying them and then posting them in public so that everyone can get them. Sure criminals may not have read the details about your bank accounts or whatever but that making them available was OK.


Why is it called a snafu when a large international company installs malware into customers' devices, and a cyber attack if it's the Russian mafia? The mafia might also use stronger attacks than just installing adware, but adware is still one of the more common ways binaries are infected with malware.

It would be interesting to hear from an anti-virus company on how many resources are spent yearly on adware research.


And a first class ticket to the nearest prison for an individual.


And every affected computer would be a separate count, so that individual would be looking at a minimum sentence in the millions of years.


Because the Russian Mafia is an external party to the transaction, while the large international company is the one selling the computer in the first place. As unfortunate as it may be, it's accepted as normal these days that discount consumer laptops will come bundled with crap software that the computer manufacturer was paid to install. This particular piece of software crossed the line, but it's a difference in degree, not kind.


This might just be my view, but I don't think it has ever been accepted as normal. It's simply that the sticker price fails to represent the actual price of the product, a common practice throughout history. Once, it was common practice for handymen, construction firms, and automotive repair shops to hide additional costs in contracts. That practice went away quite fast as soon as consumer protection laws required that the cost was upfront and known to the customer. We can also see the exact same pattern with banking and travel, where hidden fees and surcharges were common practice everywhere until companies were forced to start informing customers.

If Lenovo laptops informed the customer prior to sale, then this would be a trade. They could have told the customer about the additional advertisement they would show on the sold device, how much they would earn, what private data they would transfer away from the device and sell. That to me is a difference in kind to what we have here, as I do not see an informed customer willingly accepting the adware deal. I would very much like to see the court judge if there has been a "fraud in the factum", that is, if there has been any "meeting of the minds" between the seller and the customer regarding this "discount consumer laptop".


I wouldn't. Modern judges have done a terrible job of keeping up with technology. It's as likely as not that the judge would rule something crazy like all EULAs are binding contracts and then we'd all be fucked.


That's the point where you take out the EULA from your pocket that says "This EULA applies when X is brought before any judge. If you intend to declare against X then you forfeit all goods, rights, chattels and possessions to X. By bringing X before you you are agreeing to release him without charge. By not destroying this EULA you accept its terms as binding on pain of death." ...

They'd still put you away, or whatever, you'd just then have confirmation that the rule of law doesn't apply in that jurisdiction.


And that's a satisfactory outcome for you?


Not at all. I'm entirely for the rule of law - EULAs are clearly wrong and should be held to be entirely unenforceable. IMO the suggestion that their unilateral terms are legal requirements should instead be met with a severe penalty, it's deception.


Until there is a serious reform of the courts, either by active effort or by sufficient replacement with younger judges, taking things to court is likely only going to bring about the opposite.


"situation normal": OEMs looking for a way to make a quick greasy buck.

"All fked up": self-explanatory.

Not "cyber-attack": despite conspiracy theories I've heard about the Chinese government, my belief is that the intent behind this debacle was the aforementioned quick greasy buck, not backdooring users' computers for subsequent criminal or military exploitation. It's the distinction between murder and manslaughter.


It is most likely a quick greasy buck, but I would guess that many entry level criminals start by infecting binaries with adware and then spread them through download sites. I would not be surprised if a significant portion of revenue for the Russian mafia does come from adware, just because it's so easy to do and has almost no risk associated with it.

This is why I suspect the police would call it a cyber-attack if they busted a ring that earned money this way. A computer security researcher might find a distinction between a trojan, a virus, and adware, which is why I wondered how many resources an anti-virus company spends on adware alone. That number would provide a good hint as to the seriousness of such malware.


The problem with this software is, sadly, not that it was adware at all, but that it was adware which contained a critical security flaw that compromised the computers Lenovo was selling.

If Lenovo had sold the machines with secure adware, there'd be no real problem.


I would expect even more aggressive approaches in nations with better privacy protections than the US. If systems affected by this were sold in Sweden or Germany or other places with relatively strong privacy laws I would not be surprised to see a criminal investigation.

I also wouldn't be unhappy to see such an approach. This is such a serious breach of trust that it really shouldn't be taken casually, lest other companies take it as consent to do the same (while fixing the glaring security bug, but keeping the basic premise of hijacking traffic for profit). If Lenovo doesn't go home thoroughly bloody from this fight (figuratively speaking), then they didn't get what they deserve, and it's likely we will be dealing with it again from them or another unscrupulous company in a few short months or years.

It wasn't so long ago that Sony did something similar. And Samsung, as far as I know, is still shipping TVs that silently spy on their owners. Not a reassuring trend.


> If systems affected by this were sold in Sweden or Germany or other places with relatively strong privacy laws

How is this a privacy issue? Was Lenovo collecting information about you? This is more a case of knowingly releasing software that was a security liability on an unacceptable level.

I think the real outcome will be the judicial environment available for the plaintiff. In a lot of eurozone countries, courts don't give out big punishing settlements like we do in the US and are, from my understanding, very, very big business friendly. If anything, the eurozone will be worse than the US if you want a punitive settlement. I know there's a lot of "herp-derp the US is a lawless nightmare of NSA spies" but the reality is that you have a better chance winning here than elsewhere. Look at the Sony rootkit scandal.

http://www.infoworld.com/article/2659436/security/sony-rootk...

California and Texas took Sony to task, not Brussels.


"Was Lenovo collecting information about you?"

Superfish was (well, not me specifically, but customers who bought infected laptops). In the first HN thread about this, someone posted a snippet of the JavaScript injected into every page by Superfish which contained user tracking and retargeting data being sent to Superfish, despite denial by Lenovo of doing exactly that.

"In a lot of eurozone countries, courts don't give out big punishing settlements like we do in the US and are, from my understanding, very, very big business friendly. If anything, the eurozone will be worse than the US if you want a punitive settlement."

That's disappointing. I'd always been led to believe the US was more friendly to corporations than most of western Europe. I am certainly no expert. I did a bunch of research in the past, when considering opening an encrypted mail service, and looked at various privacy discussions, and it seemed like Sweden and Germany were among the best western nations for individual privacy, but maybe that only applies to government spying. Guatemala was pretty solid on privacy, too, but it simply isn't large enough to take on Lenovo.

"California and Texas took Sony to task, not Brussels."

Good for California and Texas. I should go talk to my AG (I live in Austin, Texas), though I guess it'd be better coming from someone who was directly affected.


Why would this be an issue of privacy laws? It's more just a case of faulty merchandise.

The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS. That's like selling a car whose brakes don't work, not a privacy issue.


"The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS"

The thing is, the computers are capable of making those https connections. It's that they shipped with extra software on them that gets in the middle of those connections, undermining the security of the laptop in the process, to allow Lenovo and Superfish an extra revenue stream.

"That's like selling a car whose brakes don't work, not a privacy issue"

That's not how I see it. I think of it like a courier service. You're getting a letter from your bank that's sent through Lenovo Couriers Ltd (or any other courier service) that's sealed and private. Lenovo Couriers Ltd allow (and gain financially, presumably, from allowing) a third-party, who we'll call Superfish to get access to that letter. Superfish open it, read it and see if there's anything in the contents that could allow them to upsell a.n.other product to you. Then, they seal it all up again and deliver it to your door pretending to be from the bank. To me, that's a breach of privacy.

Not sure I agree with a lawsuit here though. I'd be happy to see AV firms rate all these types of applications as spyware / PUPs and get rid of them accordingly.


The computer is not capable of making a secure HTTPS connection. The connection can be decoded by anyone with the SuperFish key, which is the same for every computer loaded with SuperFish. So I would argue that, no, they are not capable of making HTTPS connections, because the entire S part is practically non-existent.


The problem with that analogy is one of choice. Your bank doesn't select what computer you use to interact with them, you do. You bought a Lenovo machine, and it was cheaper because it came with Superfish. Just like magazines are cheaper because they contain ads. It may not be a pleasant business model, but it isn't fundamentally wrong. You can, after all, pay a premium to get a crapware-free laptop from the Microsoft store. We can argue informed choice and more, but fundamentally there's no reason people shouldn't be able to buy laptops which monitor usage and provide contextual ads.

Instead of a bank-chosen courier, it's a little more like: you've chosen to have your interactions with your bank mediated through a valet service. They open your bank mail, help file it for you, and so on. You bought the service specifically so that it would help you ease your interactions with your bank, and obviously you trust the valet service to be professional and respect your privacy.

Now, imagine that valet service offers a discount if you allow them to, based on the content of your bank statements, occasionally share product recommendations for which they are compensated. You might be nervous about the arrangement, and you might choose not to buy it, but if the discount is good and the service still trustworthy, you might still consider it. It probably shouldn't be illegal for them to offer that service, certainly.

That's what Lenovo thought they were doing. Leveraging the trust in them which their customers place by buying a computer from them to transact their personal business, Lenovo partnered with an organization that allowed them to offer their computers more cheaply, in exchange for, in theory, relevant product recommendations.

It may be a bit sleazy, but it's not fundamentally wrong.

Now, what they screwed up on was how the organization they partnered with worked. Not with what they were supposed to do, but with the way in which they did it. They were sloppy, and they opened Lenovo's customers to enormous risks. That's on Lenovo.

It's as if the valet service employed a mail handler without adequately supervising how they did their work, and the mail handler, through sheer incompetence, was easily able to, while looking at your mail from your bank to see if it matched up with any paid recommendations, be confused into believing that letters from people other than your bank were from your bank - and then pass those on to you.

Note that neither the Lenovo valet service nor the incompetent mail handler are actually maliciously trying to harm you - they've just claimed to provide a trustworthy service which they have manifestly demonstrated they are unable to actually provide. But that doesn't mean they couldn't have provided the service securely if they had been more competent.


Your mail analogy is useful here, but I come to the opposite conclusion you do.

In the US, in order to accept mail for someone else, and open that mail, they would have to be your registered agent for that purpose. This requires a signed and notarized form (1583; "Application for Delivery of Mail by an Agent"). A contract won't actually enable that to happen legally.

So, your example of Lenovo having a click-through EULA for this breaks down if you want to compare it to mail handling in the US. If SSL communication were subject to the same protections as mail (as I think it should be, though computer privacy law is much messier and less well-defined at this point in history), what Lenovo is doing would be illegal even with a signed contract, and given that click-through EULAs are questionably binding in some jurisdictions, it becomes very shaky ground. Of course there is no legal form for being a registered agent for SSL communications, and that would complicate things like proxies at businesses (though the expectation of privacy while at work has been tested in court a few times and there are some reasonably stable expectations, and proxies are fine).

In short, I believe we're in a state of flux because none of this stuff has been tested in court and the legislature at various levels simply don't have the expertise to cope with the new landscape. But, while you're taking a pro-business libertarian approach, I'm taking a pro-individual civil libertarian approach. If the state has a legitimate purpose (and I'm not necessarily arguing that it does), it is to defend individuals from more powerful people and groups. Corporations and rogue state entities (including those in the US) are the "gangs" we currently have to contend with, and I think law should reflect that reality. A contract between entities with vastly different power to negotiate is less valid, in my eyes, than a contract between equals. i.e. a contract between a sharecropper and the land owner should probably be viewed with suspicion, as the land owner often holds vastly more power over the sharecropper than vice versa (for example, land owners had sheriffs in their employ, enabling the use of semi-legal force to impose their will).

This stuff is complicated, and I don't believe one can simplify it out of existence by saying, "The buyer of this laptop agreed to it, so it's on them." I'm pretty confident that Lenovo didn't advertise this "feature", so buyers would only find out after they'd bought it. And, I'm also confident (based on research) that almost nobody reads the EULA, and Lenovo were betting on that fact. They knew this was shady as fuck, and chose to do it anyway. 95% of their customers had no clue what was happening to them, because Lenovo and Superfish went to lengths to hide it from them.

"It may be a bit sleazy, but it's not fundamentally wrong."

I disagree.

"Note that neither the Lenovo valet service nor the incompetent mail handler are actually maliciously trying to harm you"

I disagree with this as well. Lenovo and Superfish are behaving with malicious intent, even without the gaping security flaw.

Unless they put it in clear wording on the packaging and the website and in the product description that this product is subsidized by user-tracking ads (as the Amazon Kindle offers two versions of their product, one with ads one without, at different prices), they are misleading consumers.


While this makes for good copy I find it difficult to believe anyone could prove actual harm from the installation. I am not a lawyer so I certainly may have missed a big chunk of commercial law but the only thing I could find was would be around incidental damages which no doubt are expressly disclaimed and agreed to by buyers of the gear (software always disclaims all warranties). So these plaintiffs would seem to have two very large hurdles, one to prove some actual damage, and two to prove some sort of liability even if there was damage.

When I first heard about Komodia it seemed pretty clear to me that anyone who employed their software was just asking for trouble. That advice about "Imagine this was on the front page of the NY Times" was pretty helpful.


From what I understand in individual "hacking" cases just circumventing the security and accessing data without copying/selling it would be enough to get someone in trouble.

It is at least nice to fantasize how large companies would be held to such "standards" as well.

In civil cases I also wonder if banks, governments or other large institutions would be able to file lawsuits as well, claiming perhaps that breaches that have occurred recently occurred because their clients/workers had been unknowingly running this Komodia software installed by Lenovo.


I wonder if the DMCA anti-circumvention provisions could be used?


Lenovo earns $600M/yr. Regardless of how small the damages are, the punitive damages if awarded would be in context of earnings, the severity of the situation, and what it would take to effectively punish them.


I'm wondering if charges of criminal negligence come into play (1) only for cases of physical harm (all the examples on Wikipedia are people dying but I don't see why that would be necessary) and (2) only if actual harm comes to pass. If not, some kind of negligence certainly seems plausible to me.


There's a lot in the Superfish / Lenovo / Komodia spyware which seems to violate Federal law in the US and the California Penal Code.

Specifically:

18 USC 1030

http://www.law.cornell.edu/uscode/text/18/1030

In part:

(a) Whoever ...

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer;

California's statute (applicable to Superfish) is CPC 502

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&gr...

The statute's verbose, but much of the following looks promising:

-------------------------------------

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(9) Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network.

-------------------------------------

I'd say the US and CA AGs should be reviewing relevant statutes and priming action.


Almost all of those have the phrase "and without permission", which I think is going to be one of the crucial points here. According to Lenovo, Superfish is not installed if the user doesn't accept its license agreement, so depending on what exactly that agreement says (I haven't seen it), showing a lack of permission might be difficult.

The "computer contaminant" clause is interesting, however, because it doesn't have that phrase.


Just because the computer industry loves to throw contracts of adhesion around doesn't make them legal. This kind of "gotcha" contract is the stuff of scams that hope to take advantage of the customer.

The customer paid money for a laptop, and that carries certain expectations, such as the laptop being safe to use. The customer may have agreed to some conditions, but it will be very hard to argue that there was a "meeting of the minds" with regards to the customer giving permission to disable some of the most important security features.


The computer industry throws around contracts of adhesion because they are legal.


There's also a reason why every contract has a severability clause. There are certain things you cannot legally do, even if you have a contract saying you can do them. This is pretty close to that border IMO, but such situations really come down to the judge.


Not all terms in all contracts are legal.

I'm also curious as to why individuals cannot simply toss contracts of adhesion back at vendors.

A standard for this, in which a standard reference format links to your terms, on an "included by reference" basis, stating what terms are and are not accepted, might create some interesting courtroom drama.


In the early days, damages were counted based on engineers' time to investigate, clean and fix the computer intrusion. Say the time to remove the adware cost 2hrs, 4hrs time spent to report a compromised credit card as a result of a MiTM connection and get a new one. If it's a work computer, add an additional 48hrs to handle the potential of compromised work documents and emails, then the damages count can go quite high. It depends on the specifics that the person arguing for damages provides to the court.

But to my knowledge, the laws around computer crime were mostly changed from civil to criminal in order to address the question of damages.


Unlikely to be relevant here, then. Any business customers would likely have been buying Thinkpads, which were unaffected, and using their own images, not the ones with Lenovo's bundled crapware.


Then there are employees who use their home laptops to connect to their secure enterprise email portal...


People have to remove the software and the certificate. That takes time, and costs money, and so bundling the software causes harm.
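As an added example (not from the thread, Lenovo or Superfish), a PowerShell check a defender could run to see whether a Superfish root certificate is still present in the Windows trusted root stores; it assumes the certificate's Subject or Issuer contains the string "Superfish" (the thumbprint is not given on this page) and only dry-runs the removal.

```powershell
# Added example: look for a Superfish CA in the trusted root stores.
# Assumption: the Subject/Issuer contains "Superfish"; adjust $pattern if needed.
$pattern = 'Superfish'
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$pattern*" -or $_.Issuer -like "*$pattern*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output "No root certificate matching '$pattern' found."
}
else {
    $found | Format-Table -AutoSize
    # Dry run: drop -WhatIf to actually delete. Removing the certificate alone does
    # not uninstall the interception software itself, and Firefox keeps its own store.
    foreach ($cert in $found) {
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -WhatIf
    }
}
```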


Cost of remediation is one


I don't think "snafu" quite cuts it. This is a fuckup of epic proportions. They screwed up quite badly by installing this crap and then made it worse by lying about it and pretending that it's not a security issue ...


This is the reason for which we have always done clean OS installs on any Windows machine we buy (mostly just laptops as every single desktop we have was self-built). It is unfortunate that the PC world hasn't shaken off this practice of adding crapware to store-bought machines.

Microsoft could bring this into the realm of the sensible by adding a clause in their licencing agreement that requires a clean install and allows a single popup that prompts the user for authorization to install various add-ons along with full disclosure of their intent and function. In other words, "Welcome to your new Windows N PC. Here's the crap you can choose to install and what it does." If the user selects "NO" everything is deleted and you get an absolutely clean OS install.

That would be fair. Give OEMs an opportunity to make some money and users the ability to purchase potentially useful stuff during first power-up. The point is to give users full control of the machine they just purchased and not be surprised with crapware they were not looking for.


I'm kind of surprised that superfish (and similar) products are legal.

I don't understand why someone would willingly install such software. The reasons the software makers list are deceptive.


My guess is this is settled quickly: a few million for the attorneys, a few thousand for the lead plaintiff, and either a coupon for each of the class members or nothing at all (cy pres).


Appellate courts have been cracking down on cy pres awards recently: http://www.forbes.com/sites/wlf/2014/11/26/seventh-circuit-c.... As the Seventh Circuit recently clarified in overturning an approved settlement, a cy pres award is only proper if it's impractical to find and compensate the class members directly. Here, there will be sales records to allow easy identification of affected purchasers.

That aside, a permanent injunction and a coupon would be a reasonable result here. Civil lawsuits aren't intended to punish people, they're intended to compensate people for their injuries. Who was actually harmed here?


Would there be huge problems caused by requiring something like a $10 (actual cash) minimum to settle on behalf of the class? Or some other modest amount, I'm not stuck on $10.

The problem I see is that the class lawyers and lead plaintiff have an incentive to settle regardless of the benefit to the rest of the class. I think I've actually gotten checks for less than $1.

I guess an easy one is that sometimes the harm comes from a service and scales based on how much the service was used, so some members might get a substantial claim at the same time others get $0.50. But those people probably aren't going to pursue anything, so I'm not sure how troublesome they are.


These types of class actions do consumers more harm than good. The exorbitant legal fees are ultimately reflected in prices.

If there's wrongdoing with extremely diffuse consequences, that's what the government with its GS scale attorneys is for.

Lawsuits, like email marketing, should be opt-in not opt-out.


> The exorbitant legal fees are ultimately reflected in prices.

Prices are set by supply and demand. If companies had the market power to raise prices to pass on the costs of defending class action lawsuits, they would do so with or without the lawsuit.


The supply curve reflects costs to producers. Increase the cost to all suppliers and you shift the equilibrium price to the right.


Class action lawsuits don't usually uniformly increase costs to all suppliers--some companies get sued less than others and have an incentive to keep it that way. The exception is industry-wide actions like tobacco.

The fundamental problem is that it's really easy to get away with cheating people out of nickels here and there so long as you limit your scale enough to not attract the government's attention, and such activity is pervasive. The European approach has been strict consumer regulations and government enforcement, but compliance also has a cost, one that does fall uniformly on the industry as opposed to just on bad actors. The alternative to all that is to let things slide, but that's not wholly satisfactory either.


I guess I don't see a problem with a tri-furcated system: 1) substantial damages per individual -- opt-in tort system, 2) diffuse damages that collectively add up to substantial wrongdoing -- government fines, 3) diffuse damages that don't collectively add up substantially enough to attract government attention -- reputational damage.


What's the practical difference between accomplishing (2) through government fines and accomplishing it through a class-action lawsuit?


Mid-career federal government lawyers in an expensive city make $130k a year. Class action attorneys generally get a significant fraction of the value of the settlement. And the value of the settlement is calculated in kind of a crazy way particularly when it comes to injunctive relief.

In the Google Buzz case, which resulted in no monetary relief to the class in general (representative plaintiffs were given a small award, the rest was cy pres), class plaintiffs were awarded over $2.1M plus expenses for 2550 billable hours* over the course of a calendar year.

*That's a little understated because the filing that number came from was near the end of the litigation, but not at the very end.


A class action that is settled quickly? Do they exist?


If it was inserting adverts into 3rd party websites I think those websites could sue Lenovo for stealing their advertising space, no?


This is a valid point. However, technically, nothing is changing on the third party site. Those sites are changed locally on the user's laptop. I don't think that's much different from something like AdBlock. I'm not sure there's much any third party site could do about this.


Terrible news for the brand! I really would like to think highly of Lenovo and their products, but sadly they let themselves down time and again. I am hesitant to recommend their non-ThinkPad models on the basis of their construction - and this just adds to that on a different level.


"The software plugs product recommendations into search results"

One of the most interesting parts of this whole debacle is that what the software does is so far removed from the description of the company's software.


A little off topic: Komodia (the company behind a part of the technology used for Superfish) is currently facing a DDOS (http://www.komodia.com/)


Or that is what they say. I don't expect they are facing a real DDOS, they are just facing so many embarrassing questions that it is convenient to call the flood a DDOS.


Not that I approve of this bandit behavior, but they could have injected ads using a browser extension without screwing with certificates, no?


If Microsoft had any residues of a spinal cord, they should react with a steep increase in license fees for Lenovo, otherwise it's setting a precedent that any vendor can mess with OS internals as they like.


Wouldn't this trigger antitrust craziness if framed as an increased license fee for their choice of pre-installed programs?


Fining vendors for which software they choose to bundle is a terrible precedent to set and a terrible idea in general. Firefox uses its own cert store too.


Let's hope the judge chooses the side of Lenovo. It would be devastating if windows/gnu/linux/apple gets sued every time they have a security flaw in a product.


There's a significant difference between Superfish, an intentionally installed application that deliberately mitigated security features in browsers to inject ads, and a security flaw that arose from poor design or a lack of good QA process. The latter are sloppy but ultimately an inevitable part of complex design; the former is an obnoxious lack of respect for your customer that deserves a serious penalty in damages and a complete reset of your brand's goodwill.

That said, I think there's an argument that customers being in a position to sue over security flaws might not be such a bad thing. It might push companies to make security and privacy important features rather than second-class add-ons.


Any argument you make will contradict itself, because you make it a subjective matter. So choosing superfish could be seen as a lack of good QA process.


....what? "windows/gnu/linux/apple" - what does any of these companies/products have to do with this? Lenovo put its customers at risk, if a judge sided with them it would be atrocious.


When were you last sold a machine with Linux and spyware pre-loaded?

Right, never.


Ubuntu


The difference between Lenovo's use of Superfish and Ubuntu providing anonymized search data to Amazon is night and day in terms of "spyware".

I don't like either, but Lenovo's actions were negligent to the point where they have exposed themselves to a justified lawsuit -- Ubuntu did not.


Which is why people shouldn't use Ubuntu and vendors shouldn't pre-install it.


You bought a machine with Ubuntu pre-loaded?


Does it look strange to you? Have seen this a lot these days, at least in the EU.


Not personally, but it's not like they're that hard to find.


Citation Needed. I live in the Bay Area, and cannot find an x86 laptop with desktop Linux preinstalled at Central Computers, Frys or Best Buy. Is System 76 what you mean, or ordering online from Dell for the XPS 13? Because that is not my definition of easy, certainly not compared to walking into a retail store.


Ordering something online is far easier than going to a retail store. I can drive for a few minutes to get to a Best Buy, look around to see if what I want is in stock, tell the salesperson who has been hounding me for the past 10 minutes that I'd like to buy it, wait in line at the register, then drive home or I can go online and be done with it in a few clicks.


Thinking mainly of System 76 and the dozens of other similar companies around the world. Sure not quite as easy as walking into a retail store, but on the other hand I don't know anybody who bought their (non-Apple) laptop at a retail store.


I see a lot of calls for punishing Lenovo over this. However, I'd like to see a few more facts established before getting out the pitchforks.

First, did Lenovo commission the writing of Superfish, or did Superfish approach Lenovo (or most likely their marketing dept) with a request to be included?

Do vendors normally perform a full security audit of programs they include? Is there an expectation that they would give closer scrutiny to smaller outfits vs. top tier software vendors?

Also, is the bulk of the outrage over this incident due to the fact that Superfish serves no purpose that is in the interest of the users (i.e., its whole reason for being is to spam users with advertisements)? In other words, let's say that instead of adware they had included a malware detector that used the same HTTPS-busting trick, yet was just as poorly designed (leaving the private key exposed) -- would there be just as much call for lawsuits and boycotts then?


> Do vendors normally perform a full security audit of programs they include? Is there an expectation that they would give closer scrutiny to smaller outfits vs. top tier software vendors?

OEMs absolutely should own up to responsibility for the crapware they load on their boxes. Saying "it wasn't built in-house" makes about as much sense as an automaker washing its hands of the airbags or other critical parts in the cars they build.

As for how deep of an audit, Komodia's own description of their product should have raised massive alarm bells. Anytime I see websites rewritten without my permission I get incredibly spooked, and that's when it's just HTTP over a network. Intercepting SSL/TLS is just not something any OEM should ever contemplate loading on a consumer machine. It's willful recklessness and engineering malpractice of the worst kind.


> First, did Lenovo commission the writing of Superfish, or did Superfish approach Lenovo (or most likely their marketing dept) with a request to be included?

Lenovo can go sue Superfish all they want to cover up their expenses. Let the court figure out who cheated whom in a three-way lawsuit.


I think the court case will answer all of these questions for you. Whether Lenovo is guilty or innocent here, it'd be great to establish a precedent to protect consumers from this type of thing.

