I would expect even more aggressive approaches in nations with better privacy protections than the US. If systems affected by this were sold in Sweden or Germany or other places with relatively strong privacy laws I would not be surprised to see a criminal investigation.
I also wouldn't be unhappy to see such an approach. This is such a serious breach of trust that it really shouldn't be taken casually, lest other companies take it as consent to do the same (while fixing the glaring security bug, but keeping the basic premise of hijacking traffic for profit). If Lenovo doesn't go home thoroughly bloody from this fight (figuratively speaking), then they didn't get what they deserve, and it's likely we will be dealing with it again from them or another unscrupulous company in a few short months or years.
It wasn't so long ago that Sony did something similar. And Samsung, as far as I know, is still shipping TVs that silently spy on their owners. Not a reassuring trend.
> If systems affected by this were sold in Sweden or Germany or other places with relatively strong privacy laws
How is this a privacy issue? Was Lenovo collecting information about you? This is more a case of knowingly releasing software that was a security liability on an unacceptable level.
I think the real outcome will be the judicial environment available for the plaintiff. In a lot of eurozone countries, courts don't give out big punishing settlements like we do in the US and are, from my understanding, very, very big business friendly. If anything, the eurozone will be worse than the US if you want a punitive settlement. I know there's a lot of "herp-derp the US is a lawless nightmare of NSA spies" but the reality is that you have a better chance winning here than elsewhere. Look at the Sony rootkit scandal.
Superfish was (well, not me specifically, but customers who bought infected laptops). In the first HN thread about this, someone posted a snippet of the JavaScript injected into every page by Superfish which contained user tracking and retargeting data being sent to Superfish, despite denial by Lenovo of doing exactly that.
"In a lot of eurozone countries, courts don't give out big punishing settlements like we do in the US and are, from my understanding, very, very big business friendly. If anything, the eurozone will be worse than the US if you want a punitive settlement."
That's disappointing. I'd always been led to believe the US was more friendly to corporations than most of western Europe. I am certainly no expert. I did a bunch of research in the past, when considering opening an encrypted mail service, and looked at various privacy discussions, and it seemed like Sweden and Germany were among the best western nations for individual privacy, but maybe that only applies to government spying. Guatemala was pretty solid on privacy, too, but it simply isn't large enough to take on Lenovo.
"California and Texas took Sony to task, not Brussels."
Good for California and Texas. I should go talk to my AG (I live in Austin, Texas), though I guess it'd be better coming from someone who was directly affected.
Why would this be an issue of privacy laws? It's more just a case of faulty merchandise.
The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS. That's like selling a car whose brakes don't work, not a privacy issue.
"The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS"
The thing is, the computers are capable of making those https connections. It's that they shipped with extra software on them that gets in the middle of those connections, undermining the security of the laptop in the process, to allow Lenovo and Superfish an extra revenue stream.
"That's like selling a car whose brakes don't work, not a privacy issue"
That's not how I see it. I think of it like a courier service. You're getting a letter from your bank that's sent through Lenovo Couriers Ltd (or any other courier service) that's sealed and private. Lenovo Couriers Ltd allow (and gain financially, presumably, from allowing) a third party, who we'll call Superfish, to get access to that letter. Superfish open it, read it and see if there's anything in the contents that could allow them to upsell a.n.other product to you. Then, they seal it all up again and deliver it to your door pretending to be from the bank. To me, that's a breach of privacy.
Not sure I agree with a lawsuit here though. I'd be happy to see AV firms rate all these types of applications as spyware / PUPs and get rid of them accordingly.
The computer is not capable of making a secure HTTPS connection. The connection can be decoded by anyone with the SuperFish key, which is the same for every computer loaded with SuperFish. So I would argue that, no, they are not capable of making HTTPS connections, because the entire S part is practically non-existent.
The problem with that analogy is one of choice. Your bank doesn't select what computer you use to interact with them, you do. You bought a Lenovo machine, and it was cheaper because it came with Superfish. Just like magazines are cheaper because they contain ads. It may not be a pleasant business model, but it isn't fundamentally wrong. You can, after all, pay a premium to get a crapware-free laptop from the Microsoft store. We can argue informed choice and more, but fundamentally there's no reason people shouldn't be able to buy laptops which monitor usage and provide contextual ads.
Instead of a bank-chosen courier, it's a little more like: you've chosen to have your interactions with your bank mediated through a valet service. They open your bank mail, help file it for you, and so on. You bought the service specifically so that it would help you ease your interactions with your bank, and obviously you trust the valet service to be professional and respect your privacy.
Now, imagine that valet service offers a discount if you allow them to, based on the content of your bank statements, occasionally share product recommendations for which they are compensated. You might be nervous about the arrangement, and you might choose not to buy it, but if the discount is good and the service still trustworthy, you might still consider it. It probably shouldn't be illegal for them to offer that service, certainly.
That's what Lenovo thought they were doing. Leveraging the trust in them which their customers place by buying a computer from them to transact their personal business, Lenovo partnered with an organization that allowed them to offer their computers more cheaply, in exchange for, in theory, relevant product recommendations.
It may be a bit sleazy, but it's not fundamentally wrong.
Now, what they screwed up on was how the organization they partnered with worked. Not with what they were supposed to do, but with the way in which they did it. They were sloppy, and they opened Lenovo's customers to enormous risks. That's on Lenovo.
It's as if the valet service employed a mail handler without adequately supervising how they did their work, and the mail handler, through sheer incompetence, was easily able to, while looking at your mail from your bank to see if it matched up with any paid recommendations, be confused into believing that letters from people other than your bank were from your bank - and then pass those on to you.
Note that neither the Lenovo valet service nor the incompetent mail handler are actually maliciously trying to harm you - they've just claimed to provide a trustworthy service which they have manifestly demonstrated they are unable to actually provide. But that doesn't mean they couldn't have provided the service securely if they had been more competent.
Your mail analogy is useful here, but I come to the opposite conclusion you do.
In the US, in order to accept mail for someone else, and open that mail, they would have to be your registered agent for that purpose. This requires a signed and notarized form (1583; "Application for Delivery of Mail by an Agent"). A contract won't actually enable that to happen legally.
So, your example of Lenovo having a click-through EULA for this breaks down if you want to compare it to mail handling in the US. If SSL communication were subject to the same protections as mail (as I think it should be, though computer privacy law is much messier and less well-defined at this point in history), what Lenovo is doing would be illegal even with a signed contract, and given that click-through EULAs are questionably binding in some jurisdictions, it becomes very shaky ground. Of course there is no legal form for being a registered agent for SSL communications, and that would complicate things like proxies at businesses (though the expectation of privacy while at work has been tested in court a few times and there are some reasonably stable expectations, and proxies are fine).
In short, I believe we're in a state of flux because none of this stuff has been tested in court and the legislature at various levels simply don't have the expertise to cope with the new landscape. But, while you're taking a pro-business libertarian approach, I'm taking a pro-individual civil libertarian approach. If the state has a legitimate purpose (and I'm not necessarily arguing that it does), it is to defend individuals from more powerful people and groups. Corporations and rogue state entities (including those in the US) are the "gangs" we currently have to contend with, and I think law should reflect that reality. A contract between entities with vastly different power to negotiate is less valid, in my eyes, than a contract between equals. i.e. a contract between a sharecropper and the land owner should probably be viewed with suspicion, as the land owner often holds vastly more power over the sharecropper than vice versa (for example, land owners had sheriffs in their employ, enabling the use of semi-legal force to impose their will).
This stuff is complicated, and I don't believe one can simplify it out of existence by saying, "The buyer of this laptop agreed to it, so it's on them." I'm pretty confident that Lenovo didn't advertise this "feature", so buyers would only find out after they'd bought it. And, I'm also confident (based on research) that almost nobody reads the EULA, and Lenovo were betting on that fact. They knew this was shady as fuck, and chose to do it anyway. 95% of their customers had no clue what was happening to them, because Lenovo and Superfish went to lengths to hide it from them.
"It may be a bit sleazy, but it's not fundamentally wrong."
I disagree.
"Note that neither the Lenovo valet service nor the incompetent mail handler are actually maliciously trying to harm you"
I disagree with this as well. Lenovo and Superfish are behaving with malicious intent, even without the gaping security flaw.
Unless they put it in clear wording on the packaging and the website and in the product description that this product is subsidized by user-tracking ads (as the Amazon Kindle offers two versions of their product, one with ads one without, at different prices), they are misleading consumers.