Why would this be an issue of privacy laws? It's more just a case of faulty merchandise.
The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS. That's like selling a car whose brakes don't work, not a privacy issue.
"The complaint is not that Lenovo shipped adware, it's that they shipped computers which were unable to make secure network connections over HTTPS"
The thing is, the computers are capable of making those https connections. It's that they shipped with extra software on them that gets in the middle of those connections, undermining the security of the laptop in the process, to allow Lenovo and Superfish an extra revenue stream.
"That's like selling a car whose brakes don't work, not a privacy issue"
That's not how I see it. I think of it like a courier service. You're getting a letter from your bank that's sent through Lenovo Couriers Ltd (or any other courier service) that's sealed and private. Lenovo Couriers Ltd allow (and gain financially, presumably, from allowing) a third-party, who we'll call Superfish to get access to that letter. Superfish open it, read it and see if there's anything in the contents that could allow them to upsell a.n.other product to you. Then, they seal it all up again and deliver it to your door pretending to be from the bank. To me, that's a breach of privacy.
Not sure I agree with a lawsuit here though. I'd be happy to see AV firms rate all these types of applications as spyware / PUPs and get rid of them accordingly.
The computer is not capable of making a secure HTTPS connection. The connection can be decoded by anyone with the SuperFish key, which is the same for every computer loaded with SuperFish. So I would argue that, no, they are not capable of making HTTPS connections, because the entire S part is practically non-existent.
The problem with that analogy is one of choice. Your bank doesn't select what computer you use to interact with them, you do. You bought a Lenovo machine, and it was cheaper because it came with Superfish. Just like magazines are cheaper because they contain ads. It may not be a pleasant business model, but it isn't fundamentally wrong. You can, after all, pay a premium to get a crapware-free laptop from the Microsoft store. We can argue informed choice and more, but fundamentally there's no reason people shouldn't be able to buy laptops which monitor usage and provide contextual ads.
Instead of a bank-chosen courier, it's a little more like: you've chosen to have your interactions with your bank mediated through a valet service. They open your bank mail, help file it for you, and so on. You bought the service specifically so that it would help you ease your interactions with your bank, and obviously you trust the valet service to be professional and respect your privacy.
Now, imagine that valet service offers a discount if you allow them to, based on the content of your bank statements, occasionally share product recommendations for which they are compensated. You might be nervous about the arrangement, and you might choose not to buy it, but if the discount is good and the service still trustworthy, you might still consider it. It probably shouldn't be illegal for them to offer that service, certainly.
That's what Lenovo thought they were doing. Leveraging the trust in them which their customers place by buying a computer from them to transact their personal business, Lenovo partnered with an organization that allowed them to offer their computers more cheaply, in exchange for, in theory, relevant product recommendations.
It may be a bit sleazy, but it's not fundamentally wrong.
Now, what they screwed up on was how the organization they partnered with worked. Not with what they were supposed to do, but with the way in which they did it. They were sloppy, and they opened Lenovo's customers to enormous risks. That's on Lenovo.
It's as if the valet service employed a mail handler without adequately supervising how they did their work, and the mail handler, through sheer incompetence, was easily able to, while looking at your mail from your bank to see if it matched up with any paid recommendations, be confused into believing that letters from people other than your bank were from your bank - and then pass those on to you.
Note that neither the Lenovo valet service nor the incompetent mail handler are actually maliciously trying to harm you - they've just claimed to provide a trustworthy service which they have manifestly demonstrated they are unable to actually provide. But that doesn't mean they couldn't have provided the service securely if they had been more competent.
Your mail analogy is useful here, but I come to the opposite conclusion you do.
In the US, in order to accept mail for someone else, and open that mail, they would have to be your registered agent for that purpose. This requires a signed and notarized form (1583; "Application for Delivery of Mail by an Agent"). A contract won't actually enable that to happen legally.
So, your example of Lenovo having a click-through EULA for this breaks down if you want to compare it to mail handling in the US. If SSL communication were subject to the same protections as mail (as I think it should be, though computer privacy law is much messier and less well-defined at this point in history), what Lenovo is doing would be illegal even with a signed contract, and given that click-through EULAs are questionably binding in some jurisdictions, it becomes very shaky ground. Of course there is no legal form for being a registered agent for SSL communications, and that would complicate things like proxies at businesses (though the expectation of privacy while at work has been tested in court a few times and there are some reasonably stable expectations, and proxies are fine).
In short, I believe we're in a state of flux because none of this stuff has been tested in court and the legislature at various levels simply doesn't have the expertise to cope with the new landscape. But, while you're taking a pro-business libertarian approach, I'm taking a pro-individual civil libertarian approach. If the state has a legitimate purpose (and I'm not necessarily arguing that it does), it is to defend individuals from more powerful people and groups. Corporations and rogue state entities (including those in the US) are the "gangs" we currently have to contend with, and I think law should reflect that reality. A contract between entities with vastly different power to negotiate is less valid, in my eyes, than a contract between equals. I.e. a contract between a sharecropper and the land owner should probably be viewed with suspicion, as the land owner often holds vastly more power over the sharecropper than vice versa (for example, land owners had sheriffs in their employ, enabling the use of semi-legal force to impose their will).
This stuff is complicated, and I don't believe one can simplify it out of existence by saying, "The buyer of this laptop agreed to it, so it's on them." I'm pretty confident that Lenovo didn't advertise this "feature", so buyers would only find out after they'd bought it. And, I'm also confident (based on research) that almost nobody reads the EULA, and Lenovo were betting on that fact. They knew this was shady as fuck, and chose to do it anyway. 95% of their customers had no clue what was happening to them, because Lenovo and Superfish went to lengths to hide it from them.
"It may be a bit sleazy, but it's not fundamentally wrong."
I disagree.
"Note that neither the Lenovo valet service or the incompetent mail handler are actually maliciously trying to harm you"
I disagree with this as well. Lenovo and Superfish are behaving with malicious intent, even without the gaping security flaw.
Unless they put it in clear wording on the packaging and the website and in the product description that this product is subsidized by user-tracking ads (as the Amazon Kindle offers two versions of their product, one with ads one without, at different prices), they are misleading consumers.