Preloaded Adware That Risked User Data Costs Lenovo $3.5 Million

King & Spalding

Last week, Lenovo Inc. agreed to pay $3.5 million to settle allegations that it installed monitoring and advertising software on its laptops. The lawsuit was brought by the Federal Trade Commission (“FTC”) and 32 state Attorneys General, who alleged that Lenovo, a Chinese computer hardware manufacturer, sold laptops with security vulnerabilities that risked consumers’ personal information. The $3.5 million settlement will go to the 32 states. Lenovo will also have to improve the disclosures and security of its preloaded software.

Consumers who bought a Lenovo laptop between August 2014 and June 2015 received a pre-installed adware program by Superfish called VisualDiscovery. In addition to overlaying related ads on shopping websites, the program collected and transmitted users' browsing information to Superfish. According to the FTC and state AGs, the software acted as a “man-in-the-middle” between consumers and secure websites, allowing VisualDiscovery to see any personal information transmitted by a user and creating additional security vulnerabilities. In early 2015, Lenovo stopped preloading the software and reached out to Superfish to disable the function of the preloaded product. Lenovo has stated that it is not aware of any actual instances of a third party exploiting any security vulnerabilities to date. The settlement has not yet been approved by the court, and is open for public comment until October 5, 2017.

While FTC Commissioners Maureen K. Ohlhausen and Terrell McSweeny agreed that Superfish failed to disclose VisualDiscovery’s man-in-the-middle functionality and related security vulnerabilities, the Commissioners disagreed on whether Superfish’s injection of ads into shopping websites and slowing of web browsing qualified as a deceptive omission. When the VisualDiscovery software announced itself with a one-time pop-up window stating it would help users “discover visually similar products and best prices,” it did not disclose that it would slow web browsing or compromise security. Furthermore, closing the window operated as an opt-in. Commissioner McSweeny argued that this constituted a deceptive omission, because browsing speed is essential to consumers’ ordinary fundamental expectations of a computer. Acting Chairman Ohlhausen ultimately disagreed, however, noting that consumers would reasonably expect adware to affect their web browsing and be intrusive. Acting Chairman Ohlhausen cautioned against the overbroad application of the FTC’s authority to challenge companies under a “failure to disclose” theory, although she noted that Lenovo’s disclosure “could have been better.” In addition to encouraging companies to be transparent when disclosing their privacy practices to consumers, the FTC noted that companies should be wary of modifying existing security protocols and should carefully evaluate security risks posed by third-party software vendors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
