FTC finalizes settlement with Lenovo over SuperFish malware

The settlement between Lenovo and the American regulator FTC is final. The computer manufacturer must, among other things, have security checks performed for twenty years on software that is bundled with laptops.

The FTC has given its final approval to the settlement. The terms of the settlement were agreed in September last year, after which individuals had thirty days to submit a response. The FTC received and published ten responses to the settlement proposal. The responses, in which users ask, among other things, whether their laptop has been affected or how they can get their money back, did not change the outcome.

Under the settlement, Lenovo must make it clear to buyers of laptops when software is included that collects data or displays advertisements. Lenovo may no longer install such software without the express consent of the user. In addition, the manufacturer must have security audits performed on the software it supplies, and those audits must be performed by a third party.

When the settlement was announced, it turned out that the SuperFish malware was on about 750,000 laptops. At the time, Inverse wrote that the FTC cannot fine Lenovo, but that the attorneys general of 32 states have fined it, and that the company must pay a total of $3.5 million as a result. For any future violation of the agreed settlement, Lenovo must pay a fine of $40,654.

The US regulator FTC and 32 states sued Lenovo over the malware, which came to light in 2015. The SuperFish adware was found to hijack SSL traffic using an SSL certificate whose private key could be retrieved. This meant that a man-in-the-middle attack could give access even to HTTPS traffic. The FTC agrees that this posed a real risk to users of laptops that contained the software.