Lenovo’s Unsecure Adware On Consumer PCs Prompts Class Action Lawsuits

King & Spalding

Security experts recently discovered that about 50 different consumer PC models sold by Lenovo since September 2014 were shipped with adware known as Superfish Visual Discovery that could be exploited by hackers to spoof secure websites with fake certificates.  The discovery has prompted a number of class action lawsuits alleging violations of state and federal laws.

According to an Alert issued by the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (“US-CERT”), Superfish is designed to monitor all web traffic for advertising purposes.  In order to read encrypted communications that use HTTPS (such as bank and email websites), Superfish decrypts the traffic and then re-encrypts it with its own certificate.  But since the certificate’s private key is stored locally in the Superfish software, hackers have access to the key and can use it to spoof secure websites.  Web browsers will not detect that websites are spoofed because the Superfish certificate is trusted by every computer that has the adware installed. 

On February 19, a Lenovo press release announced that it was disabling the backend server for Superfish, and it issued a Security Advisory to assist consumers in removing the adware.  Some media outlets are already reporting on surveys that reflect damage to Lenovo’s brand image.

Within hours of the Lenovo press release, the first class action suit was filed in California federal court, accusing Lenovo and Superfish of violating state and federal wiretap laws, trespassing on personal property and violating California’s unfair competition law.  See Bennett v. Lenovo (U.S.), Inc., et al., 15-cv-0368-CAB-RBB (S.D. Cal.).  Subsequent class action suits filed in California allege violations of the Computer Fraud and Abuse Act, the Stored Communications Act and the Electronic Communications Privacy Act, as well as common law fraud, unjust enrichment and negligent misrepresentation.  See Sterling International Consulting Group v. Lenovo (U.S.) Inc. et al., 5:15-cv-00807-RMW (N.D. Cal.); Hunter v. Lenovo (U.S.) Inc. et al., 5:15-cv-00819-NC (N.D. Cal.).  A fourth class action has been filed in North Carolina, alleging violations of federal wiretap laws and state unfair and deceptive practice statutes.  See Pick v. Lenovo (U.S.) Inc. et al., 5:15-cv-00068-D (E.D.N.C.).

Many questions remain, including what the motivation was for pre-installing Superfish on consumer PCs and whether Lenovo was (or should have been) aware of how the software functioned.  It is also unclear if any hackers have, in fact, exploited the software to spoof secure websites.  These issues may have a bearing on whether the plaintiffs’ causes of action can be sustained, especially with respect to issues of standing and alleged harm.

Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
