Lenovo agreed to settle charges with the Federal Trade Commission and a coalition of 32 states for giving customers preloaded "man-in-the-middle" software that pushed ads at the cost of security, the FTC announced Tuesday. As part of the agreement, Lenovo is required to implement a comprehensive software security program subject to third-party audits for 20 years. The company must also get customer permission before preinstalling such software and is forbidden from misrepresenting the contents of preloaded products. Lenovo must also pay $3.5 million to the state coalition, according to an announcement from the office of the Attorney General in New Jersey.
The FTC highlighted Lenovo’s case as a learning experience for other companies to remain transparent when handling consumers’ personal information, to oversee software vendors and to carefully weigh risks of security feature modification, as reported in an FTC blog post.
In a statement, Lenovo noted that the preloaded Visual Discovery software was removed in early 2015, shortly after it was unearthed in late 2014. The company has since put in place measures to limit preloaded software and reviews security and privacy policies.
In the past, Lenovo’s claim to fame was its dominance in the computer manufacturing industry, but with the PC market in decline, Lenovo is expanding its reach into new markets, such as data center infrastructure, AI and high-performance computing, hyperscale systems and other data center services.
Legally settling a PC issue that arose nearly three years ago, and one that Lenovo fixed nearly two years ago, is significant. The debate over handling customer privacy and personal information has raged on for years and shows no signs of letting up.
Other companies have recently felt their fair share of FTC enforcement. In August, Uber settled its second FTC dispute after failing to adequately protect consumer data. Earlier this year, the FTC filed a complaint against an IoT manufacturer for likewise failing to put in place security measures to protect customer privacy.
Lenovo’s new legal commitments under the settlement are important for judicial purposes, but the company already dealt with the Visual Discovery software in 2015 and instituted long-term policies to improve security. Lenovo and Uber have both pledged to make the FTC-issued improvements, but the reality is companies often deal with the problems on their own long before regulatory bodies can hand down a sentence.
As the de facto watchdog of businesses’ data security practices, the FTC must set regulatory precedents for customer protections in modern tech, especially with so many companies in the cloud. Given the years-long lag between an incident occurring and a settlement being decided, agency regulations often struggle to keep pace with modern technologies.