Lenovo chooses ad revenue over customer security by preloading adware (updated with response from Lenovo)

Joseph Finney

Lenovo chooses ad revenue over customer security by preloading adware

Hardware manufacturers constantly find new ways to cut corners in order to gain more profits. Pre-installed programs, commonly referred to as bloatware, provide an extra revenue stream to PC makers to gain more than the traditionally razor thin margins of PC OEMs. Recently Lenovo has gone a step farther and preloaded software which can inject ads into websites such as Google search results. While this is annoying and scummy for Lenovo to do, the software called Superfish also installs its own self signed security certificates which it can use to view secure content such as banking or healthcare websites visited by users.

Ruining good computers with bloatware has been a tried and true practice of PC and Android hardware makers, and users have always been bearing the burden of greedy executives. This new threat is different, and should worry Lenovo owners because this new behavior is evidence of a degrading moral compass among hardware makers. Lenovo is the biggest PC maker in the world, they own Motorola mobility, and recently purchased IBM’s server division, so they are without doubt one of the biggest forces in the technology world today. With such large volumes of PC shipments Lenovo chooses to sell their customers security to Superfish for a few more dollars per sale.

An example of the Superfish security certificate

Users of existing Lenovo products should research how to remove this software as soon as possible, and new owners of Lenovo products should hopefully have the software removed thanks to user complaints. Superfish seems to be able to inject ads into most websites, but the bogus security certificates only affect users of Chrome and IE. Firefox is safe from Superfish’s Man-In-The-Middle attack because Firefox operates their own certificate store. When setting up the laptop users are asked to agree to a user agreement, however there are several EULAs to sign when starting a computer for the first time it is unreasonable to expect users to sift through each one to find how their secure information can be stolen. Users have a reasonable expectation that if they buy a new computer from a reputable company and use default programs their data and information should be reasonably secure.

In the end companies like Microsoft will suffer because consumers will fear PC makers selling them out. This stupid move by Lenovo won’t create a massive exodus to Macintosh, but it simply reinforces the idea that Windows computers are cheap and not secure. Microsoft and Intel began a campaign to make great laptops with Ultrabooks, and Microsoft even entered the hardware game with Surface because device makers were slacking. So what does the largest PC maker do to help the image of the PC, they pre-install adware. Hopefully consumers will be wise and start buying signature PCs from Microsoft which have been wiped clean of scummy software, but in the mean time Microsoft needs to confront Lenovo about their sketchy revenue streams attached to Windows.

Update:  Lenovo has responded to the complaints, saying that Superfish was only installed on computers in a short window late last year, that Superfish has been disabled server-side since January, and that it’s no longer being pre-installed.  From their press release:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.  But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.  We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.