Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it’s been something of an open question whether creating a major security or privacy vulnerability is illegal. For the most part, courts have ruled that without actual proven harm, it’s difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you merely introduce a massive security risk, without it directly being abused (in a way that people know about), a company’s liability is fairly limited. Obviously, that could change quickly if there were an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach, just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we’ve been discussing for the past few days.

The folks over at CDT, however, have a very good discussion of whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider Gogo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, the broad rule under which the FTC “protects consumers.” The rule basically says companies cannot do things that are “deceptive” or “unfair,” but the definitions of both of those words matter quite a bit.

Here’s the exploration of whether this kind of man-in-the-middle attack is “deceptive”:

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.” It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission; that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice. For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices. Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption, but that’s not what happened here.

What about the question of “unfair”? Apparently, the FTC prefers to use “unfair” rather than “deceptive” in the cases it brings, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria; it must:

  1. Cause significant consumer harm,
  2. Not be reasonably avoidable by consumers, and
  3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests, using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns (it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network), but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked through legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics, or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access, a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising. It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.
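The harm CDT describes above comes from a trust anchor that every affected laptop accepted and whose private key shipped on every one of them. The following PowerShell audit is an added example (not from the article, CDT, Lenovo or Superfish) of the defender's check that follows from that: list the roots the Windows trust stores hold that are not in a baseline exported from a clean install, that carry a private key on the endpoint, or whose subject matches a name on a watch list. The baseline path and the name list are assumptions for illustration.

```powershell
# Added example, not from the original article: audit the Windows trusted-root
# stores for roots that a clean machine would not have. A root pre-installed on
# every device, with its private key also on every device, is the failure mode
# the page describes, because anyone holding that key can mint certificates
# every such device accepts for any site.
# Assumptions: $BaselinePath holds one SHA-1 thumbprint per line, exported from
# a known-clean install of the same image; $SuspectNames is illustrative.
param(
    [string]$BaselinePath = "C:\audit\clean-root-thumbprints.txt",
    [string[]]$SuspectNames = @("Superfish", "Komodia")
)

# Load the clean baseline into a lookup table keyed by upper-case thumbprint.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
}

$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")
$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        if ($baseline.Count -gt 0 -and -not $baseline.ContainsKey($cert.Thumbprint.ToUpper())) {
            $reasons += "not in clean baseline"
        }
        if ($cert.HasPrivateKey) {
            # A trust anchor whose private key is present on the endpoint lets
            # anything running here sign certificates this machine will trust.
            $reasons += "private key present on this machine"
        }
        foreach ($name in $SuspectNames) {
            if ($cert.Subject -like "*$name*") { $reasons += "subject matches '$name'" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join "; ")
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No unexpected trusted roots found." }
```

Run it in an elevated session so the LocalMachine store is fully readable; without a baseline file only the private-key and name checks apply.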

But there’s a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo’s initial reaction wasn’t great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it’s not necessary to go after the company. Of course, it may feel differently about Superfish itself — since that company still denies there’s any problem and basically refuses to admit its role in this whole mess. It’s still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up — even as Lenovo has clearly said otherwise.

Companies: komodia, lenovo, superfish


Comments on “Did Lenovo/Superfish Break The Law?”

26 Comments
Vidiot (profile) says:

No big deal for FTC; elsewhere, Federal offense

Let’s try that “unfair” test against someone standing outside my door, opening and reading my credit card statements.

First test – If they don’t use my credit card number to buy anything, I guess the FTC says, no harm, no foul, right? That can’t be right.

Second test – How can I reasonably avoid an intruder tearing sealed letters open?

Third test – Hard to imagine “countervailing benefits” for violating my privacy and security, unless they see all those charges for sex toys, and give me 20% discount coupons for Clorox Sex Toy Wipes.

No, it doesn’t play any better for old-school (postal) data communications than for HTML/SSL… except for one thing: It’s a federal offense to even touch someone else’s mail, likely for the same security and privacy reasons.

John Fenderson (profile) says:

Re: No big deal for FTC; elsewhere, Federal offense

The countervailing benefit, obviously, is that the snooper reading your mail for you gets to learn information about you that allows them to select advertising that is “more relevant” to your interests.

Clearly, having him recite an ad to you after reading your mail is a real benefit for you! At least, that’s the “logic” that so many nefarious advertising agencies follow.

Anonymous Coward says:

Re: No big deal for FTC; elsewhere, Federal offense

“It’s a federal offense to even touch someone else’s mail, likely for the same security and privacy reasons.”

A “right” that can be signed away.

For instance, the Scientology cult makes staff members sign a contract granting permission for the cult to tap their phones, open their mail, and even hold them prisoner for “spiritual treatment” or whatever they call it, cutting off all their access to the outside world until they “graduate” from the program … which can take years.

Anonymous Coward says:

Re: Obviously not

It wasn’t spelled out in the T&C, as Lenovo didn’t even realize what Superfish was really up to. Serving up ads was in the T&C, but forging your encryption certificates was something Lenovo was unaware of (which of course means they didn’t do due diligence).

And for that matter, Superfish may not even have been fully aware of what was being done, as it was being done by the Komodia SDK they used to produce the software. Crazy that nobody thought to check HOW Komodia was intercepting SSL traffic.

Anonymous Coward says:

I’m going to assume that no laws were broken because their EULA gives them permission to do all the nasty things they do — and probably much more. Perhaps the EULA allows them to do anything they want without even explicitly saying so.

Most people don’t even bother reading EULAs; those who do and refuse to agree to their outrageous terms are free to send their computer back for a refund — minus a 20% restocking fee and shipping costs both ways.

Anonymous Coward says:

Re: Re: Re:

I’ve never seen a EULA that flat-out said “no refunds.” (period). These things are written by lawyers who always leave a way out — even if it exists only on paper.

I’ve bought software that said if I didn’t agree to the EULA (or whatever other reason) I should take it back to the retail store for a refund. I tried that, but the store would not give refunds if the box was opened, saying it had to be sent to the manufacturer (which pointed me right back to the store).

That was the day I became a software pirate. (I learned years later that the software did indeed work, but the printer driver installed on my PC made it malfunction.)

John Fenderson (profile) says:

Re: Re: Re: Re:

“I tried that, but the store would not give refunds if the box was opened, saying it had to be sent to the manufacturer”

This is actually the very thing that small claims court was intended for. If this happens to you again, you should try that. It’s cheap and easy, and requires no lawyers. On the downside, all you’d get would be a judgement in your favor, which amounts to a legal debt to you. It’d still be up to you to collect that debt (but with most companies, this isn’t really a problem.)

Anonymous Coward says:

Re: Re: Re:2 Re:

“This is actually the very thing that small claims court was intended for.”

I don’t think so, unless it’s a large sum of money or a purely symbolic victory you’re after. When you add up the cost of taking several trips downtown, scheduling time off work, waiting in lines, etc., will all that really be worth the $20 or $30 you hope to get back?

TasMot (profile) says:

and then there is HIPAA

Since Superfish intercepted ALL communications that the computers’ users thought were safely encrypted via SSL (as indicated by the green lock on the browser, as users were taught to watch), Superfish could be intercepting Personally Protected Information (PII) that is protected by HIPAA, and that protection can’t be overridden by a EULA. All they need to do is show that someone was accessing health information or Medicaid information on their computer that was being surreptitiously intercepted and looked at by Superfish to show that they were actively violating HIPAA.

Anonymous Coward says:

Re: Lenovo Superfish

Lenovo did not steal people’s bank information. Not even close. What they did do was make online banking less secure but Lenovo itself never copied/viewed anything that anyone did on their computers.

Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.

Be careful what you ask for, you might find yourself in jail after making a bad decision about technology you barely understand.

ltlw0lf (profile) says:

Re: Re: Lenovo Superfish

Lenovo did not steal people’s bank information. Not even close. What they did do was make online banking less secure but Lenovo itself never copied/viewed anything that anyone did on their computers.

This. Lenovo’s crime here is getting greedy (in that they were paid by Superfish to install software that did bad stuff they weren’t aware of.) And unlike Superfish/Komodia, they eventually decided to change their business model.

Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.

The intelligence agencies have, allegedly, actively done far more to make banking less secure, as well as computing less secure, in the last couple decades. Microsoft just sucks at programming, and is extremely slow at fixing stuff reported to them. Not defending Microsoft for their stupidity, but so long as computers are programmed by humans, we will continue to have these problems.

Mason Wheeler (profile) says:

But there’s a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo’s initial reaction wasn’t great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then.

It changed its tune within less than 48 hours after getting caught and being publicly tarred and feathered in the media over it. But how long did this continue happening, unnoticed, before then?

No, that’s really not a good metric. If someone has to be exposed as doing something nefarious before they apologize, it really doesn’t matter how quickly they apologize after being exposed, since it’s reasonable to assume, extrapolating from past behavior, that had they not been exposed, they would never have apologized.

Anonymous Coward says:

Illegal when a consumer does it, but not a company?

We’ve seen articles here before about people being threatened with jail time for:
1) Changing your own MAC address
2) Trying URLs in your browser that aren’t linked to from Google
What else? I know there are others. Perhaps adding an entry to your hosts file? Editing your Windows registry?

Somehow, when a consumer does something that any computer savvy person or junior systems administrator may do on a daily basis, something that anyone with know-how understands is employing a basic technology in a way it is meant to work but that everyone else doesn’t understand, it is hugely suspect and potentially illegal enough to send you to prison for decades.

But when a large company does something these same computer savvy people say is egregious, and probably illegal, where is the federal prosecutor?
