Did Lenovo/Superfish Break The Law?

from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question whether creating a major security or privacy vulnerability is illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for a civil lawsuit. In practical terms, this has meant that if you merely introduce a massive security risk, without it being directly abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there were an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach, just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion of whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider Gogo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which sets out the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matter quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.” It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice. For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices. Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" rather than "deceptive" in the cases it brings, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

  1. Cause significant consumer harm,
  2. Not be reasonably avoidable by consumers, and
  3. Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked though legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising. It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.
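To make concrete why the "same decryption key across all devices" point above is the whole problem, here is an added example in Go (constructed for this page, not code from the article, CDT, Superfish or Komodia). It builds a self-signed interception root with a placeholder name, mints a certificate for an arbitrary hostname the way an interception proxy does on every connection, and then asks the client-side verification the same question a browser does: the minted certificate is accepted only while that root sits in the trust store, and is rejected the moment the root is removed, which is exactly the remediation Lenovo's cleanup amounted to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's private key and parses the result.
// Passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// NewSharedRoot models the root the adware placed in every machine's trust
// store, all of them backed by one private key. The subject is a constructed
// placeholder, not the real certificate's name.
func NewSharedRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// MintLeaf is what the interception proxy does per connection: a fresh
// certificate for whatever host the browser asked for. Anyone holding rootKey
// (which, being shared, was recovered within days) can do the same.
func MintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, root, &mustKey().PublicKey, rootKey)
}

// BrowserAccepts is the client-side decision: does leaf chain to a root in
// the trust store, for the host that was requested?
func BrowserAccepts(leaf *x509.Certificate, host string, trustStore *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err == nil
}

func main() {
	root, key := NewSharedRoot()
	leaf := MintLeaf(root, key, "bank.example")
	poisoned := x509.NewCertPool() // a trust store with the shared root installed
	poisoned.AddCert(root)
	fmt.Println("shared root installed:", BrowserAccepts(leaf, "bank.example", poisoned))
	fmt.Println("shared root removed:  ", BrowserAccepts(leaf, "bank.example", x509.NewCertPool()))
}
```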

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess suggests that the FTC may not. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.

Reader Comments

  • Vidiot (profile), 27 Feb 2015 @ 7:17am

    No big deal for FTC; elsewhere, Federal offense

    Let's try that "unfair" test against someone standing outside my door, opening and reading my credit card statements.

    First test - If they don't use my credit card number to buy anything, I guess the FTC says, no harm, no foul, right? That can't be right.

    Second test - How can I reasonably avoid an intruder tearing sealed letters open?

    Third test - Hard to imagine "countervailing benefits" for violating my privacy and security, unless they see all those charges for sex toys, and give me 20% discount coupons for Clorox Sex Toy Wipes.

    No, it doesn't play any better for old-school (postal) data communications than for HTML/SSL... except for one thing: It's a federal offense to even touch someone else's mail, likely for the same security and privacy reasons.


    • John Fenderson (profile), 27 Feb 2015 @ 8:31am

      Re: No big deal for FTC; elsewhere, Federal offense

      The countervailing benefit, obviously, is that the snooper reading your mail for you gets to learn information about you that allows them to select advertising that is "more relevant" to your interests.

      Clearly, having him recite an ad to you after reading your mail is a real benefit for you! At least, that's the "logic" that so many nefarious advertising agencies follow.


    • Anonymous Coward, 27 Feb 2015 @ 8:50am

      Re: No big deal for FTC; elsewhere, Federal offense

      "It's a federal offense to even touch someone else's mail, likely for the same security and privacy reasons."

      A "right" that can be signed away.

      For instance, the Scientology cult makes staff members sign a contract granting permission for the cult to tap their phones, open their mail, and even hold them prisoner for "spiritual treatment" or whatever they call it, cutting off all their access to the outside world until they "graduate" from the program ... which can take years.


  • Coyne Tibbets (profile), 27 Feb 2015 @ 8:32am

    Obviously not

    The courts will pretty much tolerate anything today that's spelled out in the Terms and Conditions (and you can be sure it was) so I'm betting this is a moot question.


    • Anonymous Coward, 27 Feb 2015 @ 10:18am

      Re: Obviously not

      It wasn't spelled out in the T&C, as Lenovo didn't even realize what Superfish was really up to. Serving up ads was in the T&C, but forging your encryption certificates was something Lenovo was unaware of (which of course means they didn't do due diligence).

      And for that matter, Superfish may not even have been fully aware of what was being done, as it was being done by the Komodia SDK they used to produce the software. Crazy that nobody thought to check HOW Komodia was intercepting SSL traffic.


  • Anonymous Coward, 27 Feb 2015 @ 8:36am

    I'm going to assume that no laws were broken because their EULA gives them permission to do all the nasty things they do -- and probably much more. Perhaps the EULA allows them to do anything they want without even explicitly saying so.

    Most people don't even bother reading EULAs; those who do and refuse to agree to their outrageous terms are free to send their computer back for a refund -- minus a 20% restocking fee and shipping costs both ways.


    • Anonymous Coward, 27 Feb 2015 @ 8:42am

      Re:

      Unless the EULA says no refunds.


      • Anonymous Coward, 27 Feb 2015 @ 9:11am

        Re: Re:

        I've never seen a EULA that flat-out said "no refunds." (period). These things are written by lawyers who always leave a way out -- even if it exists only on paper.

        I've bought software that said if I didn't agree to the EULA (or whatever other reason) I should take it back to the retail store for a refund. I tried that, but the store would not give refunds if the box was opened, saying it had to be sent to the manufacturer (which pointed me right back to the store).

        That was the day I became a software pirate. (I learned years later that the software did indeed work, but the printer driver installed on my PC made it malfunction.)


        • John Fenderson (profile), 27 Feb 2015 @ 10:03am

          Re: Re: Re:

          "I tried that, but the store would not give refunds if the box was opened, saying it had to be sent to the manufacturer"

          This is actually the very thing that small claims court was intended for. If this happens to you again, you should try that. It's cheap and easy, and requires no lawyers. On the downside, all you'd get would be a judgement in your favor, which amounts to a legal debt to you. It'd still be up to you to collect that debt (but with most companies, this isn't really a problem.)


          • Anonymous Coward, 27 Feb 2015 @ 11:08am

            Re: Re: Re: Re:

            "This is actually the very thing that small claims court was intended for."

            I don't think so, unless it's a large sum of money or a purely symbolic victory you're after. When you add up the cost of taking several trips downtown, scheduling time off work, waiting in lines, etc., will all that really be worth the $20 or $30 you hope to get back?


      • DogBreath, 27 Feb 2015 @ 9:20am

        Re: Re:

        Ferengi Rule Of Acquisition #1:

        "Once you have their money, you never give it back."

        I'm sure many of the following rules can be found in EULAs, or were used in crafting them.


  • TasMot (profile), 27 Feb 2015 @ 8:55am

    and then there is HIPAA

    Since Superfish intercepted ALL communications that the computers' users thought were safely encrypted via SSL (as indicated by the green lock on the browser as users were taught to watch), Superfish could be intercepting Personally Protected Information (PII) that is protected by HIPAA and that protection can't be overridden by a EULA. All they need to do is show that someone was accessing health information or Medicaid information on their computer that was being surreptitiously intercepted and looked at by Superfish to show that they were actively violating HIPAA.


  • Mohammed, 27 Feb 2015 @ 9:25am

    Lenovo Superfish

    Please fire Lenovo CEO and head of consumer P.C. department immediately and put them in criminal trouble. Get them locked up in a jail for hacking into computers and stealing people's bank information. I do not want Lenovo to have the same old CEO anymore, I want them in jail for years to come.


    • Anonymous Coward, 27 Feb 2015 @ 10:16am

      Re: Lenovo Superfish

      Lenovo did not steal people's bank information. Not even close. What they did do was make online banking less secure but Lenovo itself never copied/viewed anything that anyone did on their computers.

      Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.

      Be careful what you ask for, you might find yourself in jail after making a bad decision about technology you barely understand.


      • ltlw0lf (profile), 27 Feb 2015 @ 12:01pm

        Re: Re: Lenovo Superfish

        Lenovo did not steal people's bank information. Not even close. What they did do was make online banking less secure but Lenovo itself never copied/viewed anything that anyone did on their computers.

        This. Lenovo's crime here is getting greedy (in that they were paid by Superfish to install software that did bad stuff they weren't aware of.) And unlike Superfish/Komodia, they eventually decided to change their business model.

        Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.

        The intelligence agencies have, allegedly, actively done far more to make banking less secure, as well as computing less secure, in the last couple decades. Microsoft just sucks at programming, and is extremely slow at fixing stuff reported to them. Not defending Microsoft for their stupidity, but so long as computers are programmed by humans, we will continue to have these problems.


  • Roger Strong (profile), 27 Feb 2015 @ 9:54am

    Whither Canada?

    Even if the US gives Lenovo a pass, it could still be illegal in Canada or elsewhere.

    Of course, stopping that sort of thing is what Investor-State Dispute Settlement (ISDS) proceedings are for.


  • Anonymous Coward, 27 Feb 2015 @ 9:59am

    apart from like the invasion of privacy through such targeted advertising etc, is there not an 'unfair competition' aspect to look at here?


  • Mason Wheeler (profile), 27 Feb 2015 @ 10:34am

    But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then.

    It changed its tune within less than 48 hours after getting caught and being publicly tarred and feathered in the media over it. But how long did this continue happening, unnoticed, before then?

    No, that's really not a good metric. If someone has to be exposed as doing something nefarious before they apologize, it really doesn't matter how quickly they apologize after being exposed, since it's reasonable to assume, extrapolating from past behavior, that had they not been exposed, they would never have apologized.


  • Anonymous Coward, 27 Feb 2015 @ 10:39am

    Can someone explain why this isn't considered wiretapping? I am establishing a secure connection to a server and Superfish is injecting itself in a MITM attack in order to eavesdrop on my secure conversation. How does this not run afoul of wiretapping laws?


  • That Anonymous Coward (profile), 27 Feb 2015 @ 3:35pm

    "Lenovo claims that they didn’t make much money from its deal with Superfish"

    A rain drop is nothing to a human, to an ant it can be world ending.

    Also, it doesn't help the position very much to end up stating, your security mattered less than the "little" amount of money we made.


  • nasch (profile), 27 Feb 2015 @ 4:26pm

    Costing customers

    I was just asked to buy a new laptop this week and I definitely passed over anything that said "Lenovo". I wonder how many lost sales it would take to wipe out the money they got from Superfish.


  • Anonymous Coward, 27 Feb 2015 @ 9:11pm

    Did the NSA ever break the law?


  • Anon, 2 Mar 2015 @ 9:33am

    Not Understanding...

    I don't get it.
    If I am browsing a site, and my browser shows a green "locked" icon, indicating a secure certificated connection - and this is not the case - I am being deceived in all meanings of the word. Monkey in the middle is still deception.


  • Anonymous Coward, 2 Mar 2015 @ 11:24am

    Illegal when a consumer does it, but not a company?

    We've seen articles here before about people being threatened with jail time for:
    1) Changing your own MAC address
    2) Trying URLs in your browser that aren't linked to from Google
    What else? I know there are others. Perhaps adding an entry to your hosts file? Editing your Windows registry?

    Somehow, when a consumer does something that any computer savvy person or junior systems administrator may do on a daily basis, something that anyone with know-how understands is employing a basic technology in a way it is meant to work but that everyone else doesn't understand, it is hugely suspect and potentially illegal enough to send you to prison for decades.

    But when a large company does something these same computer savvy people say is egregious, and probably illegal, where is the federal prosecutor?


    • Anonymous Coward, 2 Mar 2015 @ 11:35am

      Re: Illegal when a consumer does it, but not a company?

      Are you DAFT? That might piss off a potential future employer, so no prosecution there. At the very most, a potential air-slap on the wrist.


