Lenovo has agreed to a settlement as part of its Superfish adware controversy that first came to light in early 2015. At the time, Lenovo was found to have preinstalled a piece of adware developed by a firm known as Superfish on hundreds of thousands of laptops without its customers' knowledge. After some legal wrangling with the Federal Trade Commission and a 32-state coalition, Lenovo has agreed to $3.5 million in fines and additional stipulations (via Engadget).
The Superfish adware, known as VisualDiscovery, worked by inserting third-party advertisements into Google search results and other websites via a "man-in-the-middle" technique. The adware posed a number of security risks and was able to access potentially sensitive user information like social security numbers, payment information, and login credentials. While it doesn't appear, according to the FTC's statement, that this more sensitive information was transmitted to Superfish's servers, it still put customers at risk should the software have been compromised.
In addition to the $3.5 million fine, the FTC says Lenovo has agreed to additional stipulations. From the FTC:
As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers' affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.
For its part, Lenovo denied the allegations in a statement to Reuters, but said it was pleased that the matter is now settled:
While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years. To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications.