Lenovo found itself in a bit of hot water when some customers started noticing weird sponsored links in the search results on their brand new PCs. The culprit, it turns out, was a little piece of adware called Superfish that the company was shipping on laptops. The company listened to customer complaints and turned off the server-side portion of the app in January. It also stopped pre-installing Superfish on new machines around the same time. While Lenovo originally said that it had “temporarily removed” the software from new machines while its developers worked on an update to address concerns, it now says that it will not preload the software ever again.
– Kenn White (@kennwhite) February 19, 2015
The add-on analyzes images and offers up ads for the same or similar products at a lower price. This, in and of itself, is slightly troublesome. But what really set off alarms was when users discovered how it worked: it installs a “man-in-the-middle” certificate that would allow Superfish and other parties to look at data from secure sites. Pop-up ads are annoying, but leaving your bank info vulnerable to prying eyes is downright dangerous.
Lenovo says that it has not found “any evidence to substantiate security concerns.” Though the tweet above, which seems to show a certificate for bankofamerica.com issued by Superfish, seems like plenty of cause for concern. Even if the software is safe and secure, Lenovo doesn’t seem interested in pissing off its customers. So Superfish won’t be making a comeback.
The manufacturer did want to make one thing abundantly clear in a statement given to Engadget:
“Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent.”
Make of that what you will. But installing any sort of adware on a machine before it even leaves the factory seems like an obviously bad idea, regardless of whether or not it violates a user’s privacy.