Computer manufacturer Lenovo has been hit with a potential class-action lawsuit for allegedly selling notebooks that came pre-loaded with adware from the company Superfish.
“Defendants sold new computers with harmful and offensive spyware,” San Diego resident Jessica Bennett alleges in a complaint, filed in U.S. District Court for the Southern District of California. She adds that the ad-serving program “invaded her privacy, and damaged her computer.”
Bennett, who says she works as a “blog writer,” alleges in her complaint that she began noticing pop-up ads on her computer soon after she purchased it late last year.
While writing a blog post for a client, she allegedly noticed “spam advertisements involving scantily clad women” on the client's site. Several hours later, she allegedly saw the same ads on a different client's site.
Bennett says she “became extremely distressed that her new laptop contained spyware and thought that it may have been hacked.”
She contends that the company violated several laws, including a California privacy statute and the federal wiretap law.
Bennett's lawsuit came the same day that several mainstream media outlets reported on security flaws in Superfish, a program that inserts ads into a variety of Web pages, including secure HTTPS pages.
In order to accomplish this, Superfish tinkers with Windows' cryptographic security, according to numerous reports. But doing so also paves the way for hackers to intercept a host of encrypted information, including users' passwords and online banking credentials.
News of the technology drew widespread criticism last week from watchdogs including the Electronic Frontier Foundation, which characterized Lenovo's decision to embed Superfish as “catastrophically irresponsible.”
A Lenovo spokesperson said the company doesn't comment on pending legal matters. But late last week, the company said on its site that it didn't know until Thursday about the “potential security vulnerability” created by Superfish. Lenovo also said that it “ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience.”
Lenovo also posted instructions telling people how to remove Superfish. Lenovo also said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.
Regardless of the fate of Bennett's lawsuit, federal or state regulators potentially could take action against Lenovo for shipping computers with Superfish, according to Justin Brookman, head of consumer privacy for the watchdog Center for Democracy & Technology.
He said in a blog post that breaking encryption could be a deceptive and unfair business practice -- at least absent clear disclosures to consumers. “Given the fundamental importance of web encryption ... this seems like an area where the FTC or others need to step in,” he wrote. “Otherwise, consumers won’t be able to trust the privacy of their online communications, resulting in a fundamental lack of trust in the Internet.”