Lenovo Will Pay $3.5 Million To States For Privacy-Invading Ad Software

Only hours after Lenovo got off with what amounted to a warning and a promise to not do illegal stuff going forward, the tech company has agreed to pay a total of $3.5 million to a coalition of 32 states to settle allegations that Lenovo knowingly sold laptops that came with ad-injection software that put all of their users’ online data at risk.

California Attorney General Xavier Becerra announced the multi-state settlement with Lenovo this afternoon, closing the book on these states’ cases against Lenovo. (See final paragraph for full list of states involved in the settlement.)

As explained in the story about Lenovo’s settlement with the FTC, in 2014 the company sold laptops containing ad-injection software called VisualDiscovery. The software not only inserted unwanted ads into users’ web browsers, it also secretly inserted itself as a “man in the middle” between your computer and any supposedly secure website.

So, rather than having a direct, encrypted connection to those sites, your data was being decrypted then re-encrypted by VisualDiscovery — all without you or the website knowing about it. Not only does this mean that the software had illegal, unauthorized access to your data, but any clever cybercriminal could have exploited this security loophole to siphon off your information.

Each Lenovo user was alerted only once, via pop-up window, about the existence of the software on their computer. That pop-up window included a link to opt out of the VisualDiscovery program, but clicking that option only meant you wouldn’t see the annoying injected ads. Your data was still being filtered through the software’s server as it went back and forth between your computer and the various websites you visited.

Unlike the Federal Trade Commission, which is limited in its ability to seek civil penalties for unfair and deceptive business practices, state laws usually give attorneys general that authority when they go after companies for violating state consumer protection statutes.

The proposed settlement [PDF] would see $3.5 million going to the states that participated in the joint legal action against Lenovo. Additionally, Lenovo is required to “clearly and conspicuously disclose how pre-installed advertising software will operate on a consumer’s device, obtain a consumer’s affirmative consent before using such software on their device, and provide a reasonable and effective means for consumers to opt-out, disable or remove the software.”

In addition to California, the other states involved in the settlement are: Arizona, Arkansas, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, and Washington.