Sometimes it's not enough to say you're sorry. Take Lenovo. The $40-billion-a-year Beijing, China-based tech company admitted it was wrong to pre-install third-party adware on some of its consumer notebooks last fall.
But it's not off the hook yet. Users and industry analysts claim the company betrayed its consumers by using a "virulent, evil adware" called Superfish Visual Discovery to attack secure connections, access sensitive data and inject advertising.
"Lenovo sold out their customers for some extra cash," said Marc Rogers, a 20-year tech security industry veteran, principal security researcher at San Francisco-based CloudFare and security blogger. "In doing that, it completely crippled one of the key security controls that customers rely on when using the Internet -- SSL."
'We Made a Mistake'
Lenovo spokesman Brion Tingler told CMSWire the company "made a mistake" and is "taking responsibility." He continued, "We are doing things to fix the vulnerability in the immediate term for users, and we are developing a plan that we will announce later this month to move forward so these kinds of things do not happen again."
No one at Palo Alto, Calif.-based Superfish responded to requests for comment from CMSWire.
In a company statement yesterday, Lenovo claimed it stopped preloading Superfish software in January. The problem surfaced last summer, when users began to complain about it in a Lenovo forum.
"So today I got some time to investigate and narrowed it down to a piece of software called Superfish," one user in the forum said. "I check the install date and it's 1 month before purchase when all the other Lenovo bloatware was installed. Lenovo why are you adding adware that hijacks search results on any browser? Is it not enough that customers buy a laptop from you?"
Twitter Mea Culpa
Lenovo has also taken to Twitter to admit its error and help users uninstall the Superfish software.
We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://t.co/mSSUwp5EQE— Lenovo United States (@lenovoUS) February 20, 2015
"We thought the product would enhance the shopping experience, as intended by Superfish," Lenovo officials said. "It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason -- and we are always trying to learn from experience and improve what we do and how we do it."
Lenovo claims Superfish does not record user information. "It does not know who the user is," officials said. "Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product."
In addition to stopping Superfish preloads in January, Lenovo claims it also shut down the server connections that enable the software. "We are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future," the company indicated.
Meanwhile, the company that created the technology behind Superfish, Komodia.com, is offline. The company claims it’s been hit with a Distributed Denial of Service (DDoS) attack due to “recent media attention.”
Not So Fast ...
Industry analysts aren't biting the Superfish apology bait.
"This sort of behavior is associated more with spyware than with factory-shipped operating-system installs, and by itself would be a new low for Lenovo," blogged New York City-based David Auerbach, a writer and former Google and Microsoft software engineer. "But Superfish is more than just pesky. It’s the most virulent, evil adware you can find."
Is this mistake too much to overcome?
Julio Franco, executive editor at Miami-based TechSpot, a 17-year-old PC technology publication, told CMSWire that Lenovo probably saw this Superfish opportunity as another software bundle, aka bloatware.
He called it "an unfortunate practice in the PC world where OEMs, in order to make up for slim margins on hardware, try to monetize on offers of antivirus and other trial software on new machines sold."
Lenovo, however, didn't stop to think of the PR implications -- any form of adware is considerably worse than trial security software, he added.
Franco also cited Lenovo's potentially severely tarnished security reputation — a far cry from what it inherited from its connection with IBM. Lenovo acquired IBM's personal computer business in 2005 and bought its Intel-based server business last year.
IBM ThinkPad had a reputation as a solid, security-proven machine. "That decade-old inheritance just went out the window," Franco said.
Limiting the Pain?
Some, however, did find a silver lining in the Lenovo Superfish story: Lenovo's PR response.
Jeffrey Sharlach, CEO of New York City-based JeffreyGroup and adjunct associate professor of management communication at New York University's Stern School of Business, said Lenovo "acted quickly."
"These days companies can’t spend a lot of time on internal meetings deciding what to say while the conversation is happening around them -- with or without their input," Sharlach told CMSWire today.
Lenovo explained what they knew, Sharlach said, adding, "we can’t be sure there’s not more to come but so far they seem to have done a much better job than a certain anchorman in owning up to their mistakes."
Sharlach liked this Lenovo line: "In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better."
"They took the right tone," he said. "I love the line (above) since it seems clear they let the communications team rather than the lawyers work on the wording of the official statement. ... This is the brand’s reputation at stake and that requires equally important communications expertise. That why increasingly you see the top communications executives at many companies working directly with the CEO -- just like the general counsel."
Rob Enderle, principal analyst for San Jose, Calif.-based Enderle Group, called the Superfish chain of events a "nightmare that's not ending" for Lenovo. Enderle is on Lenovo's two enterprise counsels, a carryover from when IBM owned the groups.
He said Lenovo "disabled the feature that provided for a 'man in the middle attack' which is what the security folks were concerned about." But because the software was capable of such an attack, Lenovo got "painted with a broad brush."
"The software didn't work as expected anyway. The users didn't like it," Enderle told CMSWire. "And (Lenovo) got fried for the capability the software had. The lesson here is if you have to disable a feature in a piece of software, it's probably best not to install it in the first place. It's one of those lessons I think a few folks have had to learn."
Typically, companies like Lenovo and Superfish enter into some kind of "revenue sharing" agreement on this type of third-party software. But Lenovo claimed, Enderle said, it did not gain profits.
"It was a way to enhance the user experience for nothing," Enderle said, "but it often comes back that something you get for nothing probably isn’t worth the cost."
Rogers told CMSWire "nothing" about what Lenovo did here is "normal."
"While adware is a growing problem," he said, "it's unusual for a manufacturer to install it on their own customers. On top of that, this business with the weak SSL certificate is one of the most serious security issues I have seen in a long time."