Beware of Bloatware

March 11, 2015

By now you are probably all aware of the highly publicised ‘Superfish’ scandal in which Lenovo has found itself embroiled.

Lenovo pre-installed the Superfish adware application on all its Windows consumer laptops before they left the Lenovo factory. The application installed a root certificate on consumers’ laptops which intercepted any secure SSL connections, thereby allowing Lenovo to replace the website’s security certificate with its own. The purpose was to allow Lenovo to insert targeted ads into consumers’ browsers. However, security experts soon realised that these Lenovo devices were compromised and vulnerable to ‘man in the middle’ attacks any time a consumer used a public Wi-Fi network.

Lenovo has stopped pre-installing this adware and has committed to reducing the preloaded software on its devices, with the ultimate goal of delivering ‘bloatware free’ devices. Whilst this is a positive step, it does not mitigate the problems for existing Lenovo users.

Whilst Superfish is installed only on consumer devices, the increasing practice of employers operating a ‘bring your own device’ (‘BYOD’) policy means that this is a concern for both consumers and businesses.

The security hole created by Superfish means that anyone accessing an HTTPS connection via a public network will expose the content to eavesdroppers. From a consumer’s perspective this leaves particularly sensitive and personal data open to exposure. Many of us access our GP’s systems or do online banking via an HTTPS connection; any of us using a Lenovo device to access such sites from a public connection are risking identity theft and financial loss, amongst other exposures. Businesses are at risk of operating in breach of the Data Protection Act 1998; they must also consider the information security risk and any associated confidentiality obligations they may have to employees, customers and suppliers.

The ICO’s BYOD guidance makes it clear that ‘an important component of any [BYOD] policy is audit and on-going monitoring of compliance’; all businesses that permit BYOD will need to review their BYOD policies following this Superfish scandal to ensure they are complying with their obligations as a data controller. As HTTPS connections are compromised by this adware, the employer must be very clear on the types of Wi-Fi networks its employees can use when accessing the corporate system. As a minimum, all businesses must inform their employees about the dangers of using public networks.

BYOD is a tricky issue for employers at the best of times: ultimately the employer is still the data controller in respect of the personal information processed by the employee on the employee’s device. It is therefore essential that businesses consider this Superfish issue and are proactive in dealing with it. Security experts have highlighted that it is not simply a case of uninstalling Superfish, as the relevant device will still remain compromised. It is essential that the root certificate is removed from the device too.
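The remediation step described above (removing the root certificate, not just the application) can be checked on an individual device. The following is an added example written for this page; it is not Lenovo’s official removal tool and not code from the original article. It assumes Windows PowerShell with the Cert: drive, and it identifies the certificate by the ‘Superfish’ name in its subject rather than by a specific thumbprint, which is an assumption; running it against the LocalMachine store requires an administrative prompt.

```powershell
# Added example (not from the original article): look for a trusted root
# certificate whose subject names Superfish, report it, and optionally remove it.
# Assumes Windows PowerShell with the Cert: provider.
param(
    [switch]$Remove   # report only unless -Remove is given
)

# Matching on the name is an assumption; the article gives no thumbprint.
$pattern = '*Superfish*'

# A rogue CA in either root store lets a local interceptor forge any site
# certificate the browser would otherwise reject.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the trusted root stores.'
    return
}

# Show what was found so the result can be recorded before anything is changed.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # -DeleteKey also discards any private key stored with the certificate.
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        Remove-Item -Path $path -DeleteKey
        Write-Output "Removed $($cert.Subject) ($($cert.Thumbprint)) from $($cert.Store)"
    }
}
```

Run it without arguments first to see whether the certificate is present, then with `-Remove` to delete it. Note that this only covers the Windows certificate stores; a browser that keeps its own trust store (Firefox does) needs to be checked separately, so a clean result here is necessary but not sufficient.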

It is apparent that there are some significant questions about Lenovo’s compliance with the DPA in deciding to pre-install Superfish on its consumer devices. Under the DPA, data subjects must be informed about the purpose for which their personal information will be processed. It is apparent that Superfish did not obtain sufficient permissions.

The ICO has published guidance on a number of matters, including guidance for mobile app developers, commentary on the internet of things and protecting personal data in online services. The common theme throughout these publications is the need to ensure compliance with the seventh data protection principle (ensuring appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data), and that such measures are tested and updated regularly.

Lenovo have acted to resolve this issue by publishing an official removal tool. The tool does remove the problematic certificate. However, it is apparent that some of the Superfish files remain on users’ computers. Why is this?

Lenovo is not the only company to have given rise to such concerns; similar vulnerabilities have been discovered in other IP-cloaking and parental control software. Whilst the draft General Data Protection Regulation continues to be delayed, it is apparent from reading the draft document that there will be greater protection for individuals and that the EU is determined to prevent organisations from using software similar to Superfish.

It is unclear if any enforcement action will be taken against Lenovo; however, their admission of responsibility and removal of the application are clearly pre-emptive steps to mitigate the impact of any future regulatory action.

This incident is yet another example showing that it is important for businesses and individuals alike to be vigilant and to understand the vulnerabilities that exist, especially as the law lags behind technological advances.

Chris Coughlan is a Solicitor at Ashfords