Lenovo Class Action Lawsuits Filed Over Pre-Installed “Superfish” Adware

The computer manufacturer Lenovo faces a growing number of class action lawsuits over software that came pre-installed on some of its laptops, which allegedly provides the devices with an easy opening for hackers. 

According to a motion to consolidate (PDF) filed this week with the U.S. Judicial Panel on Multidistrict Litigation (JPML), at least three Lenovo class action lawsuits have been brought throughout the federal court system, and additional complaints are expected.

All of the complaints involve similar allegations, indicating that some Lenovo laptops were sold with harmful adware software, known as Superfish Visual Discovery.

The request seeks to transfer all Lenovo Superfish lawsuits filed in U.S. District Courts throughout the country to one judge for coordinated pre-trial proceedings, as part of a multi-district litigation (MDL).

Given the similar allegations raised the cases, as well as future complaints that are expected, plaintiffs indicate that centralization would reduce duplicative discovery into common issues, avoid conflicting rulings from different judges and serve the convenience of the parties, witnesses and the courts.

The Lenovo Superfish software, which many are calling spyware, tracks web searches made by users and places ads on the sites they visit tailored to their habits. While it is designed to make advertising more effective, Superfish also adds a “root certificate” that can be exploited by hackers, critics say.

The problem is that the program essentially hijacks the connection between users and websites and opens up what should be encrypted connections. It does this by creating fake security certificates for trusted websites to fool the computer into allowing the program to alter what actually appears on the screen.

These connections allow hackers an easy access point to the computer, which could lead to viruses that damage user data and computers, and an increased risk of identity theft and other problems, according to cybersecurity experts condemning the Superfish software.

“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” Eric rand, a researcher at Brown Hat Security, is quoted as saying in one complaint (PDF) filed last week. “This amounts to a wiretap.”

Lenovo indicates that it has stopped installing the software on its devices and has apologized to its customers, admitting that Superfish was a mistake.

“We acted swiftly and decisively once these concerns began to be raised,” the company said in a statement. “We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.”

The company said it stopped installing the software in January 2015, has provided information on superfish and details on how to safely uninstall the program, and provided a list of affected laptops and notebooks.