How in the Hell Did Lenovo Let Superfish Happen??

Money can make for strange bedfellows. Like, oh, I don’t know — major PC manufacturers and software companies that produce adware.

This weekend, news topped Twitter trends & tech sites that Lenovo PCs were shipped to consumers pre-installed with a product by Israeli start-up Superfish. The adware, according to Ars Technica, installs a self-signed HTTPS certificate which intercepts encrypted web traffic (such as banking and e-commerce sites) & “falsely represents itself as the official website certificate”. If exploited by a hacker, someone attempting to check their bank account could, for instance, be re-routed to a fake Chase website set up purely to steal personal info. With Superfish installed on these computers and signing its own security certificates, the consumer would be none the wiser.
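The mechanism above is easy to miss precisely because nothing visibly breaks: once an interception root is trusted by the machine, the browser's own validation passes for every site. The added example below (not code from the original post, Ars Technica, Lenovo or Superfish) shows the defender's check that still works in that situation: look at the issuer of the certificate a client on the machine actually receives for a known site and compare it to the CA that site is expected to chain to. All certificate data and CA names in it are constructed placeholders, and `EXPECTED_ISSUER_ORGS` stands in for whatever pinning or observed-chain data an organisation keeps.

```python
"""Added example: flag an unexpected or self-signed issuer on a TLS leaf
certificate. Not part of the original post; all names are placeholders."""
import ssl
import socket

# Constructed allow-list (hypothetical): which CA organisation each site is
# expected to chain to. Real deployments populate this from verified chains.
EXPECTED_ISSUER_ORGS = {
    "bank.example": {"Example Public CA"},
}


def rdn_to_dict(rdns):
    """Flatten the nested RDN tuples returned by getpeercert() into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def is_self_signed(cert):
    """A certificate whose issuer equals its subject signed itself."""
    return rdn_to_dict(cert["issuer"]) == rdn_to_dict(cert["subject"])


def classify_cert(cert, expected_orgs):
    """Return 'ok', 'self-signed' or 'unexpected-issuer' for a peer cert."""
    if is_self_signed(cert):
        return "self-signed"
    issuer_org = rdn_to_dict(cert["issuer"]).get("organizationName")
    if issuer_org in expected_orgs:
        return "ok"
    return "unexpected-issuer"


def fetch_peer_cert(host, port=443):
    """Fetch the leaf certificate this machine actually sees for `host`.

    Validation uses the OS trust store, so a locally injected root passes
    the handshake; that is exactly why classify_cert() inspects the issuer
    afterwards instead of relying on the handshake alone.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, port=443):
    """Connect to a live host and classify its certificate (network needed)."""
    expected = EXPECTED_ISSUER_ORGS.get(host, set())
    return classify_cert(fetch_peer_cert(host, port), expected)


# Constructed sample certificates in the shape getpeercert() returns.
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA Issuing G1"),),
    ),
}
# The same site, but the leaf was minted by a root installed on the machine.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Placeholder Interception CA"),),
        (("commonName", "Placeholder Interception CA"),),
    ),
}
# A leaf that vouches for itself; no public CA is involved at all.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "bank.example"),), (("organizationName", "bank.example"),)),
    "issuer": ((("commonName", "bank.example"),), (("organizationName", "bank.example"),)),
}


if __name__ == "__main__":
    samples = [("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT),
               ("self-signed", SELF_SIGNED_CERT)]
    for name, cert in samples:
        print(name, "->", classify_cert(cert, EXPECTED_ISSUER_ORGS["bank.example"]))
```

Run across a fleet, the same unexpected issuer showing up for every HTTPS site on a machine is the signature of a local interception root rather than a problem at any one site; `check_host()` is the live version of the check, while the constructed samples let the classification logic run offline.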

And Superfish’s purpose? To show ads... of course.

TechCrunch reports that the adware’s primary function was to intercept Google search results (yes — even Google was vulnerable on infected machines) and show users even more ads. This is a far cry from the technology that Superfish itself claims to specialize in: “visual search”, similar to what Google has been trying out with its Goggles product.

Example of Superfish-powered ads on Google

Not helping themselves one bit, Lenovo’s original statement on Superfish (which has since been retracted) claims the company has “thoroughly investigated this technology and do not find any evidence to substantiate security concerns”. Lenovo claims that the arrangement with Superfish was not “financially significant” — meaning, they figured PC users would actually benefit from having this adware pre-installed.

Now updated, the company has the following to say about the adware:

The goal was to improve the shopping experience using their visual discovery techniques.

In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.

We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.

Clearly, the real motive behind the Superfish installs is financial (regardless of claims to the contrary). Besides the IT-department-darling ThinkPads, Lenovo makes a whole host of lower-end models, which deliver low-margin revenues for the company. Adware deals, such as the one with Superfish, may not make or break the PC companies that sign them — but they add an influx of outside income they wouldn’t make otherwise.

In this case, though, the Superfish deal will likely result in much more negative PR than positive cash flow for Lenovo. Though the company has detailed instructions on the removal of Superfish on their website, if I had purchased a machine with this adware pre-installed, I’d personally be asking for my money back.

Chances are, a slew of others will be, too.