Did Lenovo/Superfish Break The Law?
from the certainly-can-make-an-argument-that-way dept
For many years, it's been something of an open question whether creating a major security or privacy vulnerability is illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion of whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider Gogo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which contains the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matter quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.” It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice. For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents available on their website say nothing about these practices. Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than "deceptive," so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:
- Cause significant consumer harm,
- Not be reasonably avoidable by consumers, and
- Not be offset by countervailing benefits to consumers.

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked through legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising. It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that it didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.
Filed Under: deceptive, ftc, https, malware, man in the middle, section 5, unfair
Companies: komodia, lenovo, superfish
Reader Comments
No big deal for FTC; elsewhere, Federal offense
First test - If they don't use my credit card number to buy anything, I guess the FTC says, no harm, no foul, right? That can't be right.
Second test - How can I reasonably avoid an intruder tearing sealed letters open?
Third test - Hard to imagine "countervailing benefits" for violating my privacy and security, unless they see all those charges for sex toys, and give me 20% discount coupons for Clorox Sex Toy Wipes.
No, it doesn't play any better for old-school (postal) data communications than for HTML/SSL... except for one thing: It's a federal offense to even touch someone else's mail, likely for the same security and privacy reasons.
Re: No big deal for FTC; elsewhere, Federal offense
Clearly, having him recite an ad to you after reading your mail is a real benefit for you! At least, that's the "logic" that so many nefarious advertising agencies follow.
Obviously not
Most people don't even bother reading EULAs; those who do and refuse to agree to their outrageous terms are free to send their computer back for a refund -- minus a 20% restocking fee and shipping costs both ways.
Re:
Re: No big deal for FTC; elsewhere, Federal offense
A "right" that can be signed away.
For instance, the Scientology cult makes staff members sign a contract granting permission for the cult to tap their phones, open their mail, and even hold them prisoner for "spiritual treatment" or whatever they call it, cutting off all their access to the outside world until they "graduate" from the program ... which can take years.
and then there is HIPAA
Re: Re:
I've bought software that said if I didn't agree to the EULA (or whatever other reason) I should take it back to the retail store for a refund. I tried that, but the store would not give refunds if the box was opened, saying it had to be sent to the manufacturer (which pointed me right back to the store).
That was the day I became a software pirate. (I learned years later that the software did indeed work, but the printer driver installed on my PC made it malfunction.)
Re: Re:
"Once you have their money, you never give it back."
I'm sure many of the following rules can be found in EULAs, or were used in crafting them.
Lenovo Superfish
Whither Canada?
Of course, stopping that sort of thing is what Investor-State Dispute Settlement (ISDS) proceedings are for.
Re: Re: Re:
This is actually the very thing that small claims court was intended for. If this happens to you again, you should try that. It's cheap and easy, and requires no lawyers. On the downside, all you'd get would be a judgement in your favor, which amounts to a legal debt to you. It'd still be up to you to collect that debt (but with most companies, this isn't really a problem.)
Re: Lenovo Superfish
Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.
Be careful what you ask for, you might find yourself in jail after making a bad decision about technology you barely understand.
Re: Obviously not
And for that matter, Superfish may not even have been fully aware of what was being done, as it was being done by the Komodia SDK they used to produce the software. Crazy that nobody thought to check HOW Komodia was intercepting SSL traffic.
It changed its tune within less than 48 hours after getting caught and being publicly tarred and feathered in the media over it. But how long did this continue happening, unnoticed, before then?
No, that's really not a good metric. If someone has to be exposed as doing something nefarious before they apologize, it really doesn't matter how quickly they apologize after being exposed, since it's reasonable to assume, extrapolating from past behavior, that had they not been exposed, they would never have apologized.
Re: Re: Re: Re:
I don't think so, unless it's a large sum of money or a purely symbolic victory you're after. When you add up the cost of taking several trips downtown, scheduling time off work, waiting in lines, etc., will all that really be worth the $20 or $30 you hope to get back?
Re: Re: Lenovo Superfish
This. Lenovo's crime here is getting greedy (in that they were paid by Superfish to install software that did bad stuff they weren't aware of.) And unlike Superfish/Komodia, they eventually decided to change their business model.
Microsoft also has made online banking less secure over the years, think of all the security patches you see from them each month.
The intelligence agencies have, allegedly, actively done far more to make banking less secure, as well as computing less secure, in the last couple decades. Microsoft just sucks at programming, and is extremely slow at fixing stuff reported to them. Not defending Microsoft for their stupidity, but so long as computers are programmed by humans, we will continue to have these problems.
A rain drop is nothing to a human, to an ant it can be world ending.
Also, it doesn't help the position very much to end up stating, your security mattered less than the "little" amount of money we made.
Costing customers
Re: Costing customers
Not Understanding...
If I am browsing a site, and my browser shows a green "locked" icon, indicating a secure certificated connection - and this is not the case - I am being deceived in all meanings of the word. Monkey in the middle is still deception.
Illegal when a consumer does it, but not a company?
1) Changing your own MAC address
2) Trying URLs in your browser that aren't linked to from Google
What else? I know there are others. Perhaps adding an entry to your hosts file? Editing your Windows registry?
Somehow, when a consumer does something that any computer savvy person or junior systems administrator may do on a daily basis, something that anyone with know-how understands is employing a basic technology in a way it is meant to work but that everyone else doesn't understand, it is hugely suspect and potentially illegal enough to send you to prison for decades.
But when a large company does something these same computer savvy people say is egregious, and probably illegal, where is the federal prosecutor?
Re: Illegal when a consumer does it, but not a company?