Chinese computer manufacturer Lenovo has been caught preinstalling a piece of stealth adware called Superfish on its consumer models shipped between October and December of last year.
This news has provoked a torrent of outrage. But Superfish is listed by Forbes as America’s 64th most promising company, with revenue of $38 million and $20.4 million in venture capital investment.
What the Superfish case points out is that, with razor thin profit margins and consumer expectation for super-cheap computers and electronics, manufacturers have to find new and frankly devious ways of larding your inexpensive computer with tricky third-party methods to turn some kind of profit.
What did you expect, buying a $350 laptop? Your computer is literally a Trojan horse for money-making malware. That’s the only way that the Big 5 computer makers (HP, Lenovo, Dell, Asus and Acer, who account for 60% of the Windows PC market) can earn a buck anymore.
Profit margins for laptop manufacturers have barely budged between 2010 and now, up from 2.55% to 2.73%. That razor-thin margin, and the downward pressure on prices behind it, is exactly what led to Lenovo’s deal with Superfish.
Most of the outrage over the Superfish case has been directed at Lenovo for trying to pull a fast one on consumers. Even more was expressed once it emerged that Superfish did not just serve Lenovo users ads: to inject them into encrypted pages, it intercepted each user’s secure connections (https sites, or SSL connections) by installing its own root certificate in Windows’ trusted root store and re-signing every site’s certificate with it. Because the same private key shipped on every affected machine and was quickly extracted, anyone holding it could spoof any SSL site to those users, or otherwise compromise the integrity of any visit to any site.
Good going, Lenovo. But hats off especially to Superfish, for simply pushing against the unlocked door that separates a user’s increasingly naive expectation of privacy from the world of behavioural tracking and stealth marketing.
For its part, Lenovo has “temporarily” stopped preinstalling Superfish. But it initially responded to outraged consumers by pointing out that Superfish is perfectly legal, and is in fact providing a service to consumers.
“To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,” reads Lenovo’s statement. “The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”
If you’ve followed trends in marketing at all over the last couple of years, you won’t find any of that language shocking. There are plenty of products out there that “help users find and discover products visually”, even if the users aren’t aware that they’re using, or being used by, said product.
It’s all perfectly legal, because when a user clicks “agree” on an EULA while they, for example, download a piece of “free” software, they have given that third-party malware operator permission to hijack their computer for marketing purposes.
It might be Conduit, for example, or the notorious Ask.com toolbar, or any number of other browser hijackers that, if you were to interview their CEOs, are presented as “helpful” for “discovering products”.
Products of this ilk really do live up to their “vampire squid stuck onto the face of humanity” status.
It’s become commonplace in tech circles to say that if you’re not paying to use a product, then you are the product.
With the Superfish scandal, you could say we’ve adjusted that old saw to mean that if you’re buying something that you think is a good value, or steeply discounted, then you are still the product anyway.
Pretty soon, unless legal steps are taken to stop software developers installing this stuff on computers, that border will be erased absolutely. Preinstalled marketing malware piggybacking on every device and download will slowly become the new normal, and no one will remember what it was like to just buy a computer with nothing phishy preloaded.
Browser hijackers are bad enough. You’re at least given the opportunity to click “no thanks” after reading through pages of fine print in the EULA.
In the Superfish case, though, the malware comes preinstalled.
Outrage can only get people so far. You might think that users will be enraged enough to stop buying Lenovo products and demand limits on what the tech sector can do to snoop on and use their data.
Let the market decide. If people are really that bent out of shape about it, then Lenovo will suffer.
If you believe that’s how the world works, I have some Beatles reunion concert tickets to sell you.
If corporate welfare were actually dependent on consumer outrage, Facebook would have shut down a couple of years ago and everyone would have joined Ello, after it became clear that the social network is essentially a marketing platform that thrives by selling your behavioural data to marketers.
Most people don’t think of technology in marketing terms, though. They just want a computer that works and a site with their name on it that allows them to swap vacation photos and birthday greetings.
There are marketing professionals out there who point out that it may very well be in each company’s own best long-term self-interest to treat their customers like human beings, instead of as data sets to be juiced for maximum short-term gain.
For those who just want to know how to get this thing off their computer, probably the most entertaining source of useful information has been the Twitter account InfoSec Taylor Swift (@SwiftOnSecurity), a computer security expert who uses the country-pop singer’s face as an avatar.
He is tonight “very tired from being a thought leader”. Indeed, finding yourself suddenly in demand as a thinkfluencer has got to be exhausting work.
After you’ve stopped chuckling through gritted teeth, you can check whether your computer has got Superfish here: https://filippo.io/Badfish/
Like a gift that keeps on giving, though, even if you follow instructions to remove Superfish, uninstalling the application leaves its certificate behind: you still have to track down and delete the offending certificate in your Trusted Root Certification Authorities folder, because as long as it sits there, anything signed with the leaked key stays trusted by your browser.
I personally was relieved to discover that Superfish only affected consumer laptops and not the ultrabook that I’m currently typing this on. I breathed a minor sigh of relief when I confirmed that my computer is clean.
That’s sort of a cheap form of relief, however, since what it means is that basically, you get what you pay for. If you have the means to pay Lenovo what a computer is actually worth, then they won’t bother you with marketing bloatware.
But if you buy a $350 laptop, you can pretty much expect that you’ll pay a “price” in some other way. It can be in the form of preinstalled “trial version” software, or in the case of Lenovo, a straight-up piece of marketing malware.
Your behaviour will be tracked, ads will be served, marketing will be accomplished, and whatever wellspring of good will might have existed between consumer and corporation is poisoned.
We have actually arrived at a point in our history where people pay a little extra to own a product that is less feature-rich. If you want a clean, bare-bones computer with nothing but an operating system and essential apps, sure, we’ll sell that to you, but it’ll cost extra.
Meanwhile, in Canada, we have a federal Privacy Commissioner who, while writing strongly worded statements about how “concerned” the government is about “potential privacy infringements”, also broadcasts the fact that it has no teeth to act against bad behaviour on the part of marketers in an essentially borderless jurisdiction.
“The Office of the Privacy Commissioner … has called on the advertising industry to better explain what behavioural advertising involves, and how people can opt out if they wish. The industry should also ensure that organizations obtain appropriate consent before tracking consumers.”
It sounds like it’s time we purchased our Privacy Commissioner a new set of teeth.
If we continue to allow compromises that encourage surrendering personal data and consumer information in exchange for cheap or “free” services, we probably deserve the “you are the product” punchline future that we’ve designed for ourselves.
Lenovo says they're not going to get into an "argument with the security guys." pic.twitter.com/ElMV1f3NJp
— InfoSec Taylor Swift (@SwiftOnSecurity) February 19, 2015