Update: Lenovo settles with U.S. regulator and 32 states over privacy and digital security flaws

UPDATE 9/6/2017: In a win for privacy and digital security, Lenovo settled with the U.S. Federal Trade Commission and 32 states over the company’s use of Superfish adware and the dangerous security flaws that affected the adware. The FTC settlement did not include a fine, while the state settlement mandated a financial payment of $3.5 million. Together, the settlements require Lenovo to invite users to opt in to any use of adware, and stipulate that customers with devices that already have the adware installed must be given a means of opting out. Even more important, Lenovo must also submit to 20 years of biennial security audits related to its adware.

This week two important news stories broke about digital security. The first related to the installation of adware on Lenovo laptops that used a very insecure method of tracking the web browsing habits of users. The adware, which is called Superfish, exposed users to malicious man-in-the-middle attacks by hackers. The tool represents the worst form of privacy abuse; rather than inviting customers to opt in to the tool, which few people would willingly have done, Lenovo’s Superfish operated at such a fundamental level that it was nearly impossible to opt out.

The Intercept reported the second news story, which detailed how U.S. and UK intelligence operatives infiltrated one of the world’s largest SIM card manufacturers to steal the encryption keys of the chips used in cell phones. Each of these unique encryption keys, called a “Ki,” allows your phone to perform a handshake with your mobile carrier so that you can securely make a phone call. Gaining access to these keys would give intelligence agencies the ability to easily monitor both voice and data without the user ever becoming aware. This also removes any sort of legal due process, such as obtaining a warrant or subpoena, for the authorities to obtain user communications. Worse, the manufacturer, which is called Gemalto, produces some 2 billion SIM cards each year and works with major mobile carriers around the world.

What can we learn from this?

In the short term, Ars Technica has released possible fixes to remove Superfish here, including the installation of a new Windows Defender security update. Non-Lenovo machines running Windows were not affected, nor were Lenovo machines using other operating systems such as Linux distributions.

We need to continue to demand true opt-ins for users, and authorities should hold Lenovo accountable for its privacy-invasive practices.

With respect to the NSA and GCHQ stealing SIM card information, you should use encrypted applications to communicate whenever possible. As The Intercept explains, there are secure ways of communicating: “Apps like TextSecure and Silent Text are secure alternatives to SMS messages, while Signal, RedPhone and Silent Phone encrypt voice communications.”

The lesson is that unchecked surveillance authority will encourage governments to attack users at the most vulnerable source—in this case, GCHQ stole the information by identifying the moment when the secret “Ki’s” were transferred digitally between the SIM card manufacturer and mobile carriers.
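To make concrete what the Ki does in the handshake described above, why a copy of it taken in transit is enough to read a call without touching the phone or the carrier, and why the encrypted apps The Intercept recommends still protect message content once the SIM key is gone, here is a toy model. It is an added example and not code from this article, from Gemalto or from any carrier: the real GSM algorithms (A3/A8 for authentication and key agreement, A5 for the over-the-air cipher) are replaced by HMAC-SHA256 and a SHA-256 keystream so it runs with only the Python standard library, and every key, challenge and message in it is a constructed value.

```python
"""Toy model of the SIM key ("Ki") story: why a stolen Ki lets a passive
listener read a call, and why an app with its own end-to-end encryption
still keeps the content private.

Added illustration, not code from the article, Gemalto or any carrier.
The GSM algorithms A3/A8 and A5 are replaced by HMAC-SHA256 and a SHA-256
keystream; all keys, the challenge and the message are constructed values.
"""
import hashlib
import hmac
from typing import Optional, Tuple


def derive_session(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8.

    The SIM and the carrier each hold Ki and each compute the same
    authentication response (SRES) and session key (Kc) from Ki and the
    carrier's random challenge RAND. Nothing else enters the computation,
    which is the whole problem: anyone who also holds Ki and sees RAND
    (sent over the air in the clear) derives Kc without touching either side.
    """
    sres = hmac.new(ki, b"A3|" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"A8|" + rand, hashlib.sha256).digest()[:16]
    return sres, kc


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the air-interface cipher: XOR with a SHA-256 keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def passive_intercept(ki: bytes, rand: bytes, message: bytes,
                      listener_ki: Optional[bytes],
                      app_key: Optional[bytes] = None) -> Optional[bytes]:
    """Run one authentication and one encrypted message, then return what a
    passive listener recovers from the captured traffic.

    ki:          the secret shared by this SIM and the carrier
    rand:        the carrier's challenge, visible to anyone listening
    message:     what the phone sends
    listener_ki: the listener's copy of Ki (None if it was never obtained)
    app_key:     if set, an app encrypted the message first with a key it
                 negotiated itself, independent of the SIM
    """
    # Phone and carrier authenticate; both end up with the same Kc.
    sres_sim, kc_sim = derive_session(ki, rand)
    sres_net, kc_net = derive_session(ki, rand)
    if sres_sim != sres_net:
        raise RuntimeError("authentication failed")
    assert kc_sim == kc_net

    payload = stream_xor(app_key, message) if app_key else message
    over_the_air = stream_xor(kc_sim, payload)  # what the listener captures

    if listener_ki is None:
        return None  # no key in hand, nothing to try
    # The listener repeats A8 with its copy of Ki and the public RAND.
    _, kc_guess = derive_session(listener_ki, rand)
    return stream_xor(kc_guess, over_the_air)


if __name__ == "__main__":
    KI = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
    RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
    MSG = b"meet at the usual place at nine"
    APP_KEY = b"app-negotiated-key-not-from-sim!"              # constructed
    print(passive_intercept(KI, RAND, MSG, KI))           # stolen Ki: readable
    print(passive_intercept(KI, RAND, MSG, KI, APP_KEY))  # plus app crypto: not
    print(passive_intercept(KI, RAND, MSG, bytes(16)))    # wrong Ki: not
```

The three runs at the bottom are the whole lesson: the listener who holds Ki recovers the message from captured traffic alone, the same listener gets only ciphertext when an app encrypted the message with a key that never depended on the SIM, and a listener with the wrong Ki gets nothing useful. Real networks differ in algorithm details and in having further checks, but the dependence of the session key on Ki and a public challenge is what makes custody of Ki matter.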

We need to place strong limits on the ability of governments to spy on others. Access will be filing an official comment about GCHQ practices—and you can too, by submitting on this website here. You can also visit this new website created by Privacy International that will allow you to find out if GCHQ is tracking you.

photo credit: Luciano Belvino