Attorney General Becerra Announces $3.5M Settlement with Lenovo for Preinstalling Software that Compromised Security of its Computers
SACRAMENTO — California Attorney General Xavier Becerra today announced a $3.5 million multi-state settlement with Lenovo to resolve allegations that it illegally preinstalled ad-injecting software that compromised the security of its computers. California will receive $389,204 — the largest share of any of the 32 states involved in the settlement — based, in large part, on its size and leadership role in the multi-state investigation. This marks the first time that California has held a hardware manufacturer accountable for software preinstalled on its products. The settlement was negotiated and finalized in coordination with the Federal Trade Commission.
“What Lenovo did is inexcusable,” said Attorney General Becerra. “Companies should make every effort to develop secure software and protect consumers’ privacy. Today’s announcement should serve as a warning to any company that believes it can put profits ahead of people — we will hold you accountable and we will ensure that justice prevails.”
From July 2014 to January 2015, Lenovo preinstalled a program called “Visual Discovery” on its computers. The states alleged that the program not only viewed online browsing activity so that it could inject product recommendations and advertising based on the websites a consumer visited, but also acted as a “man-in-the-middle,” causing both the browser and the website to believe that they had established a direct, encrypted connection. In reality, the program was breaking the secured connection without the user’s knowledge so that, on certain websites such as email or bank websites, a consumer’s sensitive personal information became vulnerable to unauthorized viewing or — even worse — use by others.
Lenovo sold 750,134 computers in the United States that had the program preinstalled. The states alleged that Lenovo did not make any disclosures about the program prior to purchase, and that many consumers inadvertently became active users because the opt-out link was easy to miss and, even if selected, did not fully disable the adware from running on the computer.
As part of the settlement, Lenovo is also required to adopt advanced measures to prevent future misconduct. Specifically, Lenovo is required to clearly and conspicuously disclose how preinstalled advertising software will operate on a consumer’s device, obtain a consumer’s affirmative consent before using such software on their device, and provide a reasonable and effective means for consumers to opt out of, disable or remove the software. Lenovo is also required to implement and maintain a software security compliance program and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the program’s effectiveness.
The settlement is embodied in a stipulated judgment submitted to the Los Angeles County Superior Court for approval. It is attached to the electronic version of this release at oag.ca.gov/news.