Superfish and the Sordid History of Selling Customers' Online Privacy Out From Under Them

Rob Pegoraro
·Contributing Editor
image

About the nicest thing you can say about Lenovo shipping some of its computers with Superfish adware that fatally compromised its online security is this: It wasn’t the first.

There’s a rich history of manufacturers who tried to eke out a few advertising bucks from products their customers had already paid for.

Lenovo merely failed at this ambition more catastrophically than most.

The Superfish flop
Superfish, if you missed the first round of stories, uses image-recognition software to identify pictures you’re looking at online and then presents ads for the same things. That alone might sound sketchy, and usually a browser would block this kind of snooping. Superfish got around this by using a security certificate it signed itself to fool your browser into letting it watch secure Web traffic.

The Department of Homeland Security’s Computer Emergency Readiness Team (CERT) labeled this tactic “a classic man-in-the-middle attack” that an attacker could easily exploit for eavesdropping.

That CERT alert warns that you’d get no warning from your browser if somebody tapped into Superfish and started peeking at your e-mail or online banking. It urges a prompt removal of Superfish. If you have a Lenovo laptop, you can check your computer for this vulnerability at https://filippo.io/Badfish/.

Lenovo’s response? After spending a few days saying it meant no harm and brushing off “theoretical concerns,” the company recognized its error and posted an uninstaller to yank the Superfish software and its dangerous security certificate. If your PC tests positive for Superfish, that uninstaller needs to be the next thing you run.

Did you do that? Good. Now enjoy this quote from Lenovo chief technical officer Peter Hortensius to Re/code’s Ina Fried: “We are taking our beating like we deserve on this issue.”

A Lenovo publicist didn’t respond to our own query.

Verizon’s “supercookie” crumbles
Lenovo should have gotten all the warning it needed when different advertising adventures at Verizon and AT&T’s wireless divisions came to light last fall: Both carriers had been silently attaching a tracking header to the unencrypted Web traffic of subscribers.

The idea was to let AT&T and Verizon Wireless offer better-targeted advertising, but other people could easily detect these headers themselves, then combine them with other tracking technologies like cookies to follow you across the Internet.

You can check to see if you got caught up in this scheme at  AmIBeingTracked, a site by the tech-policy group Access. If you use AT&T, you should get a confirmation that no such surveillance is afoot: The carrier abandoned this project within weeks.

Verizon, however, was more stubborn. Only at the end of January did that carrier say it would let customers opt out of this previously-mandatory program. A month later, there isn’t a date set for that opt-out, but spokeswoman Debra Lewis wrote that we should “think in terms of weeks, not months.”

Whenever that time arrives, if you use Verizon Wireless, you should flee this surveillance immediately.

image

Pay for privacy at AT&T?
A different set of AT&T customers now face a different choice: They can get a discount on gigabit fiber-optic service in Austin, Dallas, Kansas City, and elsewhere for having anonymized “Internet Preferences” data about their Web habits used to target ads.

Or they can pay more for extra privacy.

Now, letting customers choose an ad-enhanced option and get a lower price is a respectful step we didn’t see at Lenovo and Verizon. That consideration also went missing in Comcast hotspots that help market “Cable WiFi” from within your own home and Samsung connected TVs that errantly inserted ads into movies playing in third-party apps.

But I can’t credit AT&T too much here: Its presentation of this offer makes it easy to miss the fact that any such choice exists.

As GigaOM’s Stacey Higginbotham found and as I confirmed by plugging in a relative’s Kansas City-area address, AT&T’s site defaults to showing only the cheaper, tracking-included “Premier Offer.” To see the no-tracking “Standard Offer,” you have to click some of the smallest type on the page.

The page listing both Premier and Standard prices, $70 and $99, offers an extra benefit: Premier offers a waiver of a $99 setup fee and AT&T’s standard $7 “In-home WiFi Gateway Equipment Fee.” This means choosing the “standard” (as in, standard privacy for an Internet connection) costs you $36 a month.

Spokesman Jim Greer said that the Premier offer gets top billing because “we prefer to lead with our best price option” and that “the vast majority” of customers take the discounted rate.

“Ad-supported” doesn’t have to be annoying
I imagine the people at Lenovo, Verizon, AT&T, and elsewhere are only trying to cash in on the same free-stuff-for-ads phenomenon that provides e-mail, social networks, and other nice things online.

I get that. But sneaking ad schemes on customers, even when they don’t hide gruesome security or privacy flaws, is no way to do business. And better examples are available: See, for instance, how easily Amazon lets you compare regular and cheaper-with-ads “Special Offers” prices for Kindle e-book readers.

This shouldn’t be that hard. But I guess some companies have to be market leaders at everything, epic privacy fails included.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.