Last week, news broke that many Lenovo computers were shipped with a dangerous piece of Superfish adware, which made the computers vulnerable to malicious hacks. Now, with a class-action lawsuit looming and antivirus vendors pledging to root out the adware, Lenovo’s CTO has said his company is done with Superfish.
I spoke with Lenovo CTO Peter Hortensius this afternoon, and asked him about how the company’s relationship with Superfish. Hortensius has already said that the Superfish program was “adware with a security issue”, and has admitted that shipping it was a mistake. Lenovo has worked with anti-virus vendors to create an update that removes the program from Lenovo computers.
But the question on many consumers’ minds was how the company would deal with Superfish, their partner, who had deliberately installed what many are calling spyware. “We still have a commercial contract with them, but we have no intention of ever shipping a Superfish product,” Hortensius said. “A contract changes nothing — we will not ship more Superfish products.”
It seems that Lenovo has severed ties with Superfish for good.
Now it’s just a question of what Lenovo is doing to clean house. I asked Hortensius whether they had figured out who was responsible for setting up the Superfish deal, and whether they would be fired or disciplined for it. He replied that the company was “relooking at all our plans and policies in this area to understand [what happened] and are dealing with these issues internally.”
When I asked what precautions they would take to prevent another program like Superfish’s adware from being shipped, he said Lenovo was coming up with new policies about adware and would make an announcement about them by the end of the week.
If Lenovo hopes to regain customer confidence, however, they’re going to need to do more than promise not to ship Superfish products again. They need to end their contract with the company, and explain openly who set up the deal and how it happened. Finally, they need to do more than just promise not to ship adware that is so riddled with security flaws that the proposed class action lawsuit against Lenovo calls it “spyware”. Maybe they could start by getting security audits on their adware done by independent analysts.