PC MAKER Lenovo has been slapped on the wrists and handed a paltry $3.5m (£2.6m) fine for loading up its laptops with Superfish adware.
In 2014, it was revealed that Lenovo had started loading a third-party adware programme called 'Superfish' onto its consumer PCs.
While the company had argued that it wasn't that bad and could be switched off, it was later revealed that the software hijacked encrypted Web sessions, leaving users vulnerable to HTTPS man-in-the-middle attacks, and shared user browsing data with third parties.
Almost three years later, Lenovo has settled a lawsuit by the Federal Trade Commission, which has seen the firm get away with a clip around the ear and escape being whacked by a massive fine.
Instead, Lenovo has to pay just $3.5 million in penalties for "deceptively failing to disclose VisualDiscovery's man-in-the-middle capabilities" and for "installing the software without adequate notice or consent and for failing to take reasonable steps to deal with the security risks created by their software."
The FTC has said that the company must get affirmative consent from users before pre-installing any adware on their devices, and Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years.
"As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties," the FTC said.
"The company must also get consumers' affirmative consent before pre-installing this type of software."
In a statement, Lenovo said that, while 75,000 PCs were found to have shipped with the Superfish adware onboard, it is "not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications."
"After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs," the firm added.
Lenovo wasn't the only company that was found to be shoving dodgy third-party software into its laptops. Just a few months after the Lenovo scandal hit headlines, it was revealed Dell was shipping devices with an eponymous root certificate and private key called eDellRoot. µ