Privacy and security concerns related to the “Superfish” scandal

February 23, 2015

Last week, news of Lenovo’s “Superfish” scandal hit the headlines, and many believe it could be one of the biggest mistakes an established tech company could make. From September 2014 to December 2014, Lenovo shipped its computers with the Superfish software, and many are outraged, claiming Superfish makes the computer user more vulnerable to security threats. Lenovo’s popularity in the United States has increased drastically since the company acquired IBM’s personal computer division in 2005. As of October 2014, Lenovo was the world’s largest PC maker, with about 20 percent of global PC sales. So the question is: why would a company as successful as Lenovo feel the need to quietly include Superfish on its computers?
Lenovo says Superfish “is a technology that helps users find and discover products visually.” But privacy advocates have expressed concern that Superfish allows hackers, or Lenovo itself, to intercept encrypted traffic. The software itself is called “Superfish Visual Discovery,” and it has been described as malware. Through Superfish, a third party can use a self-signed certificate that makes the computer believe the third party is a trusted party, which gives rise to significant security and privacy concerns: a party the computer trusts in this way can feasibly see the computer’s traffic and alter it. Though Lenovo’s stated goal is to use this function to insert advertisements into the user’s Internet browser, it is not surprising that these capabilities have led to the public backlash of the last few weeks.
In addition to personal security and privacy concerns, there may be foreign-relations concerns surrounding the Superfish scandal. As of last year, it appeared the Chinese government owned a significant stake in Lenovo by way of the Chinese Academy of Sciences, a government-owned entity. Considering that the Chinese government has been accused of using iCloud to access citizens’ cloud-stored data and of using Yahoo.com to monitor what its citizens read online, an inevitable question arises: is preloading Superfish a result of the ideology of the Chinese government, one of Lenovo’s largest shareholders? The link is tenuous, and Lenovo seems to be trending toward a more capitalist-style company, but one must consider the possibility.
Perhaps the biggest issue here is accountability: which entity would be held accountable for any negative effects of preloading Superfish on Lenovo computers? The public may not have any recourse, as users are able to disagree with the terms of Superfish and thereby disable it. Superfish is blaming a partner for the code that creates the security concerns, arguing that this code is also used in various applications other than Superfish and that Superfish is not responsible for the security threats. Clearly, there is plenty of room for finger-pointing when it comes to the security threats surrounding Superfish.
After the public backlash, Lenovo disabled Superfish and plans to issue fixes to the software. The question remains: is Superfish merely a way to let computer users find and discover new products, or is it software that should be used only with caution? Regardless of the answer, there is a way for computer users to remove Superfish from their devices, so the average consumer can avoid any security issues.
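As a practical check to go with the certificate mechanism described above and the removal mentioned in the last paragraph, here is an added example (not from the article, Lenovo or Superfish): a PowerShell script that looks for a Superfish root certificate in the Windows trusted-root stores and for a “Superfish Visual Discovery” program entry. The `*Superfish*` name pattern and the uninstall registry paths are assumptions, and the `-Remove` switch is an option this script defines itself.

```powershell
# Added example: audit a Windows machine for Superfish leftovers (assumed name pattern).
param([switch]$Remove)   # -Remove is this script's own option; the default is report-only

$pattern = '*Superfish*'   # assumption: the root certificate's subject/issuer names Superfish

# 1. Trusted root stores: a self-signed root here makes anything issued under it look trusted.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern }

if ($roots) {
    Write-Warning "Third-party root certificate(s) found in a trusted root store:"
    $roots | Select-Object PSParentPath, Thumbprint, Subject, NotAfter | Format-Table -AutoSize
    if ($Remove) {
        # Removing the root certificate withdraws the blanket trust even if the program lingers.
        $roots | ForEach-Object { Remove-Item -Path $_.PSPath -Confirm:$false }
        Write-Output "Removed $($roots.Count) certificate(s)."
    }
} else {
    Write-Output "No root certificate matching $pattern found."
}

# 2. Installed-program entries, to find the Superfish Visual Discovery software itself.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern }

if ($programs) {
    Write-Warning "Superfish program entry present; uninstall it, then re-run this check:"
    $programs | Select-Object DisplayName, DisplayVersion, UninstallString | Format-Table -AutoSize
} else {
    Write-Output "No installed program matching $pattern found."
}
```

Run it from an elevated PowerShell session, since the LocalMachine store and HKLM require administrator rights to modify.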