Lenovo and Superfish Are Giving Us Deja-vu

Ever since Edward Snowden’s revelations about the NSA’s extensive spying programs, security has been in the spotlight. Over the past several weeks, the adware known as Superfish has been the hot topic.

Lenovo, the China-based OEM, has admitted to pre-loading the Superfish adware on its consumer PCs during the second half of 2014. Two new lawsuits were filed on February 23, 2015 against Lenovo and adware maker Superfish in federal court in California for putting consumers at risk of information theft and eavesdropping.

One plaintiff, David Hunter of North Carolina, claims that both Lenovo and Superfish violated the U.S. Electronic Communications Privacy Act, among other laws, and has asked the court to order the firms to hand back any revenue earned from selling consumers’ browsing data and from the adware’s advertising.

Another plaintiff, Jessica Bennett, states that her laptop was damaged as a result of Superfish, and accuses Lenovo and Superfish of profiting by invading her privacy.

Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base…I cannot overstate how evil this is.” Superfish is far more than a pesky ad injector; it undermines the security of every machine it is installed on.

Superfish installs the same self-signed root certificate, with the same private key, on every affected Lenovo machine. That root lets the adware intercept and re-sign HTTPS traffic in order to inject ads, but it also pokes a gigantic hole in browser security: once the shared private key is extracted from a single laptop (which researchers quickly did), anyone on the same Wi-Fi network can mint a certificate for any site, silently hijack the browser’s “secure” connections, and collect bank credentials, passwords and anything else you might conceivably type there.

For companies the exposure is worse: confidential business data and employee credentials on any affected laptop are at risk.

Errata Security’s Robert Graham said, “I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot.”
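The shared-root failure described above, as an added example that is not code from the original page, from Lenovo or from Superfish: a freshly generated self-signed root and its private key stand in for the adware’s root, a certificate for a constructed banking hostname is forged with that key, and Go’s standard X.509 verifier plays the role of the browser. Every organization name and hostname here is constructed for the demonstration; the real Superfish certificate’s details are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// newCA builds a self-signed root with a fresh key. It stands in both for the
// adware root (one copy of cert and key shipped to every machine) and for a
// legitimate public CA. All names are constructed for this example.
func newCA(org string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: org + " Root", Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// forgeLeaf mints a server certificate for any hostname using the root's
// private key. Once that key is extracted from one laptop, an attacker on the
// victim's network can do this for any site the victim visits.
func forgeLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts mirrors the browser's check: does the presented certificate
// chain to a root in the machine's trust store and match the hostname?
func browserAccepts(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// suspiciousRoots is the cleanup check: common names of trust-store roots
// issued by an organization that has no business being a root CA.
func suspiciousRoots(store []*x509.Certificate, badOrg string) []string {
	var hits []string
	for _, c := range store {
		for _, o := range c.Subject.Organization {
			if strings.EqualFold(o, badOrg) {
				hits = append(hits, c.Subject.CommonName)
			}
		}
	}
	return hits
}

// Demo reports whether a forged banking certificate is accepted on a laptop
// carrying the shared adware root and on a clean laptop trusting only a
// legitimate CA.
func Demo() (bool, bool, error) {
	adwareRoot, adwareKey, err := newCA("Example Adware, Inc.")
	if err != nil {
		return false, false, err
	}
	legitRoot, _, err := newCA("Example Public CA")
	if err != nil {
		return false, false, err
	}
	const host = "online-banking.example.com" // constructed target hostname
	forged, err := forgeLeaf(host, adwareRoot, adwareKey)
	if err != nil {
		return false, false, err
	}
	tainted := x509.NewCertPool() // the trust store as the preload left it
	tainted.AddCert(legitRoot)
	tainted.AddCert(adwareRoot)
	clean := x509.NewCertPool() // the same store without the adware root
	clean.AddCert(legitRoot)
	return browserAccepts(forged, tainted, host), browserAccepts(forged, clean, host), nil
}
```

On the clean store the forged certificate fails with “certificate signed by unknown authority”; with the adware root present it verifies cleanly for the bank’s hostname, which is exactly the condition Graham exploits at the café. Note that the forged leaf has a valid hostname SAN and a proper issuer chain, so nothing in the TLS handshake itself looks wrong to the browser; the only fix is to remove the root from the trust store (the `suspiciousRoots` check) and the software that re-installs it.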

Our deja-vu comes from the Sony BMG DRM rootkit scandal of 2005, in which Sony’s copy-protection software silently installed a rootkit on users’ Windows PCs whenever certain music CDs were played. Other malware could hide behind that rootkit’s cloaking, so in its greed Sony compromised the security of millions of users without actually stopping piracy.

Lenovo claims it installed Superfish to “enhance our users’ shopping experience.”

Court Lets Privacy Policy Lawsuit Against Google Proceed, For Now

In the tech world, Google may be the 800-pound gorilla that usually gets its way, but that doesn’t mean the federal courts will roll over and play dead when privacy concerns are raised about how the tech behemoth uses personal data across its various platforms and tools.

A federal judge in California rejected the search giant’s request to dismiss a privacy lawsuit alleging that Google acted improperly when it consolidated the separate privacy policies of its wide range of products into a single unified policy, one that allows Google to merge user data gathered from many different tools, including the Android mobile operating system. The suit accuses Google of making this change without the consent of users, many of whom had agreed to privacy policies quite different from the new one. According to the plaintiffs’ attorneys, Google not only made this unauthorized change, which could expose users’ information to third parties without informed consent, but still provides no way for affected consumers to opt out.

While having one giant database of user data to crunch in the era of “big data” is no doubt appealing to companies like Google, there is growing pushback from angry consumers, some of it leading to litigation. Lawyers have had to be creative, though, because the law is still coming to terms with how to value a person’s right to privacy when they have willingly engaged with a website. While some suits have succeeded in making companies like Amazon change their tracking behavior, plaintiffs still face an uphill battle in getting the legal system to compensate them for privacy violations.

Even when these cases are filed and survive the big tech companies’ motions to dismiss or for summary judgment, there is the problem of showing what actual “harm” the plaintiffs suffered (especially in less meritorious cases) when a website they chose to visit did not alert them to cookie tracking, or failed to provide a written privacy policy that the vast majority of visitors would never read anyway. Where no financial data is breached and the “victim” can point to no monetary loss, lawsuits are unlikely to cost these companies much, and they have little incentive to change their behavior.

Given the courts’ resistance to awarding more than nominal damages in such suits, privacy advocates are increasingly concerned by the “no harm done” view that arises because “victims” find it difficult to point to actual economic damage when their personally identifiable information is at stake. In the post-Snowden era, consumers (and their attorneys) are showing far more resistance to violations of privacy policies written by the very same tech companies that now attempt to skirt them to maximize revenue.

American Bar Association cautions against file sharing lawsuits

The American Bar Association is urging its 400,000-lawyer membership to be more prudent and show restraint when it comes to filing online file-sharing lawsuits.

In a detailed whitepaper advising the US Government on how to best tackle online piracy, the association writes [PDF]: “Finally, while it is technically possible for trademark and copyright owners to proceed with civil litigation against the consuming public who affirmatively seek out counterfeited products or pirated content or engage in illegal file sharing, campaigns like this have been expensive, do not yield significant financial returns, and can cause a public relations problem for the plaintiff in addressing its consuming public.”

Instead, the paper suggests instituting SOPA-like anti-piracy measures, including injunctions against companies that host servers containing copyright-infringing material. In an interesting turnaround, the association says that lawsuits against individual file-sharers are ineffective and counterproductive as a whole.

The Intellectual Property Law division of the group noted as Exhibit A the litigation campaigns of the RIAA (Recording Industry Association of America) and MPAA (Motion Picture Association of America).

This 113-page memo has been largely overlooked in the press; TorrentFreak was the first site to report its existence. The ABA says that filing lawsuits against individuals has proven ineffective in the past and is unlikely to curb piracy rates.

For instance, the Recording Industry of America (“RIAA”) initiated a campaign several years ago against consumers who engaged in illegal file sharing of copyrighted music. During that time, the RIAA initiated lawsuits against over 18,000 individual users, most of whom paid a few hundred dollars in settlements to avoid the potential for statutory damages of $150,000 per infringing use. More recently, the RIAA has abandoned its former policy of directly bringing cases against consumers in favor of expanding its focus on educating the consuming public about avoiding piracy. The Motion Picture Association of America (“MPAA”) followed in the RIAA’s footsteps with its own set of lawsuits directed against consumers who engaged in the illegal file sharing of copyrighted films and other video, though on a vastly smaller scale. It, too, later abandoned this approach.

With this said, the preferable course of action appears to be legislation that targets infringing websites such as the torrent tracker The Pirate Bay. Since it is hard to prosecute site owners outside the US, a more indirect approach is suggested: legislation aimed at cutting off advertising revenue and halting the flow of funds through the cooperation of banks and payment processors. The whitepaper also calls for legislation that would allow injunctions against hosting companies that store the websites on their servers. Interestingly, the association could not reach a consensus on doing the same for domain registrars and search engines.

Many of these suggestions previously appeared in the oft-criticized SOPA and PIPA bills.

NSA knew in advance about disposal of Snowden data at The Guardian

The Associated Press has obtained a series of redacted emails and other documents indicating that US intelligence officials knew beforehand about British intelligence’s effort to destroy data held by the UK newspaper The Guardian. The emails show that then-National Security Agency director General Keith Alexander had been briefed on the plan days before GCHQ staff oversaw the destruction of a laptop at The Guardian’s offices in London.

On July 19, 2013, Guardian editor Alan Rusbridger agreed to destroy the data and the laptop it was stored on rather than hand it over to GCHQ, after British officials had increased pressure on the newspaper with threats of a police raid and prosecution under the UK’s Official Secrets Act. The documents, obtained by the AP from the NSA under the Freedom of Information Act, indicate that Richard Ledgett, then director of the NSA’s Threat Operations Center, and an unnamed member of the NSA’s “Media Leaks Task Force” emailed Alexander within hours of Rusbridger’s confirmation that the data would be destroyed; the email was headed “Guardian data being destroyed.”

Ledgett wrote, “Good news, at least on this front,” and forwarded an email from one of the redacted sources. Alexander in turn relayed the information to Director of National Intelligence James Clapper: “Jim- Here is the report I got.”

A day later, on July 20, 2013, only a few hours after the destruction of the Guardian laptop and its contents, Alexander briefed Clapper verbally on the operation; Clapper then sent a thank-you email to Alexander as a reply on the original email thread.

One month later, on August 20, at a White House press briefing, press secretary Josh Earnest fielded several questions about whether the US government had advance knowledge of the destruction of the data, stating, “I’ve seen the published reports of those accusations, but I don’t have any information for you on that… The only thing I know about this are the public reports about this.”