
Class action lawsuit filed against Lenovo over Superfish - jayess
https://www.unitedstatescourts.org/federal/cand/284981/1-0.html
======
bradleyjg
A year or eighteen months from now look for a settlement in the case. Each of
the affected class members will be entitled to a $5 discount on an anti-virus
product plus up to $25 if they can provide detailed documentation showing
actual economic losses. Any money left over after the coupons and payments are
made will be given to a charity hand picked by the plaintiff's attorney. There
will also be injunctive relief in the form of Lenovo promising never to do it
again, seriously this time guys. The representative plaintiffs will each be
awarded $5,000. The class attorneys will be awarded $4 million. $750,000 will
be set aside to pay a class action settlement processing company which will
put up a website, send out notices, and process claims.

After a pro-forma hearing a judge will approve the settlement as fair,
reasonable, and adequate.

~~~
btilly
This is true, but do you know why it happens?

The US has a protection against double jeopardy. If you've been sued once for
something, you cannot be sued again (and again, and again) for the same thing.
In most cases this is a good thing. It means that once the case is done, it is
really done.

But companies have learned how to take advantage of it. If they think they are
going to have to fight a class action lawsuit that they are likely to lose,
THE COMPANY will go to some lawyers, and say, "If you bring this lawsuit
against us, we will cooperate fully, cave in quickly, and we'll settle on
modest terms."

Said lawyers have every incentive to cooperate. It is easy money, and the more
reliable they are about following through, the more of this kind of work they
can get.

And companies have every incentive to do this. Because occasionally class
action lawsuits happen that the company _did not_ set up like this. That's
when you get huge claims like the ones that took down big tobacco, or the hot
coffee lawsuit that McDonalds faced a few years back.

~~~
rosser
Anyone who trots out _Liebeck v. McDonald's_ as an example of a "bad" lawsuit
is just demonstrating that they're operating from a position based more on
opinion than fact.

Liebeck sued McDonald's for _actual costs_ of her medical treatment.
McDonald's refused to pay for her injuries or admit fault. The _jury_ awarded
the massive punitive damages ($160,000 in actual damages and $2.7M in
punitive) of their own volition, because the company's behavior was so
egregious, was just one incident in an ongoing chain of similar ones (and for
which they'd settled previous claims), and was obviously responsible for the
_third degree burns_ she suffered _beneath her clothing_.

Please check your facts next time.

[https://en.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restau...](https://en.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants)

~~~
btilly
You have made a common mistake. You have pattern matched what I said to
commonly said things that you have an opinion on, and then have proceeded to
respond on the belief that I said something that I did not say.

I never stated an opinion either way on whether this was a bad lawsuit. My
statement was that it was a lawsuit launched without the cooperation of the
company. Which is definitely true in that case.

That said I did need to check my facts because I called it a class action
lawsuit when it wasn't. But that issue is completely unrelated to anything
that you said.

~~~
rosser
While I won't deny not having given your comment as careful a reading as I
perhaps could have, my motivation in posting my own had more to do with
staving off a torrent of follow-ups that all came from the place of "opinions
over facts" that I decried than it did criticism of your position.

My apologies for my ambiguity. I could have been far clearer about what I was
trying to say, and my motivations for having said it.

~~~
GFischer
I wanted to single out your comment as an example of a gracious apology and
what I presume is the desired level of discourse at the Hacker News community.

I see both parts of the discussion are among the older members of HN, glad to
see they're setting a good example :)

------
patcheudor
"Additionally, the large security hole created by the Superfish program can
easily be breached, because the security key for the single self-signed root
certificate used by the Superfish program has been broken and published on the
internet. It took one computer security researcher less than 15 seconds
on-line to obtain the security key for the Superfish root certificate."

It's interesting that they are sticking to the original narrative when the
situation was actually far worse as I originally disclosed here on HN & which
was later written about by Filippo Valsorda on his blog.

Original discovery:
[https://news.ycombinator.com/item?id=9078536](https://news.ycombinator.com/item?id=9078536)

Filippo's blog post:
[https://blog.filippo.io/komodia-superfish-ssl-validation-is-...](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/)

------
rshaban
"Notably, Lenovo did not preinstall the Superfish program on any of its
computer models that were marketed to businesses or more sophisticated
computer users."

That's a particularly damning accusation.

~~~
piyush_soni
I'm wondering how'd they figure out if a user (not business) is a 'more
sophisticated' computer user.

~~~
bpicolo
"models that were marketed to..."

------
belorn
Going through the list of complaints, it really sounds as if it should have been a
criminal procedure, not civil. One then wonders why that isn't the case here.

~~~
michaelhoffman
In the U.S., private prosecutions are not usually allowed. Additionally,
government officials with prosecutorial authority have some amount of
discretion in choosing which cases to prosecute and limited resources that
prevent them from prosecuting every possible case. A private citizen cannot
force prosecution, no matter how meritorious the case.

~~~
mfisher87
This is true, but one still wonders _why_ government officials haven't pursued
a criminal case.

~~~
roel_v
Because it's such a minor issue.

~~~
jellicle
Hacking several million computers is minor? What qualifies as major, then?

The Morris worm infected 2-3 orders of magnitude fewer computers...

[http://en.wikipedia.org/wiki/Morris_worm](http://en.wikipedia.org/wiki/Morris_worm)

~~~
tragic
Well, there are surely more than three orders of magnitude more computers
connected to the internet today than the 60,000 Paul Graham reports people
guessing at in 1988.

Put another way, as dreadful as it is, Superfish was never at risk of
partitioning the internet. The harm is restricted to those luckless
individuals who purchased a Lenovo laptop in the particular time frame at
issue; quite possibly a crime, but not, playing devil's advocate for reluctant
prosecutors, a 'something must be seen to be done or I'll be lynched' level
crime.

------
kazinator
The allegations here are of a _criminal_ nature. If true, people need to go to
jail here, in addition to any civil remedies arising out of the class action
suit.

~~~
tgbrter
Is it possible that the "cyber" laws are designed to be effective towards
individuals?

~~~
pavel_lishin
But corporations are individuals! Could two wrongs make a right?

~~~
seanp2k2
So put the corporation in jail; take its personal items and lock them away,
don't allow any outside communications except through visits, no access to
bank accounts, etc.

On a more serious note, what happens to the author[ing company] of the
software used to inject ads?
[http://www.komodia.com/about](http://www.komodia.com/about)

~~~
anonbanker
Or, direct 100% of net profits to the state, in order to pay the prisoner's
fines. The articles of incorporation should be sufficient to imprison.

Think this insane? Look up _in rem_ jurisdiction. You'll see cool lawsuits
such as "UNITED STATES V. $50,000 IN CASH". I'd consider that precedent.

------
wehadfun
Surprised that no one markets their computers as "crapware free".

~~~
acdha
Microsoft's trying to create a premium “Signature Edition” category with that
as the selling point:

[http://www.microsoftstore.com/store/msusa/en_US/cat/Signatur...](http://www.microsoftstore.com/store/msusa/en_US/cat/Signature-Edition-Computers/categoryID.69916600)

~~~
Animats
That's funny. Take a look at that link. Microsoft, itself, is talking about
how crappy their own product is in its normally delivered form.

~~~
nivla
It wasn't that they were totally oblivious to the fact that junk/crapware
were bundled with their OS, it was that they couldn't have a say in it because
then that would be deemed an anti-trust violation. Antitrust laws are
really good to encourage competition but they also have side effects like this.

------
paul_langston
Lawyers in a class-action should have to accept the same currency in the claim
as their "clients" -- they get a pile of discount vouchers instead of a pile of
cash.

------
lessthunk
.. reinstall any computer you get from scratch; Firmware Bios spying is of
course much harder to get rid of.

~~~
rubbingalcohol
Many of these computers don't even come with OS reinstallation media. They
tend to have recovery partitions on the hard drives which will only restore
the computer to its initial spyware-ridden state.

I downvoted your comment because of your implication that spyware wouldn't be
a problem if only everyone were as sophisticated as you.

~~~
tokenizerrr
You can just reacquire the installation media from elsewhere and reuse the
serial key.

~~~
dagw
Generally not. Unless Microsoft has changed their policy, you cannot use an
OEM key to install a retail copy of Windows.

------
jakewalker
There were a number of lawsuits that were filed against Lenovo as a result of
Superfish. I believe the Joint Panel For Multidistrict Litigation will soon
(May 28) hear argument about whether and where those cases should be
consolidated for pre-trial matters. See:
[http://www.jpml.uscourts.gov/sites/jpml/files/Hearing%20Orde...](http://www.jpml.uscourts.gov/sites/jpml/files/Hearing%20Order-5-28-15.pdf)

------
rebootthesystem
Rule #1 of buying any pre-packaged Windows computer: Clean install the OS from
original MS disks, not from what might come with the computer. If you are
running a business the cost is insignificant when compared with the
aggravation and risk of crapware. This is also the reason we still build our
own desktop computers: You know exactly what's in them, you can service them
and generally get more performance and quality per dollar spent.

~~~
seanp2k2
It's also amusing to me how many of the people who do this will install
Windows from a "cracked" distro, as that is now more secure than what most
manufacturers provide out-of-the-box. Sad when random ISO from public torrent
tracker is more trustworthy than Official Disk Image from publicly-traded
corporation.

~~~
TeMPOraL
It's the same as with anti-piracy warnings and ads you can't skip on original
movies. The pirates don't have financial incentives to milk you, and they have
all the incentives to get the best version working as soon as possible. So
that's why you often get better stuff from them than you can buy.

------
rhino369
I wonder how good the CFAA case will be.

The software was pre-installed on the machines. I guess it probably depends on
what the user terms were for it. The statute requires "without authorization."

I'm surprised there isn't a negligence or products liability claim in here.
Because one of the biggest problems isn't that they MITM attacked HTTPS to
inject ads, but they did it in a way that was recklessly insecure.

------
Tharkun
Can we also get a class action lawsuit started for their insistence on making
keyboards WORSE with every new product release?

------
rshaban
I'm pretty curious about who this "Sterling International Consulting Group"
suing Lenovo is, their website
([http://www.sterling-consulting.com/](http://www.sterling-consulting.com/)) 404s...

~~~
stanmancan
Link works fine for me. "Your source of Microsoft expertise and specialists in
Sharepoint"

~~~
verytrivial
Works for me too, but I wish it didn't after having that lady walk on the
bottom right every time I click a link.

------
superfished
I purchased a Lenovo laptop in December, and it was one of the ones with
SuperFish. They refused to give me a refund, because it was outside of their
30 day refund policy. It would be impossible to get a refund for SuperFish
because the info came out in February and they were only infecting systems
between September and December.

However, there is a happy ending to this story. I went through my credit card
company to get a refund, and it was taken care of no problem. The CC company
was incredibly responsive and shocked about SuperFish.

I'm quite pleased, as SuperFish aside, this is the worst computer I've ever
owned (Y50 UHD.)

~~~
walterbell
You filed a chargeback against Lenovo and kept the laptop, or returned it? Was
the laptop purchased from a dealer or direct?

~~~
superfished
It was purchased directly from Lenovo with a Mastercard. I purchased the
laptop in early December, though they did not deliver until after Christmas
(first strike against Lenovo on this laptop.)

The chargeback just went through successfully on Friday. I have not heard
anything from Lenovo yet regarding returning the laptop. I can keep you
updated on this if you like.

The woman at MasterCard was very helpful and knowledgeable. She was surprised
about SuperFish, but seemed to understand it. I use the laptop professionally
and do systems work, so I explained how I basically could not use the laptop
for work and had to spend time double-checking some of the work I had already
done for clients.

There are also annoying hardware issues with this laptop, various intermittent
problems causing crashes. I didn't get into that though, and just stuck with
the Lenovo omitting fraud / laptop unusable for work narrative.

I always heard good things about Lenovo, but the late delivery, SuperFish, and
hardware issues are enough to make me avoid the company like the plague.

~~~
walterbell
Thanks for sharing the details. If enough people do this, it will provide
visible feedback to Lenovo.

Historically, the Thinkpad brand was a gold standard in business notebooks,
but they have sadly devolved into poor followers of Apple. Hopefully the
Thinkpad brand can rediscover its innovative roots.

~~~
SamReidHughes
Thinkpads weren't affected by SuperFish.

~~~
walterbell
The Thinkpad comment was in reference to the GP comment about hardware issues.

~~~
SamReidHughes
The GP didn't buy a Thinkpad.

~~~
walterbell
Yes, the GP said:

 _> "I always heard good things about Lenovo, but the late delivery,
SuperFish, and hardware issues are enough to make me avoid the company like
the plague."_

"Good things about Lenovo" are usually in reference to the Thinkpad brand. The
GP's hardware issues are unrelated to the historical reputation of the
Thinkpad brand.

~~~
SamReidHughes
And they're unrelated to the present status of the Thinkpad brand, because
we're talking about an Ideapad.

~~~
superfished
For me, the reputation of the Thinkpad extended to Lenovo itself as a company.
Until this thread, I didn't realize I had an Ideapad instead of a Thinkpad.
Now, this might make me come off as a poorly informed consumer, and I'll admit
to that if you like. However, it was the reputation of the Thinkpad brand that
made me make this purchase, and I am now suspect of all of Lenovo's brands.

------
Double_Cast
I found this article surprisingly clear. I expected to find an unreadable
morass of legalese. Is the ill reputation towards legalese unjustified, or is
the clarity of this article uncommon?

------
bhartzer
Just bought a Lenovo laptop over the weekend for my wife. Sounds to me like
it's no longer being installed on the laptops, but will check it to make sure
Superfish isn't there.

~~~
stanmancan
I'd format it with a fresh version of whatever OS came on it just to be safe.
I actually have always done this when buying pre-built computers just to get
rid of all the junk that comes from the manufacturer.

~~~
rplnt
I wish we had this option for mobile (android) phones which are preloaded with
crapware (oftentimes permanently) even more than PCs are.

~~~
JupiterMoon
Well one can void one's warranty root and install cyanogen mod...

~~~
esMazer
and then have it freeze and restart every day -__- (I guess it's just my
particular experience and might not apply to everyone)

~~~
JupiterMoon
To be fair. I didn't do this I'm running what came on it and mine freezes and
restarts several times a day anyway...

~~~
rplnt
Any Android 2.x I've touched was an unusable piece of .. software. I seriously
don't see how they dared to sell it to people. Can't even imagine what 1.x
looked like. My experience with 4.x is much better in this regard.

------
api
Now can someone please do the same for Oracle and ask.com toolbar?

