Lenovo moves to calm sea of negativity after Superfish adware storm

Firm releases updated statement promising it didn't spy on customers

Lenovo has moved to calm concerns that it compromised laptop customers' privacy using the notorious Superfish adware.

The claims erupted on the Lenovo forum where a multitude of customers reported finding Superfish installed on their machines.

Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.

A Lenovo spokesperson moved to allay customers' concerns in a statement sent to V3, promising that only a small number of laptops have the adware installed and that the firm has stopped using it.

"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," read the statement.

"However, user feedback was not positive, and we responded quickly and decisively: Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active.

"This disables Superfish for all products in the market. Lenovo stopped preloading the software in January [and] we will not preload this software in the future."

The spokesperson added that, even if machines did have Superfish installed, the user's privacy was never at risk.

"To be clear, Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked or re-targeted," read the statement.

"Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognise that the software did not meet that goal and have acted quickly and decisively."

An Information Commissioner's Office (ICO) spokesman told V3 that the organisation is aware of the customer complaints and will be contacting Lenovo, despite the firm's assurances.

"We are aware of the concerns that have been expressed about Lenovo's handling of consumers' information and will be making enquiries to establish the full details," he said.

User reaction to the news that Lenovo was using Superfish was similarly negative on the company's user forum.

"I just bought a Lenovo G50 Notebook. And as you might guess it's also 'infected' with PUP (a SuperFish Software [that's the one which displays ads on webpages])," wrote one angered customer.

Another added: "This is more serious than just a simple socket mess up. Superfish Inc aka VisualDiscovery aka similar products will hijack ALL your secure web connections (SSL/TLS) by using self-signed root certificate authority, making it look legitimate to the browser.

"[This is a] bluntant [sic] man-in-the-middle attack malware breaking any privacy laws. I have requested return of the laptop and refund as I find it unbelievable that ... Lenovo would facilitate such applications pre-bundled with new laptops."

Adware is an increasingly grey area in IT, and many security experts view popular adware as unwanted, if not malicious, software.

Security firm Lookout went so far as to begin blocking any adware it viewed as malicious in 2013.