
Lenovo Is Getting a Crash Course in Calculating Damages for Privacy Violations

What's the cost of a Superfish?

It turns out that shipping computers preloaded with software that badly compromises their users' security is a bad PR move, and potentially an expensive one too.

Late last week, a class-action lawsuit was filed against the computer company Lenovo and the software company Superfish, which made adware that came preloaded on certain Lenovo notebooks. The suit charges both companies with fraudulent business practices; making Lenovo PCs vulnerable to malware and malicious attacks; and using up bandwidth, power, and memory on laptops sold since January 2012. The lawsuit says over a million people were potentially affected.


Stephen G. Grygiel is an attorney who has litigated complex privacy rights cases and is one of the co-lead counsel for plaintiffs in a 2013 class action lawsuit against Google for slipping cookies, small tracking files that websites store in the browser, into web browsers without consent. He directed me to the Federal Wiretap Act's provision outlining the types and amounts of damages Lenovo and Superfish could be looking at.

How do you calculate monetary compensation for a privacy violation? It's not like having your web browsing spied on can be easily converted to a dollar figure. For cases like the one alleged against Lenovo and Superfish, the Wiretap Act provides that "the court may assess as damages" whichever is the greater of the sum of damages suffered by plaintiffs and profits made by Superfish and Lenovo, or "statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000."

Grygiel said that "the Wiretap Act's language, which says a district court 'may' assess statutory damages upon proof of a Wiretap Act violation, led to the spillage of a fair amount of legal ink about whether Wiretap Act damages are mandatory or discretionary."

However, he said, "many lawyers who practice in this area are keenly aware of the crucial practical point—if a court awards Wiretap Act statutory damages, the amounts can get very big very quickly. Depending on the number of violations and time period of the violation, civil damage exposure could pile up fast for Lenovo and Superfish."


In this case, the lawsuit is pursuing $5,000 per class member for violating the California Invasion of Privacy Act, and up to $10,000 per class member for the Wiretap Act count. The lawsuit states that the plaintiff doesn't know the exact number of people impacted but "Plaintiff believes that there are in excess of one million members of the Class located throughout the United States." In other words, the plaintiffs could be asking for as much as $10 billion in damages.

Superfish intercepts every encrypted (HTTPS) connection by sitting in the middle of it. It installs its own root certificate into the computer's trusted certificate store, and for each site the user visits it hands the browser a certificate it generated itself, signed by that root, in place of the site's legitimate one. Certificates are the system your browser uses to confirm that it is talking to the real site; because the Superfish root is trusted, the browser shows the connection as secure while the software reads what should be a private session, collects personal information, and injects its own ads into the pages the browser displays.

The lawsuit cited a Lenovo user who explained how Superfish basically compromises every site. "It sits between you and whatever sites you visit to monitor your sessions and extract information (it says photos) to serve you advertisements for similar products you may be looking for," a user Randune wrote on a Lenovo community board in January. "What's even more concerning is that it does this for HTTPS [encrypted] connections that the user would expect to be private between themselves and the server they *believe* they are securely connecting to."


What's worse is that Superfish used a single, self-signed root certificate, and shipped the same root and its private key on every affected machine. That root is what signs the forged site certificates, so it is not tied to the laptop it sits on: anyone who extracts the private key (it was pulled out of the software within a day of the story breaking) can sign a certificate for any website, and on a shared Wi-Fi network can silently impersonate that site to any Superfish-afflicted Lenovo machine and read traffic the user believes is encrypted.
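The two paragraphs above describe the trust model that makes Superfish dangerous: a root certificate trusted by the machine, plus a private key that anyone can get hold of, equals a certificate for any site the browser will accept. The script below is an added example, not the article's or Lenovo's or Superfish's own code; it reproduces that model with the openssl command-line tool on any Linux or macOS box. The root named "Superfish Inc." is a freshly generated stand-in, not the real Superfish key material, and the hostnames, file names and the WORK directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a self-made root CA plays the part of
# the root Superfish preloaded. Whoever holds its private key can mint a leaf
# certificate for ANY hostname, and a client that trusts the root accepts it.
# "Superfish Inc.", "Honest Root CA", the hostnames and $WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a self-signed root, standing in for the preloaded Superfish root.
make_root() {            # $1 = name, $2 = output basename
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=$1/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Forge a leaf certificate for an arbitrary hostname, signed by the given root.
# This is the per-site certificate the interception proxy hands the browser.
forge_leaf() {           # $1 = hostname, $2 = root basename, $3 = output basename
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$3.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Does the leaf chain to the given trust anchor? Prints OK or FAIL.
# This is the decision a browser makes when it trusts (or does not trust) the root.
chain_status() {         # $1 = leaf basename, $2 = trusted root basename
    if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The check a practitioner wants: who issued the certificate this site presented?
# A leaf issued by the interception root means the session is being intercepted.
issuer_of() {            # $1 = leaf basename
    openssl x509 -noout -issuer -in "$WORK/$1.pem" | sed 's/^issuer= *//'
}

demo() {
    make_root "Superfish Inc." superfish       # root trusted by every affected laptop
    make_root "Honest Root CA" honest          # a root the attacker does NOT control

    forge_leaf bank.example superfish mitm_bank    # proxy- or attacker-minted cert
    forge_leaf mail.example superfish mitm_mail    # same key mints one for any host

    echo "bank.example via Superfish root: $(chain_status mitm_bank superfish)"
    echo "mail.example via Superfish root: $(chain_status mitm_mail superfish)"
    echo "bank.example via honest root:    $(chain_status mitm_bank honest)"
    echo "issuer the browser would see:    $(issuer_of mitm_bank)"
}

demo
```

The two OK lines are the whole problem: nothing about the forged certificates is specific to the machine that generated them, so a copy of the root key on an attacker's laptop produces certificates that every Superfish-equipped machine on the same network will accept, while a machine that trusts only the honest root rejects them. On an affected Windows laptop the equivalent check is to look in the machine's trusted root store for a certificate whose subject names Superfish, remove it, and uninstall the Superfish software; a browser that keeps showing certificates issued by Superfish for sites like your bank is still being intercepted.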

Lenovo's CTO admitted to PC World that the company "messed up," and has released an easier way to uninstall the software, but it may be too late.

This was "unbelievably ignorant and reckless of [Lenovo]," Marc Rogers, a security researcher, wrote on his blog. "It's quite possibly the single worst thing I have seen a manufacturer do to its customer base."

The situation was bad enough for the US Department of Homeland Security to weigh in. US-CERT, the department's Computer Emergency Readiness Team, issued an alert Friday warning that Superfish's software contains "a critical vulnerability" and that "exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

The lawsuit against Google for sliding cookies into Microsoft and Apple browsers was thrown out because, as the judge wrote, "Google did not intercept contents as provided for by the Wiretap Act." Superfish, however, has admitted to intercepting at least images.

Companies like Lenovo are paid by companies like Superfish to preload software onto their laptops. But in this case, both may end up paying quite a bit.