A year or eighteen months from now look for a settlement in the case. Each of the affected class members will be entitled to a $5 discount on an anti-virus product plus up to $25 if they can provide detailed documentation showing actual economic losses. Any money left over after the coupons and payments are made will be given to a charity hand picked by the plaintiff's attorney. There will also be injunctive relief in the form of Lenovo promising never to do it again, seriously this time guys. The representative plaintiffs will each be awarded $5,000. The class attorneys will be awarded $4 million. $750,000 will be set aside to pay a class action settlement processing company which will put up a website, send out notices, and process claims.
After a pro-forma hearing a judge will approve the settlement as fair, reasonable, and adequate.
The US has a protection against double jeopardy. If you've been sued once for something, you cannot be sued again (and again, and again) for the same thing. In most cases this is a good thing. It means that once the case is done, it is really done.
But companies have learned how to take advantage of it. If they think they are going to have to fight a class action lawsuit that they are likely to lose, THE COMPANY will go to some lawyers, and say, "If you bring this lawsuit against us, we will cooperate fully, cave in quickly, and we'll settle on modest terms."
Said lawyers have every incentive to cooperate. It is easy money, and the more reliable they are about following through, the more of this kind of work they can get.
And companies have every incentive to do this. Because occasionally class action lawsuits happen that the company did not set up like this. That's when you get huge claims like the ones that took down big tobacco, or the hot coffee lawsuit that McDonalds faced a few years back.
Anyone who trots out Liebeck v. McDonald's as an example of a "bad" lawsuit is just demonstrating that they're operating from a position based more on opinion than fact.
Liebeck sued McDonald's for actual costs of her medical treatment. McDonald's refused to pay for her injuries or admit fault. The jury awarded the massive punitive damages ($160,000 in actual damages and $2.7M in punitive) of their own volition, because the company's behavior was so egregious, was just one incident in an ongoing chain of similar ones (and for which they'd settled previous claims), and was obviously responsible for the third degree burns she suffered beneath her clothing.
You have made a common mistake. You have pattern matched what I said to commonly said things that you have an opinion on, and then have proceeded to respond on the belief that I said something that I did not say.
I never stated an opinion either way on whether this was a bad lawsuit. My statement was that it was a lawsuit launched without the cooperation of the company. Which is definitely true in that case.
That said I did need to check my facts because I called it a class action lawsuit when it wasn't. But that issue is completely unrelated to anything that you said.
While I won't deny not having given your comment as careful a reading as I perhaps could have, my motivation in posting my own had more to do with staving off a torrent of follow-ups that all came from the place of "opinions over facts" that I decried than it did criticism of your position.
My apologies for my ambiguity. I could have been far clearer about what I was trying to say, and my motivations for having said it.
I wanted to single out your comment as an example of a gracious apology and what I presume is the desired level of discourse at the Hacker News community.
I see both parts of the discussion are among the older members of HN, glad to see they're setting a good example :)
>You have made a common mistake. You have pattern matched what I said to commonly said things that you have an opinion on, and then have proceeded to respond on the belief that I said something that I did not say.
I wouldn't call this a mistake. It is a very accurate heuristic not just in this particular case but in online discussions in general. There will be errors, but deploying a heuristic instead of a perfect algorithm makes great sense when dealing with the internet. Less acceptable for something like a scientific paper.
So you won't bother reading what other people are saying, and instead will resort to spewing retorts based on your preconceived notions of what other people are stating? You must be a fun person to discuss with.
I'd say actually reading may be a better approach rather than to use an heuristic.
>So you won't bother reading what other people are saying
Perhaps you should read what I wrote then, because what I wrote was about a heuristic to identify intentions based on what was read. Would you suggest that in face-to-face discussions body language should be ignored when it disagrees with what a person says?
First off, the lawsuit was justified, but not because of the temperature of the coffee. The coffee was being served at industry standard temperatures (defined in terms of what _other_ companies in the industry serve their coffee at), despite what many claim. The primary problem is that their coffee cup design was defective, and was prone to collapsing.
In response to the lawsuit, McDonald's has not changed the temperature of their coffee. If you order a black coffee at a McDonald's today (or at many other shops), it may very well be just as hot as the coffee that disfigured Liebeck in 1994. So for the love of god, don't spill coffee on yourself! Coffee as cool as 140F can cause third degree burns in mere seconds. That is well below what anybody serves coffee at. Coffee is dangerous. It's just that simple.
Where did this meme of "Liebeck v. McDonald's was actually 100% reasonable, and anyone who thinks otherwise is a fool" come from?
In the immediate aftermath of the lawsuit, many Americans became extremely critical of any personal injury lawsuits. It appeared as though if it continued, the livelihoods of personal injury lawyers might be threatened. So an informal propaganda campaign was launched, featuring some selective truth (the burn photographs) and some lies (the idea that the coffee served to her was way hotter than coffee you and I are used to). These sorts of lawyers are extremely good at being convincing, that is pretty much their job after all, and in a non-adversarial context it is not surprising that they are able to convince most people.
> So an informal propaganda campaign was launched, featuring some selective truth (the burn photographs) and some lies (the idea that the coffee served to her was way hotter than coffee you and I are used to).
Exactly. The other effect is to move the Overton window. Prior to the propaganda campaign, those of us who would have said Liebeck wasn't even entitled to compensation for her actual medical costs would have been branded as unsympathetic and a bit cold-hearted. Now, we'd be considered baby-eating monsters with opinions too radical to be a part of public discourse.
> These sorts of lawyers are extremely good at being convincing, that is pretty much their job after all, and in a non-adversarial context it is not surprising that they are able to convince most people.
It's like the old adage, "Don't make enemies with people who buy ink by the barrel," taken to the next level. Lawyers ru(i)n almost everything in America.
I don't think the parent comment was referring to Liebeck v. McDonald's "as an example of a 'bad' lawsuit." I think they were using it as a point to demonstrate what happens when a company gets sued by a force outside of their control. I know it's easy to jump on someone over this often mis-quoted lawsuit, but please pay more attention to the context next time.
I accidentally gave you an upvote (I'm a noob at this UI) and I can't figure out how to take it back. Please read the thing you are replying to before replying next time.
That's not double jeopardy - double jeopardy is a criminal law concept, and we're talking about civil lawsuits.
You can be sued for the same act by multiple people, though you can't be sued BY THE SAME PARTY for that same act multiple times under a doctrine called res judicata.
You can usually opt out of a class action, and then sue again on your own - and you're entitled to your day in court to assert the claim against them. Though, since most people don't opt out, a class action does provide a way to settle the case with the vast majority of potential claimants.
If the defendant LOST the earlier case, they may even be precluded from re-litigating any issues resolved in it (and, by extension, prevented from defending themselves substantively). Though in some situations, like if it were easy for the claimant to join the earlier lawsuit, this may not be so. See Parklane Hosiery Co. v. Shore, 439 U.S. 322 (1979).
HBO ran a documentary on it and tort reform in general a few years ago; it wasn't just that she had been badly burned, but that there was a string of McDonald's coffee burn cases with smaller rewards and the jury felt that the company needed to be punished for negligence at that point. The award was many, many times larger than what Liebeck asked for.
Even if the coffee had killed her it's still stupid; let's put it this way: making the coffee inhumanly hot is just as smart as cleaning the cups with cyanide, but we don't have a law that forbids cup cleaning with cyanide (or a silly message in every cup about it).
Coffee and tea are usually made with boiling or close-to-boiling water. Water in an open container at sea level simply can't get much hotter than 'boiling'. The argument that the coffee was 'too hot' seems specious. Instead, the design of the cup is the more important issue - the company was serving hot coffee in a cup that was prone to failure.
Nor do we have a law against hot coffee. But if you do something negligent or with foreseeable harm then you may be liable, as McDonald's was, in a tort.
It's just as stupid for people who believe in personal liberty and responsibility, and it didn't make companies serve coffee any colder. They just put 'Hot Coffee' on the lids now, what a huge win.
Double jeopardy doesn't prevent someone from opting out of a class action lawsuit and suing separately.
Yes. But one individual probably does not have sufficient injury to represent a meaningful case for the company. The point is that you've blocked a second, larger, class action lawsuit. Which is what the company is actually scared of.
The hot coffee case wasn't a class action lawsuit.
They can be sued multiple times for multiple instances of the same injury type. This has been known to happen involving ADA accommodation & injury lawsuits where a state contracted provider doesn't learn their lesson the first time. The original lawsuit specifies plaintiffs, injury and covered time period, and usually requests an injunction to "prevent" future injury. The original lawsuit is settled, but the provider fails to take reasonable action, and so a new lawsuit is filed. The second lawsuit is usually not settled on "modest terms".
The "hot coffee" lawsuit was well justified, as the burns were serious and McDonalds did not learn from previous instances.
Disclaimer: I'm not a lawyer etc. please ask your lawyer for legal advice.
Right. The class action lawsuit is for all actions of the specified type over the specified period to members of the specified class who do not opt out. You do other wrong things, and you can get sued again.
I would love to see more information about the terms for the second lawsuit. Certainly you hear about cases with large settlements. But you don't hear about the routine cases. I don't know the mix.
That said, I do know that there are class action lawsuits which never really fix anything, no matter how many times they happen. As an example, consider printer ink. Every manufacturer has received class action lawsuits for their printers claiming to be out of ink when they are not. They have all settled them with coupons that are redeemable for amounts that are pretty meaningless. (About enough to cover one extra refill of ink.)
Did behavior change? I currently have a printer that was purchased last year, sees only light use (every month or two we'll print a few pages), and which has claimed to have run out of ink twice. It is on my mind because the second time was last week. I know that there is no way it actually used up the magenta ink. But it is currently unusable.
And it works! No matter how bad my experience is, I'm not motivated to buy another printer because I have no reason to believe that any other consumer printer will be honest with me. And even with the printer lying to me, I simply don't do enough printing for it to be cost effective to buy an expensive printer that I would trust.
> This is true, but do you know why it happens?
Because class actions were not created as vehicles for consumer action, but for efficient justice.
They are a judicially created way of doing things to make 20-30 lawsuits involving the same thing, sane.
That's it.
Even the main justice who created them "could not conceive of a modern function or a coherent theory for representative litigation."
Even then, rule 48 was opt-in until 1966, when a federal court rule change (i.e. not a law, just the court rules made up by a few federal judges) changed to make them opt-out.
This is what sprung up the industry you see today.
The rest of what you describe is simply a symptom of not building a coherent platform for mass-action, but instead a way to simplify lawsuits that involved 40 or so people.
That's not double jeopardy; that's just how a class action works. In the US, the plaintiff class is allowed to represent you unless you specifically opt out.
But to an extent you are right: if you've already been compensated (in the form of a $5 class action coupon) for the $??? privacy harm of a rooted computer? Then too bad - you should have opted out before your class settled.
> THE COMPANY will go to some lawyers, and say, "If you bring this lawsuit against us, we will cooperate fully, cave in quickly, and we'll settle on modest terms
Hmm. I wonder if the law firm bringing the case, specified in the docket as PRITZKER LEVINE LLP, has any history of doing this.
In 18 months no one will remember this. Honestly, corporations face basically no repercussions from customers because of doing stupid or outright malicious things.
Sony's been on my "do not buy" list since the rootkit debacle. They're missing out on sales of video games, cameras, and other consumer electronics (not to mention music and movies) for their misbehavior. And I know I'm not the only one who remembers.
That's good for you, and I fully support your decision, but I wish to posit an argument about Sony and their numerous "debacles" over the past decade starting from the CD Rootkit.
Do you remember when Sony went after GeoHot, George Hotz, and fail0verflow for his and their reverse engineering of the PS3 and the outrage and virtual pitchforks that were raised with others touting that they too would never purchase a SCEA/SCEI product again?
Remember even more outrage that was raised after PSN went down and it was revealed just how incompetent their internal network security was and how they allegedly stored unencrypted user information and used significantly insecure and broken cryptographic hashing algorithms?
In both instances, people said that they were done with Sony. Yet, the Xbox One has had significantly less adoption than the Sony PS4. Please note, I'm not going to argue that the people that said that they were no longer purchasing Sony products are the very same people that bought a PS4 over an Xbox One, but I am arguing that these people had a minuscule to nonexistent effect on the overall repercussions against Sony as to not matter.
Searching for "Xbox One PS4 Sales" brings up hundreds of articles ranging from just after launch up to this very day with month-by-month numbers landing from a 1.4 million unit difference in January of 2014, to a 1.7 million difference between the PS4 and Xbox One in the second quarter of 2014, and estimates at that time of 9 million PS4s sold globally versus 5 million for the Xbox One. An article from October of 2014 pegs the PS4 at a 40% lead over the Xbox One. This is a significant difference. Apparently, no one else cares how draconian or insecure a company treats their data, because only a few people remember the short term disasters over the long term entertainment value they receive from the products produced by these companies.
> Please note, I'm not going to argue that the people that said that they were no longer purchasing Sony products are the very same people that bought a PS4 over an Xbox One
Given the "currently playing" lists on e.g. Steam after a boycotted game releases? I'm going to make that argument. It seems most simply don't have the willpower to maintain a boycott until even, say, the first sale for a single game - nevermind a whole company long term. It's easily 90% noise. Talk is cheap.
> but I am arguing that these people had a minuscule to nonexistent effect on the overall repercussions against Sony as to not matter.
[citation needed]
While I'd be inclined to believe you're right based on the mentioned anecdata, that doesn't necessarily mean they'll have a minuscule effect on other companies, if consumers are ever sufficiently incensed to follow through on their word. Or avoid purchasing from them without making a big fuss about it, as I'm currently doing with Lenovo for at least my next purchase.
I'd also note that laptops are a bit more "fungible" than consoles and gaming networks, in the sense that you can easily find similar laptops with similar specs for anything you might want from Lenovo's lineup. You'll hear gamers talk about how they "need" the latest COD, or a PS4, but they're more likely to pun about "Hell" (if only out of amusement) than talk about how they "need" another Dell. Or Lenovo. Better chance of making a difference?
...that said, I'm not seeing any kind of significant dip in Lenovo's stock price around the Superfish debacle. Superfish doesn't appear to be publicly traded, although their placeholdered homepage is a good sign for bad things having happened to them.
I bought a Dell Precision M3800 for personal use a few weeks ago. It's available without a Windows license which was a plus (I live in Ubuntu-land). Only drawbacks so far have been a) the available Linux drivers for the Broadcom wireless seem a bit wonky and b) a lot of apps have issues with the high DPI display.
Macbook Pros and run Windows in a VM (VMware). With the SSDs on my Mac, it's literally faster than the beefy machine with spinning disks I had running Windows 7.
With Mac's Spaces, I can switch to another screen running Windows with Control-Rightarrow (using a non-Mac keyboard here). It's really seamless and I've never found a single drawback to it.
I've got a Dell e7440 which is a really nice compromise between portability and power. It's built out of something metal and has survived me taking it everywhere so far. 16GB RAM, 1TB SSD and an i7 does the job.
Sometimes. It's been about 6 months since the last one and I don't remember the model, though. We've been moving to Macbook Pros, mostly, with the odd Dell thrown in here and there. I don't like the Dells, though. The wifi on them always sucks and we need to get USB wifi dongles to make wifi reliable.
I will continue to order as many Lenovo machines as I need. It is more important to me that the vendor serves my needs than what HN thinks about them. I'm not buying something crappy for my purposes because HN is mad.
This is a strange comment. Most people I see on HN like Lenovo because of the quality of their machines. Where I can see a purchasing manager or head of IT against them at the moment is because they surreptitiously installed software which caused a security risk.
If you're fine with your company's data possibly being compromised in the future then continue your ordering from Lenovo.
I will still buy from them because I always make it a habit to do a clean install whenever I get a new computer just because of all the crap every vendor adds to consumer PCs.
From what I know (admittedly not a ton), many IT people have custom OS images they install on bulk PC purchases. If this is the case, then any malware that ships with Lenovo would be a non-issue, especially because this was the consumer line of Lenovos, not the business line.
However I could be wrong, and perhaps there are companies that feel betrayed. Custom images may be a thing only large companies do.
As a consumer, I still view Lenovo as the best PC hardware and would buy again but would probably be suspicious of any new purchase (as in, wipe the HD and install a store-bought copy of Windows myself). That said, I use the Thinkpad line which was unaffected by Superfish from what I know.
Not really. The 'just because HN is mad' makes it sound like all the people here are boycotting Lenovo for irrational reasons. I don't think HN is 'mad' at the company, they just have some legitimate concerns.
Ah, I think it's possible for HN to be rationally mad, but I still wouldn't weight that factor. I thought all pekk was saying is "I evaluate my needs, not HN's needs".
You are correct, but apparently this opinion is not okay to express on HN while it is always okay to say "I will never buy from Lenovo," even though the statements are mirror images of each other. There is a "right" opinion and a "wrong" one here.
People who actually cared about the Superfish incident will remember this, and that's where it counts and where it will hurt. Everyday Joe couldn't care less about Superfish.
Lenovo doesn't care that your individual security minded person had an issue with it, Lenovo cares that their volume purchasers continue to purchase in volume. They weren't impacted and they don't care.
There are basically no long term downsides to Lenovo for doing what they did.
And you know that how? News articles in the normal media titled "Lenovo spreading Spyware" reach exactly those normal customers, and it is quite possible that this has an effect. And further, those users interested in the stuff are the ones recommending laptops to others.
We simply don't know the effect because we know no sale figures, or do we?
It's a relevant question whether enough people care. The Sony rootkit scandal was (almost) as bad as this, yet it didn't make a dent in their computer sales and the Playstation sold better than ever.
As someone who hasn't bought a Sony labelled product since the rootkit scandal, not sure how much I agree... they definitely would have gotten far more from me when I've bought a couple large TVs, and two stereo systems since then... I even held out on a Bluray player for a long time (I didn't buy sony labelled at least).
Though it's akin to avoiding Bank America Corp in practice, they have their hands in every pot.
And yet their e-reader business failed. And they don't seem to have done so well on mp3 players (they were big money for other companies a few years ago). Their phone sales are weak compared to other companies with a similar product.
The thing these companies miss is that non-tech people ask their tech friends/family before purchasing new things... So piss off a few 100,000 of the techy people and that can translate over the next few years to millions of lost sales.
Probably, although I'll note that cy pres awards are under intense scrutiny these days in the various Courts of Appeal. Besides that, is the result unfair here? Did the average claimant even suffer $5 in economic losses?
Shouldn't the potential risk be taken into account as well? They basically disabled HTTPS for a large number of people for a significant amount of time, leaving them open to great financial risk due to compromised bank accounts and such. That roughly nobody took advantage doesn't change the fact that the risk was there.
I mean, if I fired a gun at your house but was lucky enough not to injure anybody, shouldn't my punishment still be more than the cost of fixing the bullet holes? Of course that's separate from the question of whether you should receive more than the cost of fixing the bullet holes.
That is essentially the difference between Criminal law and civil law. Civil suits are typically designed to make you whole. You get what you actually lost.
Sometimes punitive damages can be awarded, which can look at the egregiousness of the actions of the plaintiff. I don't know if those are available here.
Then I guess the followup questions are: why aren't criminal charges being brought, and (if they're actually not) why aren't punitive damages being awarded?
Punitive damages would occur after any trial victory. This is just the very first step, essentially a legal accusation.
As to why the government hasn't tried to indict for criminal charges, there could be many reasons. The case might not be good. They might be waiting. They may think it's small fry stuff.
So who is responsible in the DoJ for deciding that it's OK to let company directors do arms length crimes and they're going to look the other way.
Is there any question as to what Lenovo actually did, are they denying they exceeded their authorisation in accessing computers and MitM-ing things like bank transactions? If the facts aren't in dispute there then surely the only thing the court would need to do is work out how long the directors who authorised/oversaw [or negligently didn't oversee] this are going to be put in prison for.
Well, the CFAA has a handy little "choose your own adventure" like section listing the various naughty activities, where you could be guilty of a.2.B or a.7.A, etc. Which combo do you think Lenovo is guilty of?
What a self-serving law. All it deals with is atomic data and financial institutions. How in the hell does this ever get applied to people downloading too many webpages?
What would the criminal charges be? The best outline for a prosecution I've seen goes something like "CFAA, mumble mumble, spying is bad." What specific law was broken? Lay out the case. For bonus points, pretend you're the defense attorney, and then outline the defense's case.
I'm not really familiar enough with the law to say.
Let's say that some company builds a bridge that doesn't match the spec, to the point that it's dangerous. Maybe it falls down if any truck weighing more than 10 tons goes over it, when it was supposed to hold 40 tons. And let's further say that this weakness was the result of intentional cost-saving measures and a complete failure to investigate their consequences. But then let's say that the fault with the bridge was discovered after a few months before any 11-40 ton trucks had gone over it, so nobody actually died.
Would that be illegal under some sort of negligence or endangerment law? It certainly seems like it ought to be. Lenovo's actions are basically equivalent, except that it was (probably) just property at risk, not lives.
It looks like endangerment is indeed a criminal offense, and it doesn't require that the harm actually happens, just that the potential was there and that it was foreseeable. Would that actually apply here?
Fair questions. Civil engineering projects may not be the best analogy, because there are some special laws in that space, but maybe consider automobile recalls. How many people went to prison because a car's brakes or ignition didn't work? Criminal product liability is pretty rare afaik.
Criminal proceedings against an entire company don't result in people going to jail, right? Holding people personally responsible is probably not appropriate with this, but holding the entire company criminally responsible and levying fines well in excess of actual damages seems reasonable.
Regarding automobile recalls, it looks like GM got hit with some fines for their ignition switch shenanigans, beyond actual damages. But it looks like this is a regulatory thing rather than a criminal thing. Maybe this is another place where special laws get in the way of generalizing.
They can be, but that allows criminal proceedings against the officer, it doesn't change that proceeding against the company, as such, cannot result in any individual going to jail, since the individual isn't the company (they are distinct legal persons) and one person can't be sent to prison based on another person being convicted of a crime.
COMPLAINT FOR:
1) VIOLATION OF COMPUTER FRAUD AND ABUSE ACT (18 U.S.C. § 1030, et seq.);
2) VIOLATION OF FEDERAL WIRETAP ACT (18 U.S.C. § 2510, et seq.);
3) VIOLATION OF THE STORED COMMUNICATIONS ACT (18 U.S.C. § 2701, et seq.);
4) VIOLATION OF CALIFORNIA INVASION OF PRIVACY ACT, PENAL CODE §§ 631, 637.2;
5) VIOLATION OF CALIFORNIA BUS. & PROF. CODE § 17200, et seq.;
6) TRESPASS TO CHATTELS;
7) COMMON LAW FRAUD; and
8) NEGLIGENT MISREPRESENTATION
Thanks, though I'm a little suspicious when I see this:
2) VIOLATION OF FEDERAL WIRETAP ACT (18 U.S.C. § 2510, et seq.);
3) VIOLATION OF THE STORED COMMUNICATIONS ACT (18 U.S.C. § 2701, et seq.);
You'd think one or the other, no? (AFAIK Superfish didn't touch anything even remotely covered by SCA). This looks like classic "all of the torts" shotgun filing. Which makes sense for a civil case, but it's not much of a guide as to what criminal cases would be viable.
>Which makes sense for a civil case, but it's not much of a guide as to what criminal cases would be viable.
But that is the guide book for criminal proceedings against individuals. The prosecutor dog piles on every single charge they can and then offers a scaled down plea bargain.
I know that outright cy pres settlements are on the outs, but are residual cy pres clauses also under the same scrutiny? If so, change that clause to the company keeps whatever is left in the compensation pool.
As for unfairness, I think the entrepreneurial class action system to punish very diffuse harms amounts to an inefficient regulatory regime and that inefficiency results in higher prices for everyone as compared to a more efficient system.
Is there a more efficient system? That's not a rhetorical question. Especially for cases like these where actual damages are either speculative or small enough that they wouldn't ring the bell of government prosecutors. I think a compelling answer is: do nothing, let the reputation economy handle the situation. But the reputation economy works on information, and litigation generates a lot of very good (vetted and authenticated) information.
Re: cy pres awards, while Pearson v. NBTY (out of the 7th Circuit) did not involve a residual award, it did strongly imply that they would be unreasonable when, as here, the class members could be individually identified and compensated directly. More generally, after the 7th Circuit's recent cases on the subject, cy pres awards are low hanging fruit for objectors and plaintiffs' counsel have an incentive to structure settlements to avoid such challenges.
Without writing an entire law review article in the comments, I'd say if no government (state or federal) can be bothered, given that they could almost certainly get a fine for less than $4 million (that's a lot of GS-11 man-hours) then reliance on the reputation economy seems like a good alternative.
And while discovery can be useful for getting information, in this case the information was publicized based on the workings of a different reputation economy (the security research community).
There may be some case that slip through the cracks, but I am unconvinced that the sui generis (to the US) opt-out class action mass tort system does more good than harm.
There are several different economic losses to calculate here, each surpassing $5.
There is the cost of removing the malware, and cleaning up any damages it caused. This is normally done by estimating how many hours a professional would spend on it, and the wages they would demand.
Second is the for-profit claim of "TRESPASS TO CHATTELS". If someone goes and steals a car to run a taxi service, one would look at the ill-gotten gains as well as the potential economic loss the car owner might have sustained from not having access to the car. "Borrowing" other people's cars once the owner has parked them is not risk free, and the law recognizes this beyond just looking at used-up gasoline.
Didn't Lenovo release an update that removed the program? The relevant question for the court is probably, how many hundreds of dollars did the average Lenovo customer spend on professional Superfish removal? And the answer is probably zero.
Uninstalling Superfish doesn't remove the dodgy root certificate that it installed (which is the dangerous bit). As per Lenovo's guide[0] that still has to be done manually.
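For anyone who wants to confirm that the root certificate really is gone, here is an added example (not Lenovo's removal tool and not code from anyone in this thread) that searches the Windows root stores for a CA naming Superfish and removes any hit. It assumes the certificate can be identified by the string "Superfish" in its Subject or Issuer, which is how the cert presented itself; the function name is invented for the example.

```powershell
# Added example, not Lenovo's removal tool and not code from the thread.
# Finds any root CA whose Subject or Issuer names Superfish in the Windows
# trust stores and removes it. Run from an elevated prompt: modifying
# Cert:\LocalMachine\Root requires administrator rights.

function Find-SuperfishRoot {
    # Both the machine-wide and the per-user root stores are checked;
    # a cert in either one is trusted by the Windows TLS stack (SChannel).
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
    }
}

$hits = @(Find-SuperfishRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
}
else {
    foreach ($cert in $hits) {
        Write-Output ('Removing {0} (thumbprint {1}) from {2}' -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
        # The Cert: provider supports Remove-Item; this deletes the certificate
        # from the store. Windows may show a confirmation dialog for the
        # per-user root store.
        Remove-Item -Path $cert.PSPath
    }
    # Search again so the script reports a verified end state instead of
    # assuming the removal succeeded.
    if (@(Find-SuperfishRoot).Count -eq 0) {
        Write-Output 'Verified: Superfish root certificate no longer present.'
    }
    else {
        Write-Warning 'Superfish root certificate still present; re-run from an elevated prompt.'
    }
}
```

This only covers the Windows certificate stores. A browser that carries its own trust store (Firefox) is not touched by it and needs to be inspected separately.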
Having read several court cases, I can say I have never seen the court trying to answer the question about how much the average victim would spend on repairs. It's not a question easily answered or found evidence for, and the court does not have the ability to send out a survey.
What I do normally see is the court looking for guidelines regarding damages, and here the relevant question would be what an average person would have to pay in order to remove the malware and restore damages. A lawyer could present rates that reputable repair shops have charged clients, and the defense lawyer could argue that the update helped reduce the time a professional would take.
The removal tool still needs to be downloaded and run as per Lenovo's website (http://news.lenovo.com/article_display.cfm?article_id=1931&v...). The malware still exists in laptops today and a professional would have to download the file, run it, and verify the removal of the malware to repair the machine.
Yes. People spent $700 on what were supposed to be their own computers, following their own wills. In fact they got computers which ignore their instructions (i.e. to fetch a webpage) and instead fetch the modified version that Lenovo's partners want them to see. The computers are not their own, they are Lenovo's. Full refunds are in order.
Good luck separating from the class and pursuing the claim in court. Though honestly you might have a shot if the hardware is something you could push in your local small claims. Think the "windows refund"
Still, it's better for this to be in the open, with all the bad PR associated to it, so that companies will think about it twice before pulling similar stunts in the future.
>so that companies will think about it twice before pulling similar stunts in the future //
Is that how it will pan out though? I'd imagine it's more likely to be that Lenovo get away with paying a little of their profits out in the class action but still overall profit from the whole deal. Then companies will be encouraged to do so as long as, when they factor in the cost of the lawsuit, they still come out on top.
IMO penalties should be such that a company doing this sort of thing makes no profit and is at a very real risk of having to be liquidated if they already weren't making a profit. For large companies the payout should be measured in $100 millions as that's the only sort of level of fine that will be noticed.
Directors in charge of that section that authorised or actioned the activity should be barred from being directors again and where appropriate face criminal charges. In Lenovo's case if they can ever afford to do this again and if the controlling elements (or those who should have exercised control according to the org chart) aren't prosecuted under eg CFAA then the punishment will be too small.
Yes the attorneys will get most of the money but it's still A Good Thing™ because Lenovo will pay millions in punitive fees that should serve as a deterrent to them and others.
I think you are drastically underestimating this. $4M likely won't cover the bill for making copies of the discovery. Firms in similarly underwhelming class action cases have received $50M-$100M.
Not true. The customer will see the company getting punished which is worth a lot more. They will think twice about doing something idiotic next time. This is what I call using your lawyer powers for good (and profit).
The analogy is getting your car stolen and telling the police, who find the car, keep it for their effort, and let you keep (one of) the floor-mats. You are saying that this is fair because the thief ended up in jail.
The main point is that it makes a clear punishment for the company; so that others think before doing it themselves.
If the cost of losing the case is high enough, all manufacturers will learn to be cautious about including 3rd party software on their laptops.
"Additionally, the large security hole created by the Superfish program can easily be breached, because the security key for the single self-signed root certificate used by the Superfish program has been broken and published on the internet. It took one computer security researcher less than 15 seconds on-line to obtain the security key for the Superfish root certificate."
It's interesting that they are sticking to the original narrative when the situation was actually far worse as I originally disclosed here on HN & which was later written about by Filippo Valsorda on his blog.
"Notably, Lenovo did not preinstall the Superfish program on any of its computer models that were marketed to businesses or more sophisticated computer users."
> Not necessarily. Many of the higher end and business models come without spyware of any kind, not just this particular piece of software.
I like that you said spyware, whether intentionally or not.
Most people call these programs "crapware," "junkware," "bloatware," or third-party pre-installed software. Though generally speaking this third-party junkware isn't expressly designed to be spyware. Nevertheless, with cases like Superfish, the line between spyware and junkware is vanishingly faint.
Couple of things here. Large companies most likely reimage the devices with enterprise license. For example, we order based on hardware configuration. Our company uses HP for everything, so we purchase the business class equipment with 3 year warranty on everything. Also, we don't use the version of Windows that comes with the devices, we reimage all our systems with our own using System Center Configuration Manager.
The only updates we may be concerned with are BIOS ones, given our full disk encryption's compatibility with Check Point. None of our systems have any HP software so we don't need updates for those. We also control updates like Java, Flash, and Windows ones too via SCCM.
I'd wager ChristianBundy was referring to device drivers that would come from HP for things like the graphics card or CPU's built-in graphics processor. Often, these start out as an Intel chip but are then slightly modified by the laptop builder so that the base OEM drivers should no longer be used. Many times, these drivers are not distributed via Windows Update. As such, the drivers wind up out of date, continuing to use what was in the base image... sometimes the generic version included on Windows Update. This can often lead to system instability, particularly where browsers come into play on corporate systems (that's usually the most graphics intensive thing they do). Folks like Mozilla and Google maintain driver blacklists to disable hardware acceleration when one of these outdated and buggy drivers is detected (here's Mozilla's: https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drive... ). So, the browser will run a bit slower. More importantly, text won't render anywhere near as well... approaching unreadability on some sites.
In general the big PC makers will have all their hardware drivers available for download, and if you need a specific driver you can just add it to your base image (assuming it's not already handled for you by Windows updates)
It's a lot easier to add HP's drivers to a base image than it is to turn an HP base Windows install into something configured the way we want.
But Superfish was directed to consumers with the intent of personalisation, which is generally not in line with business users (though in practice, many people use business machines to do their personal shopping).
Going through the list of complaints, it really sounds as if it should have been a criminal procedure, not civil. One then wonders why that isn't the case here.
It would seem to be a violation of the DMCA, as it is software preinstalled to allow the eventual side-stepping of the end-user's security measures (using an HTTPS-capable browser).
"It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself."
EDIT: Considering the huge number of victims systematically targeted on an ongoing basis, perhaps RICO would apply too. Certainly RICO is brought to bear by prosecutors when trying to intimidate less resourced individuals.
It would make my day to see companies (or the individuals who called for this retarded project) get punished under DMCA / RICO / CFAA. I bet we'd see those repealed real quick due to lobbying pressure if that kind of thing actually worked.
In the U.S., private prosecutions are not usually allowed. Additionally, government officials with prosecutorial authority have some amount of discretion in choosing which cases to prosecute and limited resources that prevent them from prosecuting every possible case. A private citizen cannot force prosecution, no matter how meritorious the case.
One strategy the DOJ uses is to let a civil case go forward and then piggyback off it. Let the private attorneys do the heavy lifting and then swoop in for an easy victory.
Also, the way the law is structured, it's typically easier to get information in a civil suit since defendants have fewer rights.
Well, there are surely more than three orders of magnitude more computers connected to the internet today than the 60,000 Paul Graham reports people guessing at in 1988.
Put another way, as dreadful as it is, Superfish was never at risk of partitioning the internet. The harm is restricted to those luckless individuals who purchased a Lenovo laptop in the particular time frame at issue; quite possibly a crime, but not, playing devil's advocate for reluctant prosecutors, a 'something must be seen to be done or I'll be lynched' level crime.
Consider what the outcome here would be if, instead of Lenovo expressly doing this, it was a single rogue employee who e.g. modified the system image used by the factory with the exact same software in the exact same way and took the ad profits.
Whatever would happen in that situation should happen here. I would guess prison time would be involved.
US Judges in civil cases can be obligated for the court to be informed that a crime has been committed, which is then referred to the prosecuting authority. The prosecuting authority still has discretion and is not forced to prosecute the matter.
The allegations here are of a criminal nature. If true, people need to go to jail here, in addition to any civil remedies arising out of the class action suit.
So put the corporation in jail; take its personal items and lock them away, don't allow any outside communications except through visits, no access to bank accounts, etc.
On a more serious note, what happens to the author[ing company] of the software used to inject ads? http://www.komodia.com/about
Apparently they do still include Windows Defender, which is described as "free anti-virus protection that never expires". Although it's a Microsoft product, I would place it close to third party junkware on the scale: in my experience, it often turns out to be the culprit if performance degrades over time, every now and then an update will completely break a box requiring some sort of restore disc or similar to get back up and running, and in any case it seems to add little value being so much less effective these days than a lot of other security software. At least it probably uninstalls cleanly if you do want to swap it out, though.
I found this an interesting, if somewhat inflammatory, criticism of the same Windows Signature programme:
I prefer Windows Defender to the alternatives since it's just as [in]effective and tends to lower performance less than the non-free alternatives. That said, the only times I use AV are when there's a non-negotiable company policy since it's been a losing game for decades.
Thanks for the link, I did not know that cleaner/pristine Windows installs are available out of the box. Out of curiosity, if these laptops are the same price as the ones laden with "crapware", why aren't consumers buying these instead? Is it awareness that they are available?
My guess is that it's a combination of limited selection and higher prices. The OEMs seem to be treating this as a premium feature so it's simply not on the radar for the people looking to buy the cheapest (i.e. ad-ware subsidized) PC.
I've bought a couple of these. They're sure nicer than the crapware-ridden vanilla consumer machines (where it takes me an hour or two to remove the crapware . . . and even then I'm not sure).
It wasn't that they were totally oblivious to the fact that junk/crapware was bundled with their OS, it was that they couldn't have a say in it because then that would be deemed an anti-trust violation. Antitrust laws are really good to encourage competition but they also have side effects like this.
I would call it "honesty", and it's very refreshing that they not only acknowledge the problem but offer a solution. Making fun of them for this is punishing good behavior and providing ammo to any number of marketing people at MS who would rather the company never admit that anything is wrong, ever.
I don't think one should be surprised. At least two reasons can be given:
1) "crapware" is not well-defined for all users, some utility that absolutely is annoying and unnecessary to medium to advanced users may be found useful by complete novices, e.g. the prototypical "your grandma".
2) The bigger cause is, of course, affiliate money. Companies have little backlash to crapware other than perhaps some lost sales due to disgruntled users. That's hard to quantify. The money you get from an affiliate whose crapware you preinstall is absolutely easy to quantify, though. This is definitely the mode of operation for cell phone companies. My Verizon phone comes with NFL apps and other crap that I can't even uninstall.
3) In lots of cases, though, it's the company's own additional software that is the crapware. Again, the cause is money; the tracking and/or usage data is worth a lot of money.
Unless there is a big punishment, large enough to really hurt these huge companies, the status quo will continue. That's why this particular lawsuit is so important.
Regarding (1), has any computer manufacturer ever installed anything we might call "crapware" that anyone ever found to actually be useful? Not something that grandma thinks is useful, but something that is actually useful to grandma (not quite the same thing!).
The rest is totally right, though. For any behavior by a company that seems to do more harm than good, you can usually trace it back to some decision-maker who is rewarded for the good parts but is not responsible for the bad parts. If your decisions cause $1 in gain for your department and $2 in loss for another department, many companies aren't smart enough to do anything but reward you and punish the other department.
I find the Lenovo battery manager mildly useful; not amazing, but enough that I installed it on a fresh Windows install on my work Carbon. It just gives me more granular control than the Windows power options.
Apple used to bundle demo apps and games with their computers. I for example remember getting a demo of a Tony Hawk skating game and a couple of other apps with an iBook.
iTunes isn't crapware on OS X. It is on Windows though, I think mostly because Apple doesn't want to put too many resources into iTunes on Windows.
iTunes on OS X runs better than any other music apps (that are not command line music clients like ncmpcpp) I've used, and I've used a lot. On OS X, I can't see why people would call it bloatware/crapware.
Though never conscious to me before, Macs are crapware free. I wonder how more often PCs would 'just work' if it only came with the OS and core drivers.
You also used to be able to buy a Sharpie marker at the same time as a CD purchase to defeat their rootkit installed from music CDs. I don't miss them too much either.
Lawyers in a class-action should have to accept the same currency in the claim as their "clients"--they get a pile of discount vouchers instead of a pile of cash.
Many of these computers don't even come with OS reinstallation media. They tend to have recovery partitions on the hard drives which will only restore the computer to its initial spyware-ridden state.
I downvoted your comment because of your implication that spyware wouldn't be a problem if only everyone were as sophisticated as you.
I was reading HN on mobile but decided to pull my laptop over and upvote you (then comment; can't comment on mobile app) not because I agree with you or agree/disagree with parent comment but because you were highly civilized with your comment and your downvote.
You made a counterpoint, you didn't insult (the use of the word 'nonsense' is really common in HN counterpoints), you downvoted, then you explained your reason for the downvote. In all this no flame-wars were set off.
I hope a lot of us will follow your path and make HN pleasant for everyone.
I don't think the comment implies any such thing. Suggesting mitigations for the current state of things doesn't in any way imply acceptance of the current state. At most, it implies resignation.
As much as this is a good idea, remember that most people who buy a laptop just want to take it home and have it work. Add to that point that reinstalling from scratch typically involves finding all the drivers all over again and spending hours running through all the Windows updates. This is something that most people DO NOT want to go through or have the knowledge to do.
Are drivers really such a problem still with windows? The past few laptops I've reinstalled worked out of the box with a fresh install. If not, it automatically got the drivers from windows update.
You can only get windows updates if your network drivers work. With the Lenovos, Dells, and HPs I've been coming across early, Windows 7 and 8 are broken out of the box, usually with no network drivers.
Strangely enough, Linux often works flawlessly with these same computers.
No more than any other vendor. They apologized about Superfish, not that it matters because such apologies are free. Superfish was pretty stupid, but I wouldn't use the preinstalled OS on any laptop anyway just for reasons like this which are NOT specific to Lenovo
You know, my father used to love motorbikes when he was young. Since he lived in a communist state (Poland) all he could get were Soviet-made motorcycles, which, as brilliant as they were, had a tendency to die suddenly after ~1000km even if you bought a new one. But my dad let me in on a secret - he said that even if you bought one new, you had to take it completely apart, including the engine, re-lubricate everything, replace seals with a different type, put it all together and then you got yourself the best bike in the world - it wouldn't fall apart after a few thousand km, it would serve you for years. He also used to believe that the ability to take apart and assemble a motorcycle is a good thing to learn.
Me? I believe it's great that I live in a free country where I can buy a new motorcycle and not have to take it apart to make it safe to use, or consider engine-building skill to be essential.
And as much as I enjoy working with software, I don't think reinstalling windows just to avoid spyware should be considered essential, or that regular people should have to know how to do it. For your regular Mr or Mrs Smith reinstalling is not a valuable skill - computers are tools which should just work.
There were a number of lawsuits that were filed against Lenovo as a result of Superfish. I believe the Joint Panel For Multidistrict Litigation will soon (May 28) hear argument about whether and where those cases should be consolidated for pre-trial matters. See: http://www.jpml.uscourts.gov/sites/jpml/files/Hearing%20Orde...
Rule #1 of buying any pre-packaged Windows computer: Clean install the OS from original MS disks, not from what might come with the computer. If you are running a business the cost is insignificant when compared with the aggravation and risk of crapware. This is also the reason we still build our own desktop computers: You know exactly what's in them, you can service them and generally get more performance and quality per dollar spent.
It's also amusing to me how many of the people who do this will install Windows from a "cracked" distro, as that is now more secure than what most manufacturers provide out-of-the-box. Sad when random ISO from public torrent tracker is more trustworthy than Official Disk Image from publicly-traded corporation.
It's the same as with anti-piracy warnings and ads you can't skip on original movies. The pirates don't have financial incentives to milk you, and they have all the incentives to get the best version working as soon as possible. So that's why you often get better stuff from them than you can buy.
The software was pre-installed on the machines. I guess it probably depends on what the user terms were for it. The statute requires "without authorization."
I'm surprised there isn't a negligence or products liability claim in here. Because one of the biggest problems isn't that they MITM attacked HTTPS to inject ads, but that they did it in a way that was recklessly insecure.
I'm pretty curious about who this "Sterling International Consulting Group" suing Lenovo is, their website (http://www.sterling-consulting.com/) 404s...
What I'm confused about is why anyone needs another human to explain to them that watching the same woman repeating the same verbatim speech in reaction to every user action is stupid.
It's usually someone who paid a lot of money to have that video created and wants to see it "put to use". They spend very little time browsing their own website after it is created and hope that they get some form of return out of it.
I've had clients request a video on every page - and sometimes they come back to me with "I was browsing my website and that video is annoying to have on every page. Please make it only the home page."
> It's usually someone who paid a lot of money to have that video created and wants to see it "put to use". They spend very little time browsing their own website after it is created and hope that they get some form of return out of it.
I purchased a Lenovo laptop in December, and it was one of the ones with SuperFish. They refused to give me a refund, because it was outside of their 30 day refund policy. It would be impossible to get a refund for SuperFish because the info came out in February and they were only infecting systems between September and December.
However, there is a happy ending to this story. I went through my credit card company to get a refund, and it was taken care of no problem. The CC company was incredibly responsive and shocked about SuperFish.
I'm quite pleased, as SuperFish aside, this is the worst computer I've ever owned (Y50 UHD.)
It was purchased directly from Lenovo with a Mastercard. I purchased the laptop in early December, though they did not deliver until after Christmas (first strike against Lenovo on this laptop.)
The chargeback just went through successfully on Friday. I have not heard anything from Lenovo yet regarding returning the laptop. I can keep you updated on this if you like.
The woman at MasterCard was very helpful and knowledgeable. She was surprised about SuperFish, but seemed to understand it. I use the laptop professionally and do systems work, so I explained how I basically could not use the laptop for work and had to spend time double-checking some of the work I had already done for clients.
There are also annoying hardware issues with this laptop, various intermittent problems causing crashes. I didn't get into that though, and just stuck with the Lenovo omitting fraud / laptop unusable for work narrative.
I always heard good things about Lenovo, but the late delivery, SuperFish, and hardware issues are enough to make me avoid the company like the plague.
Thanks for sharing the details. If enough people do this, it will provide visible feedback to Lenovo.
Historically, the Thinkpad brand was a gold standard in business notebooks, but they have sadly devolved into poor followers of Apple. Hopefully the Thinkpad brand can rediscover its innovative roots.
> "I always heard good things about Lenovo, but the late delivery, SuperFish, and hardware issues are enough to make me avoid the company like the plague."
"Good things about Lenovo" are usually in reference to the Thinkpad brand. The GP's hardware issues are unrelated to the historical reputation of the Thinkpad brand.
For me, the reputation of the Thinkpad extended to Lenovo itself as a company. Until this thread, I didn't realize I had an Ideapad instead of a Thinkpad. Now, this might make me come off as a poorly informed consumer, and I'll admit to that if you like. However, it was the reputation of the Thinkpad brand that made me make this purchase, and I am now suspect of all of Lenovo's brands.
The GP made an assessment ("hardware issues are enough to make me avoid the company like the plague") of the entire Lenovo brand, which includes the Thinkpad brand.
I found this article surprisingly clear. I expected to find an unreadable morass of legalese. Is the ill reputation towards legalese unjustified, or is the clarity of this article uncommon?
Just bought a Lenovo laptop over the weekend for my wife. Sounds to me like it's no longer being installed on the laptops, but will check it to make sure Superfish isn't there.
I'd format it with a fresh version of whatever OS came on it just to be safe. I actually have always done this when buying pre-built computers just to get rid of all the junk that comes from the manufacturer.
Well, I have a Nexus and I still see a few applications that I don't want and can't even remove. But you are right that it's better than others I've seen.
What's worse though is that they apparently don't have any QA whatsoever since they pushed an update that made the device basically unusable (keywords: Nexus 7 2012 Android 5).
Any Android 2.x I've touched was unusable piece of .. software. I seriously don't see how they dared to sell it to people. Can't even imagine what 1.x looked like. My experience with 4.x is much better in this regard.
Excellent suggestion. I highly second that. Yes, even though more and more vendors are making that harder. For example, claiming that reinstalling the OS voids your warranty.
Because then they wouldn't benefit from the crapware they installed, so they need to disincent you.
Not running crapware is theft, just like not watching commercials is theft. The only way they can afford to sell you a PC at those prices is by subsidizing their profit with crapware income. /s
It's challenging due to the multitude of vendor/model-specific device drivers that are also required for the computer to operate (mouse, network, wifi, usb, etc...).
Plus you need to have a separate OS license as well to make it work.
I have been Lenovo faithful for many years, although I mainly run Linux and keep a small Windows partition. I strongly recommend you reinstall Windows. Thankfully the regular Windows 7 (and presumably later) disks/USB images from Microsoft work.
The software you will want from Lenovo is their System Updater which can be installed on a fresh (non-Lenovo) Windows install, and will let you install drivers and similar software (nothing is forced, all up to you).
The one thing you won't be able to install is the various pieces of crapware, but that is a benefit.