Lenovo’s Superfish nightmare is a sign that marketing tech has gone too far

The revelation that Lenovo has loaded harmful adware onto some of its laptops has sparked a discussion about whether marketing tech has crossed a line.

Lenovo’s customers have been complaining for months about a program that puts product plugs in search results. The software that enables these ads is called Superfish and came preinstalled on some of Lenovo’s laptops. While the marketing itself was annoying for customers, it turns out the adware was also dangerous.

A security researcher at Errata Security discovered that he could extract the computer’s security certificate along with the private key needed to decrypt web communications. As a result he was able to post up at a coffee shop with free Wi-Fi and view the activity of anyone with an infected Lenovo computer.

“It’s not just bad what they’ve done — it’s certainly questionable to begin with — but they’ve subverted the way SSL works and they’ve done it in a way that other people can exploit,” said Joe Siegrist, CEO of security firm LastPass. In the wake of Superfish’s unveiling, LastPass has launched a website that will let Lenovo users know whether they’re infected and if so, steps they can take to remove Superfish.

Siegrist says this isn’t the first time that marketing tech has made consumers vulnerable to hackers. Back in 2005, security experts realized Sony music CDs automatically downloaded a rootkit on computers, without the user’s consent, as a digital rights management tool. But the software also opened up a huge access security vulnerability — hackers could get onto your system and you wouldn’t know it.

It was a fiasco similar to the one Lenovo is facing and called into question whether a big corporate company had gone too far to save its bottom line.

With Lenovo, the question is slightly different: How invasive do marketers get to be before they cross the line?

We're sorry. We messed up. We're owning it. And we're making sure it never happens again. Fully uninstall Superfish: http://t.co/mSSUwp5EQE

— Lenovo United States (@lenovoUS) February 20, 2015

As our attention is increasingly fixed on a screen, be it mobile or otherwise, marketers are refining the ways they get ads in front of our eyes. Targeted advertising and tracking web activity is one of those methods. And it’s another annoying marketing measure that also has potential consequences for customers. To track you, marketers deploy tags on webpages.

“If the provider of that tag is compromised, then your data can be compromised. But even that is a different level,” said Siegrist.

He said that what makes the tag hack less severe is that the person deploying the tag will know when they’ve been compromised and can apply a fix. But it does still potentially put consumers at risk — and at what cost?

Siegrist hopes that this will be a wakeup call to companies and marketers that deploying undisclosed malware to sell ads is not OK.

“As soon as you put people in any danger, you’ve gone too far, and that has to be the line that this has gone too far.”