Lenovo (United States) Inc.; Analysis To Aid Public Comment, 43013-43017 [2017-19385]
Download as PDF
<![CDATA[
Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices
letter. The collection of information
saves time for both licensees and
Commission staff since they are
received in IBFS electronically and
include only the information that is
essential to process the requests in a
timely manner. Furthermore, the Efiling module expedites the Commission
staff’s announcement of surrenders of
authorizations via Public Notice.
Federal Communications Commission.
Marlene H. Dortch,
Secretary, Office of the Secretary.
[FR Doc. 2017–19387 Filed 9–12–17; 8:45 am]
49.74 percent of the voting shares of 1st
Advantage Bancshares, Inc., St. Peters,
Missouri, and thereby indirectly acquire
shares of 1st Advantage Bank, St. Peters,
Missouri.
B. Federal Reserve Bank of Kansas
City (Dennis Denney, Assistant Vice
President) 1 Memorial Drive, Kansas
City, Missouri 64198–0001:
1. HYS Investments, LLC, to acquire
additional voting shares for a total of
26.48 percent of BOTS, Inc., and thereby
indirectly acquire shares of VisionBank,
all of Topeka, Kansas.
Board of Governors of the Federal Reserve
System, September 8, 2017.
Yao-Chin Chao,
Assistant Secretary of the Board.
BILLING CODE 6712–01–P
FEDERAL RESERVE SYSTEM
[FR Doc. 2017–19420 Filed 9–12–17; 8:45 am]
sradovich on DSK3GMQ082PROD with NOTICES
Formations of, Acquisitions by, and
Mergers of Bank Holding Companies
BILLING CODE 6210–01–P
The companies listed in this notice
have applied to the Board for approval,
pursuant to the Bank Holding Company
Act of 1956 (12 U.S.C. 1841 et seq.)
(BHC Act), Regulation Y (12 CFR part
225), and all other applicable statutes
and regulations to become a bank
holding company and/or to acquire the
assets or the ownership of, control of, or
the power to vote shares of a bank or
bank holding company and all of the
banks and nonbanking companies
owned by the bank holding company,
including the companies listed below.
The applications listed below, as well
as other related filings required by the
Board, are available for immediate
inspection at the Federal Reserve Bank
indicated. The applications will also be
available for inspection at the offices of
the Board of Governors. Interested
persons may express their views in
writing on the standards enumerated in
the BHC Act (12 U.S.C. 1842(c)). If the
proposal also involves the acquisition of
a nonbanking company, the review also
includes whether the acquisition of the
nonbanking company complies with the
standards in section 4 of the BHC Act
(12 U.S.C. 1843). Unless otherwise
noted, nonbanking activities will be
conducted throughout the United States.
Unless otherwise noted, comments
regarding each of these applications
must be received at the Reserve Bank
indicated or the offices of the Board of
Governors not later than October 10,
2017.
A. Federal Reserve Bank of St. Louis
(David L. Hubbard, Senior Manager)
P.O. Box 442, St. Louis, Missouri
63166–2034. Comments can also be sent
electronically to Comments.applications
@stls.frb.org:
1. Banc Investors, L.L.C., Town and
Country, Missouri; to acquire up to
FEDERAL RESERVE SYSTEM
VerDate Sep<11>2014
17:34 Sep 12, 2017
Jkt 241001
Formations of, Acquisitions by, and
Mergers of Bank Holding Companies
The companies listed in this notice
have applied to the Board for approval,
pursuant to the Bank Holding Company
Act of 1956 (12 U.S.C. 1841 et seq.)
(BHC Act), Regulation Y (12 CFR part
225), and all other applicable statutes
and regulations to become a bank
holding company and/or to acquire the
assets or the ownership of, control of, or
the power to vote shares of a bank or
bank holding company and all of the
banks and nonbanking companies
owned by the bank holding company,
including the companies listed below.
The applications listed below, as well
as other related filings required by the
Board, are available for immediate
inspection at the Federal Reserve Bank
indicated. The applications will also be
available for inspection at the offices of
the Board of Governors. Interested
persons may express their views in
writing on the standards enumerated in
the BHC Act (12 U.S.C. 1842(c)). If the
proposal also involves the acquisition of
a nonbanking company, the review also
includes whether the acquisition of the
nonbanking company complies with the
standards in section 4 of the BHC Act
(12 U.S.C. 1843). Unless otherwise
noted, nonbanking activities will be
conducted throughout the United States.
Unless otherwise noted, comments
regarding each of these applications
must be received at the Reserve Bank
indicated or the offices of the Board of
Governors not later than October 10,
2017.
A. Federal Reserve Bank of Kansas
City (Dennis Denney, Assistant Vice
President) 1 Memorial Drive, Kansas
City, Missouri 64198–0001:
PO 00000
Frm 00045
Fmt 4703
Sfmt 4703
43013
1. TIG Bancorp, Inc., and its newly
formed merger subsidiary, TIG Merger
Sub, Inc., both of Durango, Colorado; to
become bank holding companies by
acquiring Custer Bancorp, Denver,
Colorado, and thereby indirectly acquire
First State Bank of Colorado, Hotchkiss,
Colorado.
B. Federal Reserve Bank of
Philadelphia (William Spaniel, Senior
Vice President) 100 North 6th Street,
Philadelphia, Pennsylvania 19105–
1521. Comments can also be sent
electronically to Comments.
applications@phil.frb.org:
1. OceanFirst Financial Corp., Toms
River, New Jersey; to become a bank
holding company, in connection with
the conversion of OceanFirst Bank,
Toms River, New Jersey, from a federal
savings bank, to a national bank named
OceanFirst National Bank.
2. OceanFirst Financial Corp., Toms
River, New Jersey; to merge with Sun
Bancorp, Mt. Laurel, New Jersey and
thereby indirectly acquire Sun National
Bank, Mt. Laurel, New Jersey.
Board of Governors of the Federal Reserve
System, September 7, 2017.
Yao-Chin Chao,
Assistant Secretary of the Board.
[FR Doc. 2017–19358 Filed 9–12–17; 8:45 am]
BILLING CODE P
FEDERAL TRADE COMMISSION
[File No. 152 3134]
Lenovo (United States) Inc.; Analysis
To Aid Public Comment
Federal Trade Commission.
Proposed consent agreement.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis to Aid Public Comment
describes both the allegations in the
complaint and the terms of the consent
order—embodied in the consent
agreement—that would settle these
allegations.
SUMMARY:
Comments must be received on
or before October 5, 2017.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write: ‘‘Lenovo (United States)
Inc., Matter No. 152 3134’’ on your
comment, and file your comment online
at https://ftcpublic.commentworks.com/
ftc/lenovoconsent by following the
instructions on the Web-based form. If
DATES:
E:\FR\FM\13SEN1.SGM
13SEN1
43014
Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices
you prefer to file your comment on
paper, write ‘‘Lenovo (United States)
Inc., Matter No. 152 3134’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW., Suite CC–5610 (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610
(Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Linda Holleran Kopp, (202–326–2267)
and Tiffany George (202–326–3040),
Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington,
DC 20580.
Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for September 5, 2017), on
the World Wide Web, at https://
www.ftc.gov/news-events/commissionactions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before October 5, 2017. Write ‘‘Lenovo
(United States) Inc., Matter No. 152
3134’’ on your comment. Your
comment—including your name and
your state—will be placed on the public
record of this proceeding, including, to
the extent practicable, on the public
Commission Web site, at https://
www.ftc.gov/policy/public-comments.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
lenovoconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
sradovich on DSK3GMQ082PROD with NOTICES
SUPPLEMENTARY INFORMATION:
VerDate Sep<11>2014
17:34 Sep 12, 2017
Jkt 241001
If you prefer to file your comment on
paper, write ‘‘Lenovo (United States)
Inc., Matter No. 152 3134’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW., Suite CC–5610 (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610
(Annex D), Washington, DC 20024. If
possible, submit your paper comment to
the Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible FTC Web site
at https://www.ftc.gov, you are solely
responsible for making sure that your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC Web
site—as legally required by FTC Rule
4.9(b)—we cannot redact or remove
your comment from the FTC Web site,
PO 00000
Frm 00046
Fmt 4703
Sfmt 4703
unless you submit a confidentiality
request that meets the requirements for
such treatment under FTC Rule 4.9(c),
and the General Counsel grants that
request.
Visit the FTC Web site at https://
www.ftc.gov to read this Notice and the
news release describing it. The FTC Act
and other laws that the Commission
administers permit the collection of
public comments to consider and use in
this proceeding, as appropriate. The
Commission will consider all timely
and responsive public comments that it
receives on or before October 5, 2017.
For information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/
privacy-policy.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, an
agreement containing a consent order
from Lenovo (United States), Inc.
(‘‘Lenovo’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission again will review the
agreement and the comments received
and will decide whether it should
withdraw from the agreement or make
final the agreement’s proposed order.
This matter involves Lenovo, one of
the world’s largest personal computer
manufacturers, and its preinstallation
on certain consumer laptops of
VisualDiscovery, an ad-injecting
software developed by Superfish, Inc.
and customized for Lenovo.
VisualDiscovery injected pop-up ads of
similar-looking products sold by
Superfish’s retail partners whenever a
consumer’s cursor hovered over a
product image while browsing on a
shopping Web site. For example, when
a consumer’s cursor hovered over an
image of owl-shaped pendants on a
shopping Web site like amazon.com,
VisualDiscovery would show the user
pop-up ads of similar-looking owl
pendants. To do so, VisualDiscovery
acted as a ‘‘man-in-the-middle’’ between
consumers’ browsers and the Web sites
they visited, including encrypted
https://websites. This man-in-themiddle technique allowed
VisualDiscovery to see all of a
consumer’s sensitive personal
information that was transmitted on the
Internet, such as login credentials,
Social Security numbers, financial
account information, medical
E:\FR\FM\13SEN1.SGM
13SEN1
sradovich on DSK3GMQ082PROD with NOTICES
Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices
information, and email
communications. VisualDiscovery then
collected, transmitted to Superfish
servers, and stored a more limited
subset of user information, including
the Web site addresses visited by
consumers, consumers’ IP addresses,
and a unique identifier assigned by
Superfish to each user’s laptop.
Superfish had the ability to collect
additional information from Lenovo
users through VisualDiscovery at any
time.
To facilitate its injection of pop-up
ads into encrypted https://websites,
VisualDiscovery installed a self-signed
root certificate in the laptop’s operating
system. This allowed VisualDiscovery to
replace the digital certificates for
https://websites with VisualDiscovery’s
own certificates for those Web sites and
caused consumers’ browsers to
automatically trust the VisualDiscoverysigned certificates. Digital certificates
are part of the Transport Layer Security
(TLS) protocol that, when properly
validated, serve as proof that consumers
are communicating with the authentic
https://website and not an imposter.
As alleged in the complaint,
VisualDiscovery’s substitution of digital
certificates for https://websites with its
own certificates for those Web sites
created two significant security
vulnerabilities. First, VisualDiscovery
did not adequately verify that Web sites’
digital certificates were valid before
replacing them with its own certificates,
which were automatically trusted by
consumers’ browsers. This rendered a
critical browser security function
useless because browsers would no
longer warn consumers that their
connections were untrusted when they
visited potentially spoofed or malicious
Web sites with invalid digital
certificates.
The complaint also alleges that
VisualDiscovery created a second
security vulnerability by using a selfsigned root certificate with the same
private encryption key and the same
easy-to-crack password on every laptop
rather than employing private keys
unique to each laptop. This violated
basic encryption key management
principles because attackers who
cracked the simple password on one
consumer’s laptop could then target
every affected Lenovo user with man-inthe-middle attacks that could intercept
consumers’ electronic communications
with any Web site, including those for
financial institutions and medical
providers. Such attacks would provide
attackers with unauthorized access to
consumers’ sensitive personal
information, such as Social Security
numbers, financial account numbers,
VerDate Sep<11>2014
17:34 Sep 12, 2017
Jkt 241001
login credentials, medical information,
and email communications. This
vulnerability also made it easier for
attackers to deceive consumers into
downloading malware onto any affected
Lenovo laptop. The risk that this
vulnerability would be exploited
increased after February 19, 2015, when
news of these vulnerabilities became
public and bloggers posted instructions
on how the vulnerabilities could be
exploited.
The complaint alleges that Lenovo
failed to discover these significant
security vulnerabilities because it failed
to take reasonable measures to assess
and address security risks created by
third-party software it preinstalled on
its laptops. Specifically, Lenovo
allegedly:
• Failed to adopt and implement
written data security policies applicable
to third-party preinstalled software;
• failed to adequately assess the data
security risks of third-party software
prior to preinstallation;
• failed to request or review any
information prior to preinstallation
about Superfish’s data security policies,
procedures or practices;
• failed to require Superfish by
contract to adopt and implement
reasonable data security measures;
• failed to assess VisualDiscovery’s
compliance with reasonable data
security standards; and
• failed to provide adequate data
security training for employees
responsible for testing third-party
software.
The complaint alleges that Lenovo’s
failure was an unfair act that caused or
was likely to cause substantial
consumer injury that consumers could
not reasonably avoid, and that there
were no countervailing benefits to
consumers or competition.
The Commission’s complaint also
alleges that Lenovo failed to make
adequate disclosures about
VisualDiscovery to consumers. Lenovo
did not disclose to consumers that it
had preinstalled VisualDiscovery prior
to purchase, and the software had
limited visibility on the consumer’s
laptop. Lenovo only disclosed
VisualDiscovery through a one-time
pop-up window the first time
consumers visited a shopping Web site
that stated,
Explore shopping with
VisualDiscovery: Your browser is
enabled with VisualDiscovery which
lets you discover visually similar
products and best prices while you
shop.
The pop-up window contained a
small opt-out link at the bottom of the
pop-up that was easy for consumers to
PO 00000
Frm 00047
Fmt 4703
Sfmt 4703
43015
miss. If a consumer clicked on the popup’s ‘x’ close button, or anywhere else
on the screen, the consumer was opted
in to the software.
The complaint alleges that this popup window’s disclosures were
inadequate and violated Section 5 of the
FTC Act by failing to disclose, or failing
to disclose adequately, that
VisualDiscovery would act as a man-inthe-middle between consumers and all
the Web sites they visited, including
encrypted https://websites, and collect
and transmit certain consumer Internet
browsing data to Superfish. These facts
would be material to consumers’
decisions whether or not to use
VisualDiscovery.
The complaint also alleges that
Lenovo’s preinstallation of the adinjecting software that, without
adequate notice or informed consent,
acted as a man-in-the-middle between
consumers and all the Web sites they
visited, including encrypted https://
websites, and collected and transmitted
certain consumer Internet browsing data
to Superfish was an unfair act that
caused or was likely to cause substantial
injury to consumers, and that was not
offset by countervailing benefits to
consumers or competition and was not
reasonably avoidable by consumers.
The proposed consent order contains
provisions designed to prevent Lenovo
from engaging in similar acts and
practices in the future.
Part I of the proposed order prohibits
Lenovo from making any
misrepresentations about certain
preinstalled software on its personal
computers.
Part II of the proposed order requires
Lenovo to obtain a consumer’s
affirmative express consent, with certain
limited exceptions, prior to any
preinstalled software a) injecting
advertisements into a consumer’s
Internet browsing session, or b)
transmitting, or causing to transmit, the
consumer’s personal information to any
person or entity other than the
consumer. Lenovo must also provide
instructions for how consumers can
revoke their consent to the software’s
operation by providing a reasonable and
effective means for consumers to opt
out, disable or remove the software.
Parts III and IV of the proposed order
require Lenovo to implement a
mandated software security program
that is reasonably designed to address
security risks in software preinstalled
on its personal computers, and undergo
biennial software security assessments
of its mandated software security
program by a third party.
Parts V through IX of the proposed
order are standard reporting and
E:\FR\FM\13SEN1.SGM
13SEN1
43016
Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices
compliance provisions. Part V requires
dissemination of the order now and in
the future to all current and future
principals, officers, directors, and
managers, and to persons with
managerial or supervisory
responsibilities relating to Parts I–IV of
the order. Part VI mandates that Lenovo
submit a compliance report to the FTC
one year after issuance, and then
notices, as the order specifies,
thereafter. Parts VII and VIII requires
Lenovo to retain documents relating to
its compliance with the order for a fiveyear period, and to provide such
additional information or documents
necessary for the Commission to
monitor compliance. Part IX states that
the Order will remain in effect for 20
years.
The purpose of this analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the complaint
or proposed order, or to modify in any
way the proposed order’s terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
sradovich on DSK3GMQ082PROD with NOTICES
Statement of Acting Chairman Maureen
K. Ohlhausen in the Matter of Lenovo,
Inc.
I support this important case and the
strong settlement. I write separately to
caution against an over broad
application of our failure to disclose
(sometimes called ‘‘deceptive
omission’’) authority. We should hew to
longstanding case law and avoid
circumventing congressionallyestablished limits on our authority. I
therefore respectfully disagree with my
colleague’s position that we should
expand Count I to allege additional
failures to disclose.
Most FTC deception cases involve an
express misrepresentation (‘‘This sugar
pill cures cancer’’) or an express
statement that gives rise to an implied
claim that is false or misleading (‘‘Many
people who take this sugar pill don’t die
of cancer’’).
Although the FTC and the courts have
also recognized that a failure to disclose
can be deceptive, this has limits.1 For
every product there is a potentially
enormous amount of information that at
least some consumers might wish to
know when deciding whether to
1 International Harvester Co., 104 FTC 949 (1984),
represents the Commission’s most comprehensive
effort to define deceptive omissions, and that
framework remains in place today. See also,
Cliffdale Associates, Inc., 103 FTC 110, App. A at
2 (1984) (‘‘Deception Statement’’).
VerDate Sep<11>2014
17:34 Sep 12, 2017
Jkt 241001
purchase or use it.2 Copious disclosures
would be both impractical and
unhelpful, and the law sensibly does
not require sellers to disclose all
information that a consumer might find
important.
Thus, the FTC has generally found a
failure to disclose to be deceptive in two
categories of cases. First, the FTC has
found ‘‘half-truths’’ to be deceptive,
where a seller makes a truthful
statement that creates a material
misleading impression that the seller
does not correct.3 Most of the FTC’s
failure to disclose cases are half-truth
cases, and many could be restyled as
cases of implied false or misleading
claims. For example, a complaint
addressing the claim that ‘‘Many people
who take this sugar pill don’t die of
cancer’’ could allege an implied false
claim that the pill cures cancer, or could
allege a deceptive failure to disclose that
the pill does not reduce the chances of
dying from cancer.
Second, and less frequently, the FTC
has found a seller’s silence to be
deceptive ‘‘under circumstances that
constitute an implied but false
representation.’’ 4 Such implied false
representations can arise from ‘‘ordinary
consumer expectations as to the
irreducible minimum performance
standards of a particular class of
good.’’ 5 Stated differently, offering a
product for sale implies that the product
is ‘‘reasonably fit for [its] intended
uses,’’ and that it is ‘‘free of gross safety
hazards.’’ 6 If the product does not meet
ordinary consumer expectations of
minimum performance, or if the product
is not reasonably fit for its intended
uses, the seller must disclose that. For
example, it would be deceptive for an
auto dealer to sell, without a disclosure,
a normal-looking car with a maximum
speed of 35 miles per hour.7 Consumers
expect cars to be able to reach highway
speeds, and thus the dealer must
disclose to the buyer that the car does
not meet that ordinary expectation.
In such cases, an omission is
misleading under the FTC Act if the
consumers’ ordinary fundamental
expectations about the product were
violated. Mere annoyances that leave
the product reasonably fit for its
intended use do not meet this
threshold.8 Thus, a dealer’s failure to
2 International Harvester, 104 FTC at 1059
(explaining why the FTC does not treat pure
omissions as deceptive).
3 Id. at 1057–58.
4 Id. at 1058.
5 Id.
6 Id. at 1058–59.
7 Id. at n.29.
8 Id. at 1058; Deception Statement at n.4 (‘‘Not all
omissions are deceptive, even if providing the
PO 00000
Frm 00048
Fmt 4703
Sfmt 4703
disclose that some might find a car’s
seatbelt warning to be annoyingly loud
would not be a deceptive omission
because consumers have no ordinary
expectations about car seatbelt warnings
that would mislead them absent a
disclosure.
As International Harvester sets out at
length, a deceptive omission is distinct
from an unfair failure to warn or other
forms of unfair omissions.9 The FTC has
brought such cases under its unfairness
authority where it has met the
statutorily mandated higher burden of
showing that the conduct causes or is
likely to cause substantial consumer
injury that is not reasonably avoidable
by the consumer and is not outweighed
by benefits to consumers or
competition.10
Turning to the case at hand, the
complaint alleges that VisualDiscovery
advertising software on Lenovo laptops
acted as a man-in-the-middle between
consumers and the Web sites they
visited. As such, the software had access
to all secure and unsecure consumerWeb site communications and rendered
useless a critical security feature of the
laptops’ web browsers. Such practices
introduced gross hazards inconsistent
with ordinary consumer expectations
about the minimum performance
standards of software. As a result, the
man-in-the-middle functionality and the
problems it generated made
VisualDiscovery unfit for its intended
use as software. Thus, Count I properly
alleges that Lenovo failed to disclose, or
disclose adequately, that
VisualDiscovery acted as a man-in-themiddle.11
Although Commissioner McSweeny
and I both support Count I, she would
add allegations that Lenovo failed to
disclose that VisualDiscovery injected
ads into shopping Web sites and slowed
web browsing. She argues that the
injected ads and slowed web browsing
altered the internet experience of
consumers, and thus VisualDiscovery
failed to meet ‘‘ordinary consumer
expectations as to the irreducible
minimum performance standards of
[that] particular class of good.’’ 12
information would benefit consumers . . . Failure
to disclose that the product is not fit constitutes a
deceptive omission.’’)
9 Id. at 1051 (‘‘It is important to distinguish
between the circumstances under which omissions
are deceptive . . . and the circumstances under
which they amount to an unfair practice.’’).
10 15 U.S.C. 45(n).
11 Count I of the complaint is pled in the form of
a half-truth, but could also be pled as a failure to
correct a false representation implied from
circumstances, and so I address Commissioner
McSweeny’s argument as framed.
12 Statement of Commissioner Terrell McSweeny
at 1 (citing International Harvester, 104 FTC at
1058).
E:\FR\FM\13SEN1.SGM
13SEN1
Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices
I respectfully disagree. Lenovo failed
to disclose that VisualDiscovery would
act as a man-in-the-middle. However,
Lenovo did disclose that the software
would introduce advertising into
consumers’ web browsing, although its
disclosure could have been better.
Furthermore, to the extent ordinary
consumers expect anything from
advertising software, they likely expect
it to affect their web browsing and to be
intrusive, as the popularity of ad
blocking technology shows. In addition,
unlike the man-in-the-middle
technique, VisualDiscovery’s ad
placement and web browsing effects did
not introduce gross hazards obviously
outside of consumers’ ordinary
expectations for advertising software. In
short, although VisualDiscovery’s ad
placement and effect on web browsing
may have been irritating to many, those
features did not make VisualDiscovery
unfit for its intended use. Therefore, I
do not find Lenovo’s silence about those
features to be a deceptive omission.
Fortunately, the outcome in this case
does not depend on resolving our
disagreement on the application of
deceptive omission to advertising
software. My goal in writing separately
is to maintain the clear distinction set
forth in International Harvester between
deceptive failures to disclose and unfair
omissions.13 When evaluating the
legality of a party’s silence, we must be
careful not to circumvent unfairness’s
higher evidentiary burden by simply
restyling an unfair omission as a
deceptive omission.
Statement of Commissioner Terrell
McSweeny in the Matter of Lenovo, Inc.
I support the Commission’s complaint
against Lenovo, but I am troubled by
conduct in this case that the
Commission fails to challenge.
According to the complaint, Lenovo,
Inc. preinstalled software on computers
that was designed to serve
advertisements to consumers while they
were browsing Web sites. The software,
called VisualDiscovery, acted as a
‘‘man-in-the-middle’’ between the
consumers and all of the Web sites with
which they communicated. It allegedly
actively contravened the security
posture of consumers’ computers,
leaving them vulnerable both to attack
from cyber-criminals and to transmitting
personal information across the web to
Superfish, Inc. servers. These unfair
practices violate the Federal Trade
Commission Act and are appropriately
challenged by the FTC in Counts II and
III of the complaint.
But Lenovo’s unlawful conduct went
beyond the data security failings alleged
in the complaint. The complaint also
describes how the software it
preinstalled on computers would: (1)
Inject pop-up ads every time consumers
visited a shopping Web site; and (2)
disrupt web browsing by reducing
download speeds by almost 25 percent
and upload speeds by 125 percent.
These facts were not disclosed to
consumers and these omissions were
deceptive.
Moreover, the FTC alleges that the
VisualDiscovery software was designed
to be difficult to discover. Consumers
were initially made aware of the
existence of the VisualDiscovery
software via a pop-up window the first
time they visited an ecommerce site. But
clicking to close that window opted
consumers into the program. The initial
pop-up window failed to disclose that
VisualDiscovery would follow the
consumers from shopping site to
shopping site; slow the performance and
functionality of the Web sites they
visited; and compromise their security
and privacy throughout each online
browsing session.
Under Section 5 of the FTC Act, the
failure to disclose information necessary
to prevent the creation of a false
impression is a deceptive practice.1 A
seller’s silence may make an implied
representation ‘‘based on ordinary
consumer expectations as to the
irreducible minimum performance
standards of a particular class of
good.’’ 2 In this case, Lenovo deceptively
omitted that VisualDiscovery would
alter the very internet experience for
which most consumers buy a computer.
I believe that if consumers were fully
aware of what VisualDiscovery was,
how it compromised their system, and
43017
how they could have opted out, most
would have decided to keep
VisualDiscovery inactive.
This is an exceptionally strong case
and clearly articulates how the
Commission uses its unfairness tools to
protect the data security and privacy of
consumers. I support Count I, but
believe the FTC should have included
additional deceptive conduct alleged in
the complaint within the count. The
FTC should not turn a blind eye to
deceptive disclosures and opt-ins,
particularly when consumers’ privacy
and security are at stake.
[FR Doc. 2017–19385 Filed 9–12–17; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
Granting of Requests for Early
Termination of the Waiting Period
Under the Premerger Notification
Rules
Section 7A of the Clayton Act, 15
U.S.C. 18a, as added by Title II of the
Hart-Scott-Rodino Antitrust
Improvements Act of 1976, requires
persons contemplating certain mergers
or acquisitions to give the Federal Trade
Commission and the Assistant Attorney
General advance notice and to wait
designated periods before
consummation of such plans. Section
7A(b)(2) of the Act permits the agencies,
in individual cases, to terminate this
waiting period prior to its expiration
and requires that notice of this action be
published in the Federal Register.
The following transactions were
granted early termination—on the dates
indicated—of the waiting period
provided by law and the premerger
notification rules. The listing for each
transaction includes the transaction
number and the parties to the
transaction. The grants were made by
the Federal Trade Commission and the
Assistant Attorney General for the
Antitrust Division of the Department of
Justice. Neither agency intends to take
any action with respect to these
proposed acquisitions during the
applicable waiting period.
sradovich on DSK3GMQ082PROD with NOTICES
EARLY TERMINATIONS GRANTED
JULY 1, 2017 THROUGH JULY 31, 2017
07/03/2017
20171409 ......
20171459 ......
20171460 ......
G
G
G
13 International
VerDate Sep<11>2014
Quest Diagnostics Incorporated; Med Fusion, LLC; Quest Diagnostics Incorporated.
Synnex Corporation; Datatec Limited; Synnex Corporation.
Datatec Limited; Synnex Corporation; Datatec Limited.
Harvester, 104 FTC at 1051.
17:34 Sep 12, 2017
Jkt 241001
1 FTC Policy Statement on Deception, 103 F.T.C.
174, 175 (1984) (appended to Cliffdale Assocs., Inc.,
103 F.T.C. 110 (1984)).
PO 00000
Frm 00049
Fmt 4703
Sfmt 4703
2 Int’l.
E:\FR\FM\13SEN1.SGM
Harvester Co., 104 F.T.C. 949, 1058 (1984).
13SEN1
]]>Agencies
[Federal Register Volume 82, Number 176 (Wednesday, September 13, 2017)]
[Notices]
[Pages 43013-43017]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-19385]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 152 3134]
Lenovo (United States) Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis to Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before October 5, 2017.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write: ``Lenovo (United
States) Inc., Matter No. 152 3134'' on your comment, and file your
comment online at https://ftcpublic.commentworks.com/ftc/lenovoconsent
by following the instructions on the Web-based form. If
[[Page 43014]]
you prefer to file your comment on paper, write ``Lenovo (United
States) Inc., Matter No. 152 3134'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Linda Holleran Kopp, (202-326-2267)
and Tiffany George (202-326-3040), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for September 5, 2017), on the World Wide Web,
at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before October 5, 2017.
Write ``Lenovo (United States) Inc., Matter No. 152 3134'' on your
comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/lenovoconsent by following the instructions on the web-based form.
If this Notice appears at https://www.regulations.gov/#!home, you also
may file a comment through that Web site.
If you prefer to file your comment on paper, write ``Lenovo (United
States) Inc., Matter No. 152 3134'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex
D), Washington, DC 20024. If possible, submit your paper comment to the
Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible FTC
Web site at https://www.ftc.gov, you are solely responsible for making
sure that your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC Web site--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC Web site,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC Web site at https://www.ftc.gov to read this Notice
and the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before October 5, 2017. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order from Lenovo (United
States), Inc. (``Lenovo'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission again will review the
agreement and the comments received and will decide whether it should
withdraw from the agreement or make final the agreement's proposed
order.
This matter involves Lenovo, one of the world's largest personal
computer manufacturers, and its preinstallation on certain consumer
laptops of VisualDiscovery, an ad-injecting software developed by
Superfish, Inc. and customized for Lenovo. VisualDiscovery injected
pop-up ads of similar-looking products sold by Superfish's retail
partners whenever a consumer's cursor hovered over a product image
while browsing on a shopping Web site. For example, when a consumer's
cursor hovered over an image of owl-shaped pendants on a shopping Web
site like amazon.com, VisualDiscovery would show the user pop-up ads of
similar-looking owl pendants. To do so, VisualDiscovery acted as a
``man-in-the-middle'' between consumers' browsers and the Web sites
they visited, including encrypted https://websites. This man-in-the-
middle technique allowed VisualDiscovery to see all of a consumer's
sensitive personal information that was transmitted on the Internet,
such as login credentials, Social Security numbers, financial account
information, medical
[[Page 43015]]
information, and email communications. VisualDiscovery then collected,
transmitted to Superfish servers, and stored a more limited subset of
user information, including the Web site addresses visited by
consumers, consumers' IP addresses, and a unique identifier assigned by
Superfish to each user's laptop. Superfish had the ability to collect
additional information from Lenovo users through VisualDiscovery at any
time.
To facilitate its injection of pop-up ads into encrypted https://
websites, VisualDiscovery installed a self-signed root certificate in
the laptop's operating system. This allowed VisualDiscovery to replace
the digital certificates for https://websites with VisualDiscovery's
own certificates for those Web sites and caused consumers' browsers to
automatically trust the VisualDiscovery-signed certificates. Digital
certificates are part of the Transport Layer Security (TLS) protocol
that, when properly validated, serve as proof that consumers are
communicating with the authentic https://website and not an imposter.
As alleged in the complaint, VisualDiscovery's substitution of
digital certificates for https://websites with its own certificates for
those Web sites created two significant security vulnerabilities.
First, VisualDiscovery did not adequately verify that Web sites'
digital certificates were valid before replacing them with its own
certificates, which were automatically trusted by consumers' browsers.
This rendered a critical browser security function useless because
browsers would no longer warn consumers that their connections were
untrusted when they visited potentially spoofed or malicious Web sites
with invalid digital certificates.
The complaint also alleges that VisualDiscovery created a second
security vulnerability by using a self-signed root certificate with the
same private encryption key and the same easy-to-crack password on
every laptop rather than employing private keys unique to each laptop.
This violated basic encryption key management principles because
attackers who cracked the simple password on one consumer's laptop
could then target every affected Lenovo user with man-in-the-middle
attacks that could intercept consumers' electronic communications with
any Web site, including those for financial institutions and medical
providers. Such attacks would provide attackers with unauthorized
access to consumers' sensitive personal information, such as Social
Security numbers, financial account numbers, login credentials, medical
information, and email communications. This vulnerability also made it
easier for attackers to deceive consumers into downloading malware onto
any affected Lenovo laptop. The risk that this vulnerability would be
exploited increased after February 19, 2015, when news of these
vulnerabilities became public and bloggers posted instructions on how
the vulnerabilities could be exploited.
The complaint alleges that Lenovo failed to discover these
significant security vulnerabilities because it failed to take
reasonable measures to assess and address security risks created by
third-party software it preinstalled on its laptops. Specifically,
Lenovo allegedly:
Failed to adopt and implement written data security
policies applicable to third-party preinstalled software;
failed to adequately assess the data security risks of
third-party software prior to preinstallation;
failed to request or review any information prior to
preinstallation about Superfish's data security policies, procedures or
practices;
failed to require Superfish by contract to adopt and
implement reasonable data security measures;
failed to assess VisualDiscovery's compliance with
reasonable data security standards; and
failed to provide adequate data security training for
employees responsible for testing third-party software.
The complaint alleges that Lenovo's failure was an unfair act that
caused or was likely to cause substantial consumer injury that
consumers could not reasonably avoid, and that there were no
countervailing benefits to consumers or competition.
The Commission's complaint also alleges that Lenovo failed to make
adequate disclosures about VisualDiscovery to consumers. Lenovo did not
disclose to consumers that it had preinstalled VisualDiscovery prior to
purchase, and the software had limited visibility on the consumer's
laptop. Lenovo only disclosed VisualDiscovery through a one-time pop-up
window the first time consumers visited a shopping Web site that
stated,
Explore shopping with VisualDiscovery: Your browser is enabled with
VisualDiscovery which lets you discover visually similar products and
best prices while you shop.
The pop-up window contained a small opt-out link at the bottom of
the pop-up that was easy for consumers to miss. If a consumer clicked
on the pop-up's `x' close button, or anywhere else on the screen, the
consumer was opted in to the software.
The complaint alleges that this pop-up window's disclosures were
inadequate and violated Section 5 of the FTC Act by failing to
disclose, or failing to disclose adequately, that VisualDiscovery would
act as a man-in-the-middle between consumers and all the Web sites they
visited, including encrypted https://websites, and collect and transmit
certain consumer Internet browsing data to Superfish. These facts would
be material to consumers' decisions whether or not to use
VisualDiscovery.
The complaint also alleges that Lenovo's preinstallation of the ad-
injecting software that, without adequate notice or informed consent,
acted as a man-in-the-middle between consumers and all the Web sites
they visited, including encrypted https://websites, and collected and
transmitted certain consumer Internet browsing data to Superfish was an
unfair act that caused or was likely to cause substantial injury to
consumers, and that was not offset by countervailing benefits to
consumers or competition and was not reasonably avoidable by consumers.
The proposed consent order contains provisions designed to prevent
Lenovo from engaging in similar acts and practices in the future.
Part I of the proposed order prohibits Lenovo from making any
misrepresentations about certain preinstalled software on its personal
computers.
Part II of the proposed order requires Lenovo to obtain a
consumer's affirmative express consent, with certain limited
exceptions, prior to any preinstalled software a) injecting
advertisements into a consumer's Internet browsing session, or b)
transmitting, or causing to transmit, the consumer's personal
information to any person or entity other than the consumer. Lenovo
must also provide instructions for how consumers can revoke their
consent to the software's operation by providing a reasonable and
effective means for consumers to opt out, disable or remove the
software.
Parts III and IV of the proposed order require Lenovo to implement
a mandated software security program that is reasonably designed to
address security risks in software preinstalled on its personal
computers, and undergo biennial software security assessments of its
mandated software security program by a third party.
Parts V through IX of the proposed order are standard reporting and
[[Page 43016]]
compliance provisions. Part V requires dissemination of the order now
and in the future to all current and future principals, officers,
directors, and managers, and to persons with managerial or supervisory
responsibilities relating to Parts I-IV of the order. Part VI mandates
that Lenovo submit a compliance report to the FTC one year after
issuance, and then notices, as the order specifies, thereafter. Parts
VII and VIII requires Lenovo to retain documents relating to its
compliance with the order for a five-year period, and to provide such
additional information or documents necessary for the Commission to
monitor compliance. Part IX states that the Order will remain in effect
for 20 years.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
Statement of Acting Chairman Maureen K. Ohlhausen in the Matter of
Lenovo, Inc.
I support this important case and the strong settlement. I write
separately to caution against an over broad application of our failure
to disclose (sometimes called ``deceptive omission'') authority. We
should hew to longstanding case law and avoid circumventing
congressionally-established limits on our authority. I therefore
respectfully disagree with my colleague's position that we should
expand Count I to allege additional failures to disclose.
Most FTC deception cases involve an express misrepresentation
(``This sugar pill cures cancer'') or an express statement that gives
rise to an implied claim that is false or misleading (``Many people who
take this sugar pill don't die of cancer'').
Although the FTC and the courts have also recognized that a failure
to disclose can be deceptive, this has limits.\1\ For every product
there is a potentially enormous amount of information that at least
some consumers might wish to know when deciding whether to purchase or
use it.\2\ Copious disclosures would be both impractical and unhelpful,
and the law sensibly does not require sellers to disclose all
information that a consumer might find important.
---------------------------------------------------------------------------
\1\ International Harvester Co., 104 FTC 949 (1984), represents
the Commission's most comprehensive effort to define deceptive
omissions, and that framework remains in place today. See also,
Cliffdale Associates, Inc., 103 FTC 110, App. A at 2 (1984)
(``Deception Statement'').
\2\ International Harvester, 104 FTC at 1059 (explaining why the
FTC does not treat pure omissions as deceptive).
---------------------------------------------------------------------------
Thus, the FTC has generally found a failure to disclose to be
deceptive in two categories of cases. First, the FTC has found ``half-
truths'' to be deceptive, where a seller makes a truthful statement
that creates a material misleading impression that the seller does not
correct.\3\ Most of the FTC's failure to disclose cases are half-truth
cases, and many could be restyled as cases of implied false or
misleading claims. For example, a complaint addressing the claim that
``Many people who take this sugar pill don't die of cancer'' could
allege an implied false claim that the pill cures cancer, or could
allege a deceptive failure to disclose that the pill does not reduce
the chances of dying from cancer.
---------------------------------------------------------------------------
\3\ Id. at 1057-58.
---------------------------------------------------------------------------
Second, and less frequently, the FTC has found a seller's silence
to be deceptive ``under circumstances that constitute an implied but
false representation.'' \4\ Such implied false representations can
arise from ``ordinary consumer expectations as to the irreducible
minimum performance standards of a particular class of good.'' \5\
Stated differently, offering a product for sale implies that the
product is ``reasonably fit for [its] intended uses,'' and that it is
``free of gross safety hazards.'' \6\ If the product does not meet
ordinary consumer expectations of minimum performance, or if the
product is not reasonably fit for its intended uses, the seller must
disclose that. For example, it would be deceptive for an auto dealer to
sell, without a disclosure, a normal-looking car with a maximum speed
of 35 miles per hour.\7\ Consumers expect cars to be able to reach
highway speeds, and thus the dealer must disclose to the buyer that the
car does not meet that ordinary expectation.
---------------------------------------------------------------------------
\4\ Id. at 1058.
\5\ Id.
\6\ Id. at 1058-59.
\7\ Id. at n.29.
---------------------------------------------------------------------------
In such cases, an omission is misleading under the FTC Act if the
consumers' ordinary fundamental expectations about the product were
violated. Mere annoyances that leave the product reasonably fit for its
intended use do not meet this threshold.\8\ Thus, a dealer's failure to
disclose that some might find a car's seatbelt warning to be annoyingly
loud would not be a deceptive omission because consumers have no
ordinary expectations about car seatbelt warnings that would mislead
them absent a disclosure.
---------------------------------------------------------------------------
\8\ Id. at 1058; Deception Statement at n.4 (``Not all omissions
are deceptive, even if providing the information would benefit
consumers . . . Failure to disclose that the product is not fit
constitutes a deceptive omission.'')
---------------------------------------------------------------------------
As International Harvester sets out at length, a deceptive omission
is distinct from an unfair failure to warn or other forms of unfair
omissions.\9\ The FTC has brought such cases under its unfairness
authority where it has met the statutorily mandated higher burden of
showing that the conduct causes or is likely to cause substantial
consumer injury that is not reasonably avoidable by the consumer and is
not outweighed by benefits to consumers or competition.\10\
---------------------------------------------------------------------------
\9\ Id. at 1051 (``It is important to distinguish between the
circumstances under which omissions are deceptive . . . and the
circumstances under which they amount to an unfair practice.'').
\10\ 15 U.S.C. 45(n).
---------------------------------------------------------------------------
Turning to the case at hand, the complaint alleges that
VisualDiscovery advertising software on Lenovo laptops acted as a man-
in-the-middle between consumers and the Web sites they visited. As
such, the software had access to all secure and unsecure consumer-Web
site communications and rendered useless a critical security feature of
the laptops' web browsers. Such practices introduced gross hazards
inconsistent with ordinary consumer expectations about the minimum
performance standards of software. As a result, the man-in-the-middle
functionality and the problems it generated made VisualDiscovery unfit
for its intended use as software. Thus, Count I properly alleges that
Lenovo failed to disclose, or disclose adequately, that VisualDiscovery
acted as a man-in-the-middle.\11\
---------------------------------------------------------------------------
\11\ Count I of the complaint is pled in the form of a half-
truth, but could also be pled as a failure to correct a false
representation implied from circumstances, and so I address
Commissioner McSweeny's argument as framed.
---------------------------------------------------------------------------
Although Commissioner McSweeny and I both support Count I, she
would add allegations that Lenovo failed to disclose that
VisualDiscovery injected ads into shopping Web sites and slowed web
browsing. She argues that the injected ads and slowed web browsing
altered the internet experience of consumers, and thus VisualDiscovery
failed to meet ``ordinary consumer expectations as to the irreducible
minimum performance standards of [that] particular class of good.''
\12\
---------------------------------------------------------------------------
\12\ Statement of Commissioner Terrell McSweeny at 1 (citing
International Harvester, 104 FTC at 1058).
---------------------------------------------------------------------------
[[Page 43017]]
I respectfully disagree. Lenovo failed to disclose that
VisualDiscovery would act as a man-in-the-middle. However, Lenovo did
disclose that the software would introduce advertising into consumers'
web browsing, although its disclosure could have been better.
Furthermore, to the extent ordinary consumers expect anything from
advertising software, they likely expect it to affect their web
browsing and to be intrusive, as the popularity of ad blocking
technology shows. In addition, unlike the man-in-the-middle technique,
VisualDiscovery's ad placement and web browsing effects did not
introduce gross hazards obviously outside of consumers' ordinary
expectations for advertising software. In short, although
VisualDiscovery's ad placement and effect on web browsing may have been
irritating to many, those features did not make VisualDiscovery unfit
for its intended use. Therefore, I do not find Lenovo's silence about
those features to be a deceptive omission.
Fortunately, the outcome in this case does not depend on resolving
our disagreement on the application of deceptive omission to
advertising software. My goal in writing separately is to maintain the
clear distinction set forth in International Harvester between
deceptive failures to disclose and unfair omissions.\13\ When
evaluating the legality of a party's silence, we must be careful not to
circumvent unfairness's higher evidentiary burden by simply restyling
an unfair omission as a deceptive omission.
---------------------------------------------------------------------------
\13\ International Harvester, 104 FTC at 1051.
---------------------------------------------------------------------------
Statement of Commissioner Terrell McSweeny in the Matter of Lenovo,
Inc.
I support the Commission's complaint against Lenovo, but I am
troubled by conduct in this case that the Commission fails to
challenge. According to the complaint, Lenovo, Inc. preinstalled
software on computers that was designed to serve advertisements to
consumers while they were browsing Web sites. The software, called
VisualDiscovery, acted as a ``man-in-the-middle'' between the consumers
and all of the Web sites with which they communicated. It allegedly
actively contravened the security posture of consumers' computers,
leaving them vulnerable both to attack from cyber-criminals and to
transmitting personal information across the web to Superfish, Inc.
servers. These unfair practices violate the Federal Trade Commission
Act and are appropriately challenged by the FTC in Counts II and III of
the complaint.
But Lenovo's unlawful conduct went beyond the data security
failings alleged in the complaint. The complaint also describes how the
software it preinstalled on computers would: (1) Inject pop-up ads
every time consumers visited a shopping Web site; and (2) disrupt web
browsing by reducing download speeds by almost 25 percent and upload
speeds by 125 percent. These facts were not disclosed to consumers and
these omissions were deceptive.
Moreover, the FTC alleges that the VisualDiscovery software was
designed to be difficult to discover. Consumers were initially made
aware of the existence of the VisualDiscovery software via a pop-up
window the first time they visited an ecommerce site. But clicking to
close that window opted consumers into the program. The initial pop-up
window failed to disclose that VisualDiscovery would follow the
consumers from shopping site to shopping site; slow the performance and
functionality of the Web sites they visited; and compromise their
security and privacy throughout each online browsing session.
Under Section 5 of the FTC Act, the failure to disclose information
necessary to prevent the creation of a false impression is a deceptive
practice.\1\ A seller's silence may make an implied representation
``based on ordinary consumer expectations as to the irreducible minimum
performance standards of a particular class of good.'' \2\ In this
case, Lenovo deceptively omitted that VisualDiscovery would alter the
very internet experience for which most consumers buy a computer. I
believe that if consumers were fully aware of what VisualDiscovery was,
how it compromised their system, and how they could have opted out,
most would have decided to keep VisualDiscovery inactive.
---------------------------------------------------------------------------
\1\ FTC Policy Statement on Deception, 103 F.T.C. 174, 175
(1984) (appended to Cliffdale Assocs., Inc., 103 F.T.C. 110 (1984)).
\2\ Int'l. Harvester Co., 104 F.T.C. 949, 1058 (1984).
---------------------------------------------------------------------------
This is an exceptionally strong case and clearly articulates how
the Commission uses its unfairness tools to protect the data security
and privacy of consumers. I support Count I, but believe the FTC should
have included additional deceptive conduct alleged in the complaint
within the count. The FTC should not turn a blind eye to deceptive
disclosures and opt-ins, particularly when consumers' privacy and
security are at stake.
[FR Doc. 2017-19385 Filed 9-12-17; 8:45 am]
BILLING CODE 6750-01-P
