Lenovo (United States) Inc.; Analysis To Aid Public Comment, 43013-43017 [2017-19385]

Download as PDF Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices letter. The collection of information saves time for both licensees and Commission staff since they are received in IBFS electronically and include only the information that is essential to process the requests in a timely manner. Furthermore, the Efiling module expedites the Commission staff’s announcement of surrenders of authorizations via Public Notice. Federal Communications Commission. Marlene H. Dortch, Secretary, Office of the Secretary. [FR Doc. 2017–19387 Filed 9–12–17; 8:45 am] 49.74 percent of the voting shares of 1st Advantage Bancshares, Inc., St. Peters, Missouri, and thereby indirectly acquire shares of 1st Advantage Bank, St. Peters, Missouri. B. Federal Reserve Bank of Kansas City (Dennis Denney, Assistant Vice President) 1 Memorial Drive, Kansas City, Missouri 64198–0001: 1. HYS Investments, LLC, to acquire additional voting shares for a total of 26.48 percent of BOTS, Inc., and thereby indirectly acquire shares of VisionBank, all of Topeka, Kansas. Board of Governors of the Federal Reserve System, September 8, 2017. Yao-Chin Chao, Assistant Secretary of the Board. BILLING CODE 6712–01–P FEDERAL RESERVE SYSTEM [FR Doc. 2017–19420 Filed 9–12–17; 8:45 am] sradovich on DSK3GMQ082PROD with NOTICES Formations of, Acquisitions by, and Mergers of Bank Holding Companies BILLING CODE 6210–01–P The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The applications will also be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than October 10, 2017. A. Federal Reserve Bank of St. Louis (David L. Hubbard, Senior Manager) P.O. Box 442, St. Louis, Missouri 63166–2034. Comments can also be sent electronically to Comments.applications @stls.frb.org: 1. Banc Investors, L.L.C., Town and Country, Missouri; to acquire up to FEDERAL RESERVE SYSTEM VerDate Sep<11>2014 17:34 Sep 12, 2017 Jkt 241001 Formations of, Acquisitions by, and Mergers of Bank Holding Companies The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The applications will also be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than October 10, 2017. A. Federal Reserve Bank of Kansas City (Dennis Denney, Assistant Vice President) 1 Memorial Drive, Kansas City, Missouri 64198–0001: PO 00000 Frm 00045 Fmt 4703 Sfmt 4703 43013 1. TIG Bancorp, Inc., and its newly formed merger subsidiary, TIG Merger Sub, Inc., both of Durango, Colorado; to become bank holding companies by acquiring Custer Bancorp, Denver, Colorado, and thereby indirectly acquire First State Bank of Colorado, Hotchkiss, Colorado. B. Federal Reserve Bank of Philadelphia (William Spaniel, Senior Vice President) 100 North 6th Street, Philadelphia, Pennsylvania 19105– 1521. Comments can also be sent electronically to Comments. applications@phil.frb.org: 1. OceanFirst Financial Corp., Toms River, New Jersey; to become a bank holding company, in connection with the conversion of OceanFirst Bank, Toms River, New Jersey, from a federal savings bank, to a national bank named OceanFirst National Bank. 2. OceanFirst Financial Corp., Toms River, New Jersey; to merge with Sun Bancorp, Mt. Laurel, New Jersey and thereby indirectly acquire Sun National Bank, Mt. Laurel, New Jersey. Board of Governors of the Federal Reserve System, September 7, 2017. Yao-Chin Chao, Assistant Secretary of the Board. [FR Doc. 2017–19358 Filed 9–12–17; 8:45 am] BILLING CODE P FEDERAL TRADE COMMISSION [File No. 152 3134] Lenovo (United States) Inc.; Analysis To Aid Public Comment Federal Trade Commission. Proposed consent agreement. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations. SUMMARY: Comments must be received on or before October 5, 2017. ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: ‘‘Lenovo (United States) Inc., Matter No. 152 3134’’ on your comment, and file your comment online at https://ftcpublic.commentworks.com/ ftc/lenovoconsent by following the instructions on the Web-based form. If DATES: E:\FR\FM\13SEN1.SGM 13SEN1 43014 Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices you prefer to file your comment on paper, write ‘‘Lenovo (United States) Inc., Matter No. 152 3134’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Linda Holleran Kopp, (202–326–2267) and Tiffany George (202–326–3040), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580. Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for September 5, 2017), on the World Wide Web, at https:// www.ftc.gov/news-events/commissionactions. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before October 5, 2017. Write ‘‘Lenovo (United States) Inc., Matter No. 152 3134’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at https:// www.ftc.gov/policy/public-comments. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ lenovoconsent by following the instructions on the web-based form. If this Notice appears at http:// www.regulations.gov/#!home, you also may file a comment through that Web site. sradovich on DSK3GMQ082PROD with NOTICES SUPPLEMENTARY INFORMATION: VerDate Sep<11>2014 17:34 Sep 12, 2017 Jkt 241001 If you prefer to file your comment on paper, write ‘‘Lenovo (United States) Inc., Matter No. 152 3134’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible FTC Web site at https://www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC Web site—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC Web site, PO 00000 Frm 00046 Fmt 4703 Sfmt 4703 unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. Visit the FTC Web site at http:// www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before October 5, 2017. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/ privacy-policy. Analysis of Agreement Containing Consent Order To Aid Public Comment The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from Lenovo (United States), Inc. (‘‘Lenovo’’). The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission again will review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order. This matter involves Lenovo, one of the world’s largest personal computer manufacturers, and its preinstallation on certain consumer laptops of VisualDiscovery, an ad-injecting software developed by Superfish, Inc. and customized for Lenovo. VisualDiscovery injected pop-up ads of similar-looking products sold by Superfish’s retail partners whenever a consumer’s cursor hovered over a product image while browsing on a shopping Web site. For example, when a consumer’s cursor hovered over an image of owl-shaped pendants on a shopping Web site like amazon.com, VisualDiscovery would show the user pop-up ads of similar-looking owl pendants. To do so, VisualDiscovery acted as a ‘‘man-in-the-middle’’ between consumers’ browsers and the Web sites they visited, including encrypted https://websites. This man-in-themiddle technique allowed VisualDiscovery to see all of a consumer’s sensitive personal information that was transmitted on the Internet, such as login credentials, Social Security numbers, financial account information, medical E:\FR\FM\13SEN1.SGM 13SEN1 sradovich on DSK3GMQ082PROD with NOTICES Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices information, and email communications. VisualDiscovery then collected, transmitted to Superfish servers, and stored a more limited subset of user information, including the Web site addresses visited by consumers, consumers’ IP addresses, and a unique identifier assigned by Superfish to each user’s laptop. Superfish had the ability to collect additional information from Lenovo users through VisualDiscovery at any time. To facilitate its injection of pop-up ads into encrypted https://websites, VisualDiscovery installed a self-signed root certificate in the laptop’s operating system. This allowed VisualDiscovery to replace the digital certificates for https://websites with VisualDiscovery’s own certificates for those Web sites and caused consumers’ browsers to automatically trust the VisualDiscoverysigned certificates. Digital certificates are part of the Transport Layer Security (TLS) protocol that, when properly validated, serve as proof that consumers are communicating with the authentic https://website and not an imposter. As alleged in the complaint, VisualDiscovery’s substitution of digital certificates for https://websites with its own certificates for those Web sites created two significant security vulnerabilities. First, VisualDiscovery did not adequately verify that Web sites’ digital certificates were valid before replacing them with its own certificates, which were automatically trusted by consumers’ browsers. This rendered a critical browser security function useless because browsers would no longer warn consumers that their connections were untrusted when they visited potentially spoofed or malicious Web sites with invalid digital certificates. The complaint also alleges that VisualDiscovery created a second security vulnerability by using a selfsigned root certificate with the same private encryption key and the same easy-to-crack password on every laptop rather than employing private keys unique to each laptop. This violated basic encryption key management principles because attackers who cracked the simple password on one consumer’s laptop could then target every affected Lenovo user with man-inthe-middle attacks that could intercept consumers’ electronic communications with any Web site, including those for financial institutions and medical providers. Such attacks would provide attackers with unauthorized access to consumers’ sensitive personal information, such as Social Security numbers, financial account numbers, VerDate Sep<11>2014 17:34 Sep 12, 2017 Jkt 241001 login credentials, medical information, and email communications. This vulnerability also made it easier for attackers to deceive consumers into downloading malware onto any affected Lenovo laptop. The risk that this vulnerability would be exploited increased after February 19, 2015, when news of these vulnerabilities became public and bloggers posted instructions on how the vulnerabilities could be exploited. The complaint alleges that Lenovo failed to discover these significant security vulnerabilities because it failed to take reasonable measures to assess and address security risks created by third-party software it preinstalled on its laptops. Specifically, Lenovo allegedly: • Failed to adopt and implement written data security policies applicable to third-party preinstalled software; • failed to adequately assess the data security risks of third-party software prior to preinstallation; • failed to request or review any information prior to preinstallation about Superfish’s data security policies, procedures or practices; • failed to require Superfish by contract to adopt and implement reasonable data security measures; • failed to assess VisualDiscovery’s compliance with reasonable data security standards; and • failed to provide adequate data security training for employees responsible for testing third-party software. The complaint alleges that Lenovo’s failure was an unfair act that caused or was likely to cause substantial consumer injury that consumers could not reasonably avoid, and that there were no countervailing benefits to consumers or competition. The Commission’s complaint also alleges that Lenovo failed to make adequate disclosures about VisualDiscovery to consumers. Lenovo did not disclose to consumers that it had preinstalled VisualDiscovery prior to purchase, and the software had limited visibility on the consumer’s laptop. Lenovo only disclosed VisualDiscovery through a one-time pop-up window the first time consumers visited a shopping Web site that stated, Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop. The pop-up window contained a small opt-out link at the bottom of the pop-up that was easy for consumers to PO 00000 Frm 00047 Fmt 4703 Sfmt 4703 43015 miss. If a consumer clicked on the popup’s ‘x’ close button, or anywhere else on the screen, the consumer was opted in to the software. The complaint alleges that this popup window’s disclosures were inadequate and violated Section 5 of the FTC Act by failing to disclose, or failing to disclose adequately, that VisualDiscovery would act as a man-inthe-middle between consumers and all the Web sites they visited, including encrypted https://websites, and collect and transmit certain consumer Internet browsing data to Superfish. These facts would be material to consumers’ decisions whether or not to use VisualDiscovery. The complaint also alleges that Lenovo’s preinstallation of the adinjecting software that, without adequate notice or informed consent, acted as a man-in-the-middle between consumers and all the Web sites they visited, including encrypted https:// websites, and collected and transmitted certain consumer Internet browsing data to Superfish was an unfair act that caused or was likely to cause substantial injury to consumers, and that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers. The proposed consent order contains provisions designed to prevent Lenovo from engaging in similar acts and practices in the future. Part I of the proposed order prohibits Lenovo from making any misrepresentations about certain preinstalled software on its personal computers. Part II of the proposed order requires Lenovo to obtain a consumer’s affirmative express consent, with certain limited exceptions, prior to any preinstalled software a) injecting advertisements into a consumer’s Internet browsing session, or b) transmitting, or causing to transmit, the consumer’s personal information to any person or entity other than the consumer. Lenovo must also provide instructions for how consumers can revoke their consent to the software’s operation by providing a reasonable and effective means for consumers to opt out, disable or remove the software. Parts III and IV of the proposed order require Lenovo to implement a mandated software security program that is reasonably designed to address security risks in software preinstalled on its personal computers, and undergo biennial software security assessments of its mandated software security program by a third party. Parts V through IX of the proposed order are standard reporting and E:\FR\FM\13SEN1.SGM 13SEN1 43016 Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices compliance provisions. Part V requires dissemination of the order now and in the future to all current and future principals, officers, directors, and managers, and to persons with managerial or supervisory responsibilities relating to Parts I–IV of the order. Part VI mandates that Lenovo submit a compliance report to the FTC one year after issuance, and then notices, as the order specifies, thereafter. Parts VII and VIII requires Lenovo to retain documents relating to its compliance with the order for a fiveyear period, and to provide such additional information or documents necessary for the Commission to monitor compliance. Part IX states that the Order will remain in effect for 20 years. The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order’s terms. By direction of the Commission. Donald S. Clark, Secretary. sradovich on DSK3GMQ082PROD with NOTICES Statement of Acting Chairman Maureen K. Ohlhausen in the Matter of Lenovo, Inc. I support this important case and the strong settlement. I write separately to caution against an over broad application of our failure to disclose (sometimes called ‘‘deceptive omission’’) authority. We should hew to longstanding case law and avoid circumventing congressionallyestablished limits on our authority. I therefore respectfully disagree with my colleague’s position that we should expand Count I to allege additional failures to disclose. Most FTC deception cases involve an express misrepresentation (‘‘This sugar pill cures cancer’’) or an express statement that gives rise to an implied claim that is false or misleading (‘‘Many people who take this sugar pill don’t die of cancer’’). Although the FTC and the courts have also recognized that a failure to disclose can be deceptive, this has limits.1 For every product there is a potentially enormous amount of information that at least some consumers might wish to know when deciding whether to 1 International Harvester Co., 104 FTC 949 (1984), represents the Commission’s most comprehensive effort to define deceptive omissions, and that framework remains in place today. See also, Cliffdale Associates, Inc., 103 FTC 110, App. A at 2 (1984) (‘‘Deception Statement’’). VerDate Sep<11>2014 17:34 Sep 12, 2017 Jkt 241001 purchase or use it.2 Copious disclosures would be both impractical and unhelpful, and the law sensibly does not require sellers to disclose all information that a consumer might find important. Thus, the FTC has generally found a failure to disclose to be deceptive in two categories of cases. First, the FTC has found ‘‘half-truths’’ to be deceptive, where a seller makes a truthful statement that creates a material misleading impression that the seller does not correct.3 Most of the FTC’s failure to disclose cases are half-truth cases, and many could be restyled as cases of implied false or misleading claims. For example, a complaint addressing the claim that ‘‘Many people who take this sugar pill don’t die of cancer’’ could allege an implied false claim that the pill cures cancer, or could allege a deceptive failure to disclose that the pill does not reduce the chances of dying from cancer. Second, and less frequently, the FTC has found a seller’s silence to be deceptive ‘‘under circumstances that constitute an implied but false representation.’’ 4 Such implied false representations can arise from ‘‘ordinary consumer expectations as to the irreducible minimum performance standards of a particular class of good.’’ 5 Stated differently, offering a product for sale implies that the product is ‘‘reasonably fit for [its] intended uses,’’ and that it is ‘‘free of gross safety hazards.’’ 6 If the product does not meet ordinary consumer expectations of minimum performance, or if the product is not reasonably fit for its intended uses, the seller must disclose that. For example, it would be deceptive for an auto dealer to sell, without a disclosure, a normal-looking car with a maximum speed of 35 miles per hour.7 Consumers expect cars to be able to reach highway speeds, and thus the dealer must disclose to the buyer that the car does not meet that ordinary expectation. In such cases, an omission is misleading under the FTC Act if the consumers’ ordinary fundamental expectations about the product were violated. Mere annoyances that leave the product reasonably fit for its intended use do not meet this threshold.8 Thus, a dealer’s failure to 2 International Harvester, 104 FTC at 1059 (explaining why the FTC does not treat pure omissions as deceptive). 3 Id. at 1057–58. 4 Id. at 1058. 5 Id. 6 Id. at 1058–59. 7 Id. at n.29. 8 Id. at 1058; Deception Statement at n.4 (‘‘Not all omissions are deceptive, even if providing the PO 00000 Frm 00048 Fmt 4703 Sfmt 4703 disclose that some might find a car’s seatbelt warning to be annoyingly loud would not be a deceptive omission because consumers have no ordinary expectations about car seatbelt warnings that would mislead them absent a disclosure. As International Harvester sets out at length, a deceptive omission is distinct from an unfair failure to warn or other forms of unfair omissions.9 The FTC has brought such cases under its unfairness authority where it has met the statutorily mandated higher burden of showing that the conduct causes or is likely to cause substantial consumer injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to consumers or competition.10 Turning to the case at hand, the complaint alleges that VisualDiscovery advertising software on Lenovo laptops acted as a man-in-the-middle between consumers and the Web sites they visited. As such, the software had access to all secure and unsecure consumerWeb site communications and rendered useless a critical security feature of the laptops’ web browsers. Such practices introduced gross hazards inconsistent with ordinary consumer expectations about the minimum performance standards of software. As a result, the man-in-the-middle functionality and the problems it generated made VisualDiscovery unfit for its intended use as software. Thus, Count I properly alleges that Lenovo failed to disclose, or disclose adequately, that VisualDiscovery acted as a man-in-themiddle.11 Although Commissioner McSweeny and I both support Count I, she would add allegations that Lenovo failed to disclose that VisualDiscovery injected ads into shopping Web sites and slowed web browsing. She argues that the injected ads and slowed web browsing altered the internet experience of consumers, and thus VisualDiscovery failed to meet ‘‘ordinary consumer expectations as to the irreducible minimum performance standards of [that] particular class of good.’’ 12 information would benefit consumers . . . Failure to disclose that the product is not fit constitutes a deceptive omission.’’) 9 Id. at 1051 (‘‘It is important to distinguish between the circumstances under which omissions are deceptive . . . and the circumstances under which they amount to an unfair practice.’’). 10 15 U.S.C. 45(n). 11 Count I of the complaint is pled in the form of a half-truth, but could also be pled as a failure to correct a false representation implied from circumstances, and so I address Commissioner McSweeny’s argument as framed. 12 Statement of Commissioner Terrell McSweeny at 1 (citing International Harvester, 104 FTC at 1058). E:\FR\FM\13SEN1.SGM 13SEN1 Federal Register / Vol. 82, No. 176 / Wednesday, September 13, 2017 / Notices I respectfully disagree. Lenovo failed to disclose that VisualDiscovery would act as a man-in-the-middle. However, Lenovo did disclose that the software would introduce advertising into consumers’ web browsing, although its disclosure could have been better. Furthermore, to the extent ordinary consumers expect anything from advertising software, they likely expect it to affect their web browsing and to be intrusive, as the popularity of ad blocking technology shows. In addition, unlike the man-in-the-middle technique, VisualDiscovery’s ad placement and web browsing effects did not introduce gross hazards obviously outside of consumers’ ordinary expectations for advertising software. In short, although VisualDiscovery’s ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use. Therefore, I do not find Lenovo’s silence about those features to be a deceptive omission. Fortunately, the outcome in this case does not depend on resolving our disagreement on the application of deceptive omission to advertising software. My goal in writing separately is to maintain the clear distinction set forth in International Harvester between deceptive failures to disclose and unfair omissions.13 When evaluating the legality of a party’s silence, we must be careful not to circumvent unfairness’s higher evidentiary burden by simply restyling an unfair omission as a deceptive omission. Statement of Commissioner Terrell McSweeny in the Matter of Lenovo, Inc. I support the Commission’s complaint against Lenovo, but I am troubled by conduct in this case that the Commission fails to challenge. According to the complaint, Lenovo, Inc. preinstalled software on computers that was designed to serve advertisements to consumers while they were browsing Web sites. The software, called VisualDiscovery, acted as a ‘‘man-in-the-middle’’ between the consumers and all of the Web sites with which they communicated. It allegedly actively contravened the security posture of consumers’ computers, leaving them vulnerable both to attack from cyber-criminals and to transmitting personal information across the web to Superfish, Inc. servers. These unfair practices violate the Federal Trade Commission Act and are appropriately challenged by the FTC in Counts II and III of the complaint. But Lenovo’s unlawful conduct went beyond the data security failings alleged in the complaint. The complaint also describes how the software it preinstalled on computers would: (1) Inject pop-up ads every time consumers visited a shopping Web site; and (2) disrupt web browsing by reducing download speeds by almost 25 percent and upload speeds by 125 percent. These facts were not disclosed to consumers and these omissions were deceptive. Moreover, the FTC alleges that the VisualDiscovery software was designed to be difficult to discover. Consumers were initially made aware of the existence of the VisualDiscovery software via a pop-up window the first time they visited an ecommerce site. But clicking to close that window opted consumers into the program. The initial pop-up window failed to disclose that VisualDiscovery would follow the consumers from shopping site to shopping site; slow the performance and functionality of the Web sites they visited; and compromise their security and privacy throughout each online browsing session. Under Section 5 of the FTC Act, the failure to disclose information necessary to prevent the creation of a false impression is a deceptive practice.1 A seller’s silence may make an implied representation ‘‘based on ordinary consumer expectations as to the irreducible minimum performance standards of a particular class of good.’’ 2 In this case, Lenovo deceptively omitted that VisualDiscovery would alter the very internet experience for which most consumers buy a computer. I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and 43017 how they could have opted out, most would have decided to keep VisualDiscovery inactive. This is an exceptionally strong case and clearly articulates how the Commission uses its unfairness tools to protect the data security and privacy of consumers. I support Count I, but believe the FTC should have included additional deceptive conduct alleged in the complaint within the count. The FTC should not turn a blind eye to deceptive disclosures and opt-ins, particularly when consumers’ privacy and security are at stake. [FR Doc. 2017–19385 Filed 9–12–17; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION Granting of Requests for Early Termination of the Waiting Period Under the Premerger Notification Rules Section 7A of the Clayton Act, 15 U.S.C. 18a, as added by Title II of the Hart-Scott-Rodino Antitrust Improvements Act of 1976, requires persons contemplating certain mergers or acquisitions to give the Federal Trade Commission and the Assistant Attorney General advance notice and to wait designated periods before consummation of such plans. Section 7A(b)(2) of the Act permits the agencies, in individual cases, to terminate this waiting period prior to its expiration and requires that notice of this action be published in the Federal Register. The following transactions were granted early termination—on the dates indicated—of the waiting period provided by law and the premerger notification rules. The listing for each transaction includes the transaction number and the parties to the transaction. The grants were made by the Federal Trade Commission and the Assistant Attorney General for the Antitrust Division of the Department of Justice. Neither agency intends to take any action with respect to these proposed acquisitions during the applicable waiting period. sradovich on DSK3GMQ082PROD with NOTICES EARLY TERMINATIONS GRANTED JULY 1, 2017 THROUGH JULY 31, 2017 07/03/2017 20171409 ...... 20171459 ...... 20171460 ...... G G G 13 International VerDate Sep<11>2014 Quest Diagnostics Incorporated; Med Fusion, LLC; Quest Diagnostics Incorporated. Synnex Corporation; Datatec Limited; Synnex Corporation. Datatec Limited; Synnex Corporation; Datatec Limited. Harvester, 104 FTC at 1051. 17:34 Sep 12, 2017 Jkt 241001 1 FTC Policy Statement on Deception, 103 F.T.C. 174, 175 (1984) (appended to Cliffdale Assocs., Inc., 103 F.T.C. 110 (1984)). PO 00000 Frm 00049 Fmt 4703 Sfmt 4703 2 Int’l. E:\FR\FM\13SEN1.SGM Harvester Co., 104 F.T.C. 949, 1058 (1984). 13SEN1

Agencies

[Federal Register Volume 82, Number 176 (Wednesday, September 13, 2017)]
[Notices]
[Pages 43013-43017]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-19385]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 152 3134]


Lenovo (United States) Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before October 5, 2017.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write: ``Lenovo (United 
States) Inc., Matter No. 152 3134'' on your comment, and file your 
comment online at https://ftcpublic.commentworks.com/ftc/lenovoconsent 
by following the instructions on the Web-based form. If

[[Page 43014]]

you prefer to file your comment on paper, write ``Lenovo (United 
States) Inc., Matter No. 152 3134'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Linda Holleran Kopp, (202-326-2267) 
and Tiffany George (202-326-3040), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for September 5, 2017), on the World Wide Web, 
at https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before October 5, 2017. 
Write ``Lenovo (United States) Inc., Matter No. 152 3134'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/lenovoconsent by following the instructions on the web-based form. 
If this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that Web site.
    If you prefer to file your comment on paper, write ``Lenovo (United 
States) Inc., Matter No. 152 3134'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite 
CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex 
D), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
Web site at https://www.ftc.gov, you are solely responsible for making 
sure that your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC Web site--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC Web site, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    Visit the FTC Web site at http://www.ftc.gov to read this Notice 
and the news release describing it. The FTC Act and other laws that the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding, as appropriate. The Commission 
will consider all timely and responsive public comments that it 
receives on or before October 5, 2017. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Agreement Containing Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order from Lenovo (United 
States), Inc. (``Lenovo'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission again will review the 
agreement and the comments received and will decide whether it should 
withdraw from the agreement or make final the agreement's proposed 
order.
    This matter involves Lenovo, one of the world's largest personal 
computer manufacturers, and its preinstallation on certain consumer 
laptops of VisualDiscovery, an ad-injecting software developed by 
Superfish, Inc. and customized for Lenovo. VisualDiscovery injected 
pop-up ads of similar-looking products sold by Superfish's retail 
partners whenever a consumer's cursor hovered over a product image 
while browsing on a shopping Web site. For example, when a consumer's 
cursor hovered over an image of owl-shaped pendants on a shopping Web 
site like amazon.com, VisualDiscovery would show the user pop-up ads of 
similar-looking owl pendants. To do so, VisualDiscovery acted as a 
``man-in-the-middle'' between consumers' browsers and the Web sites 
they visited, including encrypted https://websites. This man-in-the-
middle technique allowed VisualDiscovery to see all of a consumer's 
sensitive personal information that was transmitted on the Internet, 
such as login credentials, Social Security numbers, financial account 
information, medical

[[Page 43015]]

information, and email communications. VisualDiscovery then collected, 
transmitted to Superfish servers, and stored a more limited subset of 
user information, including the Web site addresses visited by 
consumers, consumers' IP addresses, and a unique identifier assigned by 
Superfish to each user's laptop. Superfish had the ability to collect 
additional information from Lenovo users through VisualDiscovery at any 
time.
    To facilitate its injection of pop-up ads into encrypted https://
websites, VisualDiscovery installed a self-signed root certificate in 
the laptop's operating system. This allowed VisualDiscovery to replace 
the digital certificates for https://websites with VisualDiscovery's 
own certificates for those Web sites and caused consumers' browsers to 
automatically trust the VisualDiscovery-signed certificates. Digital 
certificates are part of the Transport Layer Security (TLS) protocol 
that, when properly validated, serve as proof that consumers are 
communicating with the authentic https://website and not an imposter.
    As alleged in the complaint, VisualDiscovery's substitution of 
digital certificates for https://websites with its own certificates for 
those Web sites created two significant security vulnerabilities. 
First, VisualDiscovery did not adequately verify that Web sites' 
digital certificates were valid before replacing them with its own 
certificates, which were automatically trusted by consumers' browsers. 
This rendered a critical browser security function useless because 
browsers would no longer warn consumers that their connections were 
untrusted when they visited potentially spoofed or malicious Web sites 
with invalid digital certificates.
    The complaint also alleges that VisualDiscovery created a second 
security vulnerability by using a self-signed root certificate with the 
same private encryption key and the same easy-to-crack password on 
every laptop rather than employing private keys unique to each laptop. 
This violated basic encryption key management principles because 
attackers who cracked the simple password on one consumer's laptop 
could then target every affected Lenovo user with man-in-the-middle 
attacks that could intercept consumers' electronic communications with 
any Web site, including those for financial institutions and medical 
providers. Such attacks would provide attackers with unauthorized 
access to consumers' sensitive personal information, such as Social 
Security numbers, financial account numbers, login credentials, medical 
information, and email communications. This vulnerability also made it 
easier for attackers to deceive consumers into downloading malware onto 
any affected Lenovo laptop. The risk that this vulnerability would be 
exploited increased after February 19, 2015, when news of these 
vulnerabilities became public and bloggers posted instructions on how 
the vulnerabilities could be exploited.
    The complaint alleges that Lenovo failed to discover these 
significant security vulnerabilities because it failed to take 
reasonable measures to assess and address security risks created by 
third-party software it preinstalled on its laptops. Specifically, 
Lenovo allegedly:
     Failed to adopt and implement written data security 
policies applicable to third-party preinstalled software;
     failed to adequately assess the data security risks of 
third-party software prior to preinstallation;
     failed to request or review any information prior to 
preinstallation about Superfish's data security policies, procedures or 
practices;
     failed to require Superfish by contract to adopt and 
implement reasonable data security measures;
     failed to assess VisualDiscovery's compliance with 
reasonable data security standards; and
     failed to provide adequate data security training for 
employees responsible for testing third-party software.
    The complaint alleges that Lenovo's failure was an unfair act that 
caused or was likely to cause substantial consumer injury that 
consumers could not reasonably avoid, and that there were no 
countervailing benefits to consumers or competition.
    The Commission's complaint also alleges that Lenovo failed to make 
adequate disclosures about VisualDiscovery to consumers. Lenovo did not 
disclose to consumers that it had preinstalled VisualDiscovery prior to 
purchase, and the software had limited visibility on the consumer's 
laptop. Lenovo only disclosed VisualDiscovery through a one-time pop-up 
window the first time consumers visited a shopping Web site that 
stated,
    Explore shopping with VisualDiscovery: Your browser is enabled with 
VisualDiscovery which lets you discover visually similar products and 
best prices while you shop.
    The pop-up window contained a small opt-out link at the bottom of 
the pop-up that was easy for consumers to miss. If a consumer clicked 
on the pop-up's `x' close button, or anywhere else on the screen, the 
consumer was opted in to the software.
    The complaint alleges that this pop-up window's disclosures were 
inadequate and violated Section 5 of the FTC Act by failing to 
disclose, or failing to disclose adequately, that VisualDiscovery would 
act as a man-in-the-middle between consumers and all the Web sites they 
visited, including encrypted https://websites, and collect and transmit 
certain consumer Internet browsing data to Superfish. These facts would 
be material to consumers' decisions whether or not to use 
VisualDiscovery.
    The complaint also alleges that Lenovo's preinstallation of the ad-
injecting software that, without adequate notice or informed consent, 
acted as a man-in-the-middle between consumers and all the Web sites 
they visited, including encrypted https://websites, and collected and 
transmitted certain consumer Internet browsing data to Superfish was an 
unfair act that caused or was likely to cause substantial injury to 
consumers, and that was not offset by countervailing benefits to 
consumers or competition and was not reasonably avoidable by consumers.
    The proposed consent order contains provisions designed to prevent 
Lenovo from engaging in similar acts and practices in the future.
    Part I of the proposed order prohibits Lenovo from making any 
misrepresentations about certain preinstalled software on its personal 
computers.
    Part II of the proposed order requires Lenovo to obtain a 
consumer's affirmative express consent, with certain limited 
exceptions, prior to any preinstalled software a) injecting 
advertisements into a consumer's Internet browsing session, or b) 
transmitting, or causing to transmit, the consumer's personal 
information to any person or entity other than the consumer. Lenovo 
must also provide instructions for how consumers can revoke their 
consent to the software's operation by providing a reasonable and 
effective means for consumers to opt out, disable or remove the 
software.
    Parts III and IV of the proposed order require Lenovo to implement 
a mandated software security program that is reasonably designed to 
address security risks in software preinstalled on its personal 
computers, and undergo biennial software security assessments of its 
mandated software security program by a third party.
    Parts V through IX of the proposed order are standard reporting and

[[Page 43016]]

compliance provisions. Part V requires dissemination of the order now 
and in the future to all current and future principals, officers, 
directors, and managers, and to persons with managerial or supervisory 
responsibilities relating to Parts I-IV of the order. Part VI mandates 
that Lenovo submit a compliance report to the FTC one year after 
issuance, and then notices, as the order specifies, thereafter. Parts 
VII and VIII requires Lenovo to retain documents relating to its 
compliance with the order for a five-year period, and to provide such 
additional information or documents necessary for the Commission to 
monitor compliance. Part IX states that the Order will remain in effect 
for 20 years.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
Donald S. Clark,
Secretary.

Statement of Acting Chairman Maureen K. Ohlhausen in the Matter of 
Lenovo, Inc.

    I support this important case and the strong settlement. I write 
separately to caution against an over broad application of our failure 
to disclose (sometimes called ``deceptive omission'') authority. We 
should hew to longstanding case law and avoid circumventing 
congressionally-established limits on our authority. I therefore 
respectfully disagree with my colleague's position that we should 
expand Count I to allege additional failures to disclose.
    Most FTC deception cases involve an express misrepresentation 
(``This sugar pill cures cancer'') or an express statement that gives 
rise to an implied claim that is false or misleading (``Many people who 
take this sugar pill don't die of cancer'').
    Although the FTC and the courts have also recognized that a failure 
to disclose can be deceptive, this has limits.\1\ For every product 
there is a potentially enormous amount of information that at least 
some consumers might wish to know when deciding whether to purchase or 
use it.\2\ Copious disclosures would be both impractical and unhelpful, 
and the law sensibly does not require sellers to disclose all 
information that a consumer might find important.
---------------------------------------------------------------------------

    \1\ International Harvester Co., 104 FTC 949 (1984), represents 
the Commission's most comprehensive effort to define deceptive 
omissions, and that framework remains in place today. See also, 
Cliffdale Associates, Inc., 103 FTC 110, App. A at 2 (1984) 
(``Deception Statement'').
    \2\ International Harvester, 104 FTC at 1059 (explaining why the 
FTC does not treat pure omissions as deceptive).
---------------------------------------------------------------------------

    Thus, the FTC has generally found a failure to disclose to be 
deceptive in two categories of cases. First, the FTC has found ``half-
truths'' to be deceptive, where a seller makes a truthful statement 
that creates a material misleading impression that the seller does not 
correct.\3\ Most of the FTC's failure to disclose cases are half-truth 
cases, and many could be restyled as cases of implied false or 
misleading claims. For example, a complaint addressing the claim that 
``Many people who take this sugar pill don't die of cancer'' could 
allege an implied false claim that the pill cures cancer, or could 
allege a deceptive failure to disclose that the pill does not reduce 
the chances of dying from cancer.
---------------------------------------------------------------------------

    \3\ Id. at 1057-58.
---------------------------------------------------------------------------

    Second, and less frequently, the FTC has found a seller's silence 
to be deceptive ``under circumstances that constitute an implied but 
false representation.'' \4\ Such implied false representations can 
arise from ``ordinary consumer expectations as to the irreducible 
minimum performance standards of a particular class of good.'' \5\ 
Stated differently, offering a product for sale implies that the 
product is ``reasonably fit for [its] intended uses,'' and that it is 
``free of gross safety hazards.'' \6\ If the product does not meet 
ordinary consumer expectations of minimum performance, or if the 
product is not reasonably fit for its intended uses, the seller must 
disclose that. For example, it would be deceptive for an auto dealer to 
sell, without a disclosure, a normal-looking car with a maximum speed 
of 35 miles per hour.\7\ Consumers expect cars to be able to reach 
highway speeds, and thus the dealer must disclose to the buyer that the 
car does not meet that ordinary expectation.
---------------------------------------------------------------------------

    \4\ Id. at 1058.
    \5\ Id.
    \6\ Id. at 1058-59.
    \7\ Id. at n.29.
---------------------------------------------------------------------------

    In such cases, an omission is misleading under the FTC Act if the 
consumers' ordinary fundamental expectations about the product were 
violated. Mere annoyances that leave the product reasonably fit for its 
intended use do not meet this threshold.\8\ Thus, a dealer's failure to 
disclose that some might find a car's seatbelt warning to be annoyingly 
loud would not be a deceptive omission because consumers have no 
ordinary expectations about car seatbelt warnings that would mislead 
them absent a disclosure.
---------------------------------------------------------------------------

    \8\ Id. at 1058; Deception Statement at n.4 (``Not all omissions 
are deceptive, even if providing the information would benefit 
consumers . . . Failure to disclose that the product is not fit 
constitutes a deceptive omission.'')
---------------------------------------------------------------------------

    As International Harvester sets out at length, a deceptive omission 
is distinct from an unfair failure to warn or other forms of unfair 
omissions.\9\ The FTC has brought such cases under its unfairness 
authority where it has met the statutorily mandated higher burden of 
showing that the conduct causes or is likely to cause substantial 
consumer injury that is not reasonably avoidable by the consumer and is 
not outweighed by benefits to consumers or competition.\10\
---------------------------------------------------------------------------

    \9\ Id. at 1051 (``It is important to distinguish between the 
circumstances under which omissions are deceptive . . . and the 
circumstances under which they amount to an unfair practice.'').
    \10\ 15 U.S.C. 45(n).
---------------------------------------------------------------------------

    Turning to the case at hand, the complaint alleges that 
VisualDiscovery advertising software on Lenovo laptops acted as a man-
in-the-middle between consumers and the Web sites they visited. As 
such, the software had access to all secure and unsecure consumer-Web 
site communications and rendered useless a critical security feature of 
the laptops' web browsers. Such practices introduced gross hazards 
inconsistent with ordinary consumer expectations about the minimum 
performance standards of software. As a result, the man-in-the-middle 
functionality and the problems it generated made VisualDiscovery unfit 
for its intended use as software. Thus, Count I properly alleges that 
Lenovo failed to disclose, or disclose adequately, that VisualDiscovery 
acted as a man-in-the-middle.\11\
---------------------------------------------------------------------------

    \11\ Count I of the complaint is pled in the form of a half-
truth, but could also be pled as a failure to correct a false 
representation implied from circumstances, and so I address 
Commissioner McSweeny's argument as framed.
---------------------------------------------------------------------------

    Although Commissioner McSweeny and I both support Count I, she 
would add allegations that Lenovo failed to disclose that 
VisualDiscovery injected ads into shopping Web sites and slowed web 
browsing. She argues that the injected ads and slowed web browsing 
altered the internet experience of consumers, and thus VisualDiscovery 
failed to meet ``ordinary consumer expectations as to the irreducible 
minimum performance standards of [that] particular class of good.'' 
\12\
---------------------------------------------------------------------------

    \12\ Statement of Commissioner Terrell McSweeny at 1 (citing 
International Harvester, 104 FTC at 1058).

---------------------------------------------------------------------------

[[Page 43017]]

    I respectfully disagree. Lenovo failed to disclose that 
VisualDiscovery would act as a man-in-the-middle. However, Lenovo did 
disclose that the software would introduce advertising into consumers' 
web browsing, although its disclosure could have been better. 
Furthermore, to the extent ordinary consumers expect anything from 
advertising software, they likely expect it to affect their web 
browsing and to be intrusive, as the popularity of ad blocking 
technology shows. In addition, unlike the man-in-the-middle technique, 
VisualDiscovery's ad placement and web browsing effects did not 
introduce gross hazards obviously outside of consumers' ordinary 
expectations for advertising software. In short, although 
VisualDiscovery's ad placement and effect on web browsing may have been 
irritating to many, those features did not make VisualDiscovery unfit 
for its intended use. Therefore, I do not find Lenovo's silence about 
those features to be a deceptive omission.
    Fortunately, the outcome in this case does not depend on resolving 
our disagreement on the application of deceptive omission to 
advertising software. My goal in writing separately is to maintain the 
clear distinction set forth in International Harvester between 
deceptive failures to disclose and unfair omissions.\13\ When 
evaluating the legality of a party's silence, we must be careful not to 
circumvent unfairness's higher evidentiary burden by simply restyling 
an unfair omission as a deceptive omission.
---------------------------------------------------------------------------

    \13\ International Harvester, 104 FTC at 1051.
---------------------------------------------------------------------------

Statement of Commissioner Terrell McSweeny in the Matter of Lenovo, 
Inc.

    I support the Commission's complaint against Lenovo, but I am 
troubled by conduct in this case that the Commission fails to 
challenge. According to the complaint, Lenovo, Inc. preinstalled 
software on computers that was designed to serve advertisements to 
consumers while they were browsing Web sites. The software, called 
VisualDiscovery, acted as a ``man-in-the-middle'' between the consumers 
and all of the Web sites with which they communicated. It allegedly 
actively contravened the security posture of consumers' computers, 
leaving them vulnerable both to attack from cyber-criminals and to 
transmitting personal information across the web to Superfish, Inc. 
servers. These unfair practices violate the Federal Trade Commission 
Act and are appropriately challenged by the FTC in Counts II and III of 
the complaint.
    But Lenovo's unlawful conduct went beyond the data security 
failings alleged in the complaint. The complaint also describes how the 
software it preinstalled on computers would: (1) Inject pop-up ads 
every time consumers visited a shopping Web site; and (2) disrupt web 
browsing by reducing download speeds by almost 25 percent and upload 
speeds by 125 percent. These facts were not disclosed to consumers and 
these omissions were deceptive.
    Moreover, the FTC alleges that the VisualDiscovery software was 
designed to be difficult to discover. Consumers were initially made 
aware of the existence of the VisualDiscovery software via a pop-up 
window the first time they visited an ecommerce site. But clicking to 
close that window opted consumers into the program. The initial pop-up 
window failed to disclose that VisualDiscovery would follow the 
consumers from shopping site to shopping site; slow the performance and 
functionality of the Web sites they visited; and compromise their 
security and privacy throughout each online browsing session.
    Under Section 5 of the FTC Act, the failure to disclose information 
necessary to prevent the creation of a false impression is a deceptive 
practice.\1\ A seller's silence may make an implied representation 
``based on ordinary consumer expectations as to the irreducible minimum 
performance standards of a particular class of good.'' \2\ In this 
case, Lenovo deceptively omitted that VisualDiscovery would alter the 
very internet experience for which most consumers buy a computer. I 
believe that if consumers were fully aware of what VisualDiscovery was, 
how it compromised their system, and how they could have opted out, 
most would have decided to keep VisualDiscovery inactive.
---------------------------------------------------------------------------

    \1\ FTC Policy Statement on Deception, 103 F.T.C. 174, 175 
(1984) (appended to Cliffdale Assocs., Inc., 103 F.T.C. 110 (1984)).
    \2\ Int'l. Harvester Co., 104 F.T.C. 949, 1058 (1984).
---------------------------------------------------------------------------

    This is an exceptionally strong case and clearly articulates how 
the Commission uses its unfairness tools to protect the data security 
and privacy of consumers. I support Count I, but believe the FTC should 
have included additional deceptive conduct alleged in the complaint 
within the count. The FTC should not turn a blind eye to deceptive 
disclosures and opt-ins, particularly when consumers' privacy and 
security are at stake.

[FR Doc. 2017-19385 Filed 9-12-17; 8:45 am]
 BILLING CODE 6750-01-P