Savvy consumers are generally aware that new computers often include pre-installed software. However, most consumers do not realize that lurking behind their screens is software that computer manufacturers include to pad profit margins. And, because such pre-installed software is often harmless (if obnoxious), it is often called bundled software, bloatware or – the most vulgar reference – crapware. However, in 2014, as part of its standard pre-installed software packages on its laptops, Lenovo included VisualDiscovery, an advertising software developed by Superfish, Inc. Among many things, the software delivered pop-up ads from Superfish’s retail partners’ products whenever a consumer’s cursor hovered over a similar-looking product. To make those pop-up ads possible, the software meddled in the interaction between browsers and websites in, as the Federal Trade Commission (FTC) called it in its complaint against Lenovo, a “man-in-the-middle” role.
Earlier this week, the FTC and 32 state attorneys general announced that they settled complaints against Lenovo. The FTC’s complaint included three FTC Act violations. Under count one, the FTC alleged that Lenovo’s failure to disclose that the software would act as a man-in-the-middle between consumers and all websites, including encrypted websites, was a deceptive act or practice. In count two, the FTC alleged that Lenovo committed an unfair act by not adequately disclosing, or obtaining informed consent from the consumer, that the pre-installed software could cause substantial injury to consumers by leaving a user’s sensitive personal information vulnerable to hackers in certain situations. Finally, under count three, the FTC alleged that Lenovo’s failure to take reasonable measures to address the security risks created by the software constituted unfair security practices.
The settlement prohibits Lenovo from misrepresenting any features of pre-installed software on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. Additionally, the settlement agreement requires Lenovo to obtain consumers’ affirmative consent before installing similar software.
What we found most interesting, however, are FTC Acting Chairman Ohlhausen’s and FTC Commissioner McSweeny’s statements about the case. That is, even though Acting Chairman Ohlhausen and Commissioner McSweeny both voted to issue the FTC’s complaint and accept the settlement, they both issued conflicting concurring statements about the scope of the FTC’s authority to bring deceptive omission cases. In her statement, Commissioner McSweeny asserted that Lenovo’s conduct went beyond what was alleged in the complaint. She argued that Lenovo, by not disclosing to consumers that the pre-installed software would inject pop-up ads and that such activity would disrupt web browsing, deceptively omitted material facts relevant to consumers. She explicitly asserted that “Lenovo deceptively omitted that VisualDiscovery would alter the very internet experience for which most consumers buy a computer.” To that point, she believes that consumers would have deactivated VisualDiscovery if they had been fully aware of its purpose and effect on the computer.
Arguing in opposition of a challenge of deceptive omission, the Acting Chairman in her statement cautioned against the FTC’s over-broad application of its deceptive omission authority. Specifically, she took the position that Lenovo’s silence about VisualDiscovery’s ad-placement issues and web-browsing effects, while perhaps irritating to consumers, did not rise to the level of a deceptive omission. She further stated that it is critical for the FTC to maintain a clear distinction between deceptive omission and unfair omissions and that “[w]hen evaluating the legality of a party’s silence, [the FTC] must be careful not to circumvent unfairness’s higher evidentiary burden by simply restyling an unfair omission as a deceptive omission.”
Drawing the line on what constitutes an actionable “deception by omission” can be a hard call. Jamming a computer with the software in question here does not seem like such a hard call. Probably seemed like a good idea at the time.