There have always been worries that the Chinese government could use its power to force homegrown technology companies like ZTE, Huawei, Qihoo 360 and Lenovo to spy on user communications, but now a bombshell has landed that shows Lenovo is forcing adware onto users' computers of its own volition.
According to Errata Security, ad-supported software on Lenovo computers called Superfish is "designed to intercept all encrypted connections… It does this in a poor way that it leaves the system open to hackers or NSA-style spies."
Superfish apparently resides on all Lenovo laptops registered after "mid-2013". Errata reports that Superfish's advertising component injects JavaScript code into web pages and installs a transparent-proxy service on the laptop that intercepts the browser's connections.
Yet Mark Hopkins, the program manager for Lenovo social media, responded about a month ago that "Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled."
The good news is that Firefox and Chrome users are not affected, even on infected Lenovo laptops. Only users of Internet Explorer are vulnerable.
But removing the adware reportedly does not solve the problem, because the root certificate is still embedded in Lenovo laptops. A savvy user must therefore manually go into the computer's settings to remove that errant certificate.
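Because the leftover root certificate is what keeps the interception trusted, a defender wants a repeatable way to find it and take it out of the Windows certificate stores rather than clicking through the certificate manager. The script below is an added example, not code from the article or from Lenovo or Superfish; it assumes the certificate's subject name contains "Superfish" (the article gives neither the exact subject nor a thumbprint) and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: locate, and optionally remove, a trusted root certificate whose
# subject contains "Superfish" from the machine-wide and per-user Root stores.
# Assumption: the certificate's subject contains the string "Superfish".
# Run without -Remove to list only; run with -Remove to delete what was listed.
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect every root certificate in either store whose subject matches.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*Superfish*' }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the machine or user Root stores.'
    return
}

foreach ($cert in $found) {
    # Print subject, thumbprint and store so the finding can be recorded before removal.
    Write-Output ("Found: {0}  Thumbprint: {1}  Store: {2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    if ($Remove) {
        # Remove-Item on the Cert: drive deletes the certificate from that store.
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Output ("Removed certificate {0}" -f $cert.Thumbprint)
    }
}
```

Listing first and removing second matters: the thumbprint printed in the first pass is what you compare against vendor or advisory information before deleting, and it is the value worth logging when the same check is rolled out across a fleet. Removing the certificate only closes the trust hole; the adware's proxy service still has to be uninstalled separately, as the article notes.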