Listen to Your Engineers: On Lenovo, Superfish and Business Ethics

26 February 2015

Earlier this week, news broke that Lenovo has been shipping computers with pre-installed malware in order to analyze images on the web and insert relevant advertisements, in one of those deals where a vendor is paid to install certain software on their computers before they are delivered. This is, in itself, horrible treatment of their customers. In order to do this effectively, the program, Superfish, is designed to intercept all encrypted connections, the security backbone of the web. Your connection being encrypted is what protects your passwords, your online banking activity, your credit card shopping and so on. What’s worse, once the certificate has been extracted and the password cracked, it’s open to so-called third-party man-in-the-middle attacks, meaning that Superfish can be used for far more malicious purposes than just injecting ads, by basically anyone, and suddenly that banking activity, that credit card information and those passwords aren’t quite as secure any more.

It’s probably legal, of course, agreed to by one of those user agreements no one ever reads. Nevertheless: Lenovo has knowingly installed software that tampers with the security of their users’ encrypted traffic, software that installs its own root CA certificate. The certificates are used to make sure you’re actually connected to the site you think you’re connected to, and not sending your information somewhere else. Thus your browser is fooled into thinking everything is fine and in order. There’s no way Lenovo didn’t know what they did. Someone must have understood the magnitude of the decision. Very possibly not the persons who made it. What baffles me the most is the sheer stupidity of it all. Pre-installed adware is one thing; pre-installed adware that tampers with basic online security is another thing entirely.
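The practical check that follows from this is whether an unexpected root CA is sitting in the machine’s trust store. The PowerShell audit below is an added example, not part of the original post or of any Lenovo tooling; it assumes a Windows machine and that the certificate’s subject contains the string "Superfish", which is an assumption about its name rather than something established here.

```powershell
# Added example: audit the Windows root stores for an unexpected, self-signed CA.
# Matching the subject on "Superfish" is an assumption about the certificate name.
function Find-UnexpectedRootCA {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$SubjectPattern = 'Superfish'
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object {
                # A root CA is self-signed: subject and issuer are identical.
                $_.Subject -eq $_.Issuer -and $_.Subject -match $SubjectPattern
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    # A trusted root whose private key lives on the same machine is
                    # exactly what allows local interception of encrypted traffic.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Report findings; removing the root is a separate, deliberate remediation step.
$found = Find-UnexpectedRootCA
if ($found) {
    $found | Format-Table -AutoSize
    # Remediation, once confirmed:
    # $found | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) }
} else {
    Write-Output 'No matching root CA found in the audited stores.'
}
```

Run it from an elevated PowerShell session so the LocalMachine store is readable in full; a hit with HasPrivateKey set to True is the condition the paragraph above warns about.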

Here’s where a bit of company ethics would have made very good business sense. In no way can they have made enough money for this to be a good deal for Lenovo, especially if it is true, as they claim, that they didn’t make any substantial money from the deal. It will hurt them. And it will hurt them for the best of reasons: they did wrong. Worst case, they knew it all the time and hoped not to be discovered. Best case, they didn’t listen to those who tried to explain what they were doing. Sometimes there’s a lot of money to be made from morally repulsive decisions, unfortunately, but there’s risk too, and there’s a certain ruthlessness to the delight we take in seeing companies punished for their missteps. And someone at Lenovo must have known all along that it was going to end exactly like this.

Listen to your engineers. They will understand the implications of what you’re inflicting on your company and customers. And more often than not, among them you can find people who can serve as a sound ethical foundation.

Further technical reading