In February 2015 the public discovered that new Lenovo laptops shipped with Microsoft Windows came preinstalled with “Superfish”, software which allowed, among other things, spying on users’ web connections even when those connections were encrypted. You can read more about Lenovo/Superfish on Ars Technica and Wikipedia. Lenovo claims that laptops shipped between October and December 2014 have Superfish preinstalled, and Lenovo claims it won’t resume shipping Superfish. But why trust them?
The Free Software Foundation (FSF) calls on Lenovo “to create and sell laptops that are certified to respect user freedom and come with a preinstalled free operating system”. The FSF also points out the difference between deliberate proprietary security exploitation (such as what was done with Superfish) and free software privacy mistakes (such as what happened with Heartbleed and POODLE):
Recent high-profile security vulnerabilities in free software, like Heartbleed and POODLE, were created when well-intentioned developers made mistakes that were difficult to detect. But this is different — Lenovo and Superfish caused a massive security breach for the sake of expedience in generating ad revenue.
Digital Citizen agrees with this call. Lenovo can set a trend for respecting user freedom by working with the FSF and the FSF’s Respects Your Freedom campaign to produce laptops that respect the user’s freedom right out of the box.
Update (2015-02-22): Ars Technica has published an article saying that there are now 14 known programs using the same code, which leaves users unable to defend themselves against spying on encrypted websites. The article also reminds us that “Superfish CEO Adi Pinhas issued a statement on Friday saying Superfish software posed no security risk”. It’s worth keeping this in mind the next time you hear any proprietary software vendor tell you their software is secure. Free software offers no guarantee of security, but software freedom lets you inspect the program to make sure it does only what you want it to do, alter the program until it meets your needs, and distribute the program to help others. Proprietary programs are an unknown quantity: you can’t tell all of what they do because you have no complete corresponding source code, you have no distribution rights so you can’t help others or get much help from them, and some proprietary programs even restrict when they may be run.