Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act.

Written by Keenan W. Ng

It was recently discovered that Lenovo has been selling laptops with preinstalled adware that creates a catastrophic security hole in the web browser, leaving users vulnerable to attack. The adware was developed by Superfish, a small company in Palo Alto. Plenty has been written about the technical aspects of the flaw, and more will follow. As the ramifications of the Superfish vulnerability play out in the community, at least two lawsuits* have been filed, and more will certainly come. One of them, Sterling International Consulting Group (“SICG”) v. Lenovo, Inc. and Superfish, Inc. (collectively, “Lenovo”), filed in the Northern District of California, alleges violations of the Computer Fraud and Abuse Act (“CFAA”) and seeks class action certification. The problem with Sterling is that the plaintiffs may have a hard time establishing the authorization element of the CFAA.

Allegations

SICG alleges Lenovo violated Section 1030(a)(5) of the CFAA:

“a. Knowingly causes the transmission of a software program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

b. Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

c. Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”

(Paragraph 54.)

SICG alleges that Lenovo pre-installed the Superfish software without authorization. (Paragraphs 55, 56.)

SICG alleges that Lenovo caused damage under each of those three sections. SICG defines “damage” as including “‘any impairment to the integrity of availability of data, a program, a system, or information,’ that causes ‘loss to 1 or more persons during any 1-year period . . . aggregating at least $5000 in value . . . .’ 18 U.S.C. §§ 1030(e)(8), 1030(a)(5)(B)(i).” (Paragraph 57.)

SICG’s “aggregate damages” exceed $5,000 and include: (1) “plaintiff and Class members will have to spend time and labor repairing their Lenovo notebook computers”; (2) “Superfish Visual Discovery program has consumed the resources and hindered the performance of plaintiff’s and Class members’ Lenovo notebook computers”; and (3) “lost personal and business opportunities, data and information and goodwill.” (Paragraph 58.)

These damages, as defined by section 1030(e), have caused SICG to suffer “an impairment to the integrity or availability of data software programs including the operating system. Such impairment has caused and will cause losses aggregating to at least $5,000 in value in any one-year period to plaintiff and Class members.” (Paragraph 61.)

Problems with the Complaint

First, while SICG pleads that it spent time repairing the computers and lost business opportunities, the face of the complaint does not show that this loss aggregates to at least $5,000. It could plead the number of hours spent and the value of that time to clear this threshold.

Second, the pleading seems to confuse “loss” and “damage.” Paragraph 57 defines “damage” as including “‘any impairment to the integrity of availability of data, a program, a system, or information,’ that causes ‘loss to 1 or more persons during any 1-year period . . . aggregating at least $5000 in value . . . .’ 18 U.S.C. §§ 1030(e)(8), 1030(a)(5)(B)(i).” Not only does 1030(a)(5)(B)(i) no longer exist (the 2008 amendments moved the $5,000 loss threshold to Section 1030(c)(4)(A)(i)(I)), but “damage” does not have a $5,000 bar to clear; “loss” does.** So, curiously, while the allegation happens to plead “loss,” it never says that it is pleading loss as opposed to damage. This confusion was probably an oversight: the firm was likely trying to file the complaint as quickly as possible to take advantage of the media attention already being paid to the issue. The muddled pleading of loss versus damage can be cleared up if SICG is given an opportunity to amend its CFAA claims.

Third, and most importantly, the “authorization” allegation may be fatal, because it is not clear that Lenovo acted without authorization. SICG alleges that Lenovo pre-installed the Superfish software before the laptops were sold to consumers and that the installation was without authorization. This implies that the power to grant or withhold authorization to install rests with the consumers who were later harmed by the software.

SICG’s theory of authorization does not work. Because Lenovo owned the laptops at the time Superfish was installed, it was authorized to access the computers and install the software. The Northern District of California appears to share the view that native installations by hardware manufacturers are not “without authorization,” because the end user purchased the device with the software pre-installed and thereby consented to its operation. See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1066 (N.D. Cal. 2012) (“Apple had authority to access the iDevice and to collect geolocation data as a result of the voluntary installation of the software (either as an update or as a native installation)”).

Moreover, under SICG’s theory, would every pre-loaded application on a computer or smartphone be a potential CFAA violation (setting aside the issues of damage and loss)? Would a laptop with Superfish installed, but never sold, violate the CFAA? Probably not. Because Lenovo installed the software on computers it owned at the time, it was authorized to install Superfish.

Once the laptop was sold and ownership was shifted to the consumer, then the consumer possesses authority to deny or grant authorization. So, if the software was installed after the laptop sale, a plausible CFAA violation could exist. But not before ownership changed hands.

On a final note, I am interested to see how a court might interpret the mens rea standard of Section 1030(a)(5)(A), because there are potentially two mens rea standards to apply. (I think it is the only clause with both a “knowing” and an “intentional” standard built in.) Section 1030(a)(5)(A) makes it a CFAA violation to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer.” It is clear the defendant has to act “knowingly” when transmitting the program. But does the defendant have to “intentionally” seek to cause damage without authorization when transmitting it? Or does the program itself have to “intentionally” cause damage, that is, must it be programmed with the specific purpose of causing destruction?

For example, is it a CFAA violation to knowingly transmit a program that was designed to intentionally cause damage if you did not know about its destructive properties? Or does a defendant have to knowingly transmit a destructive program and intend for it to cause destruction? Why not make both standards “intentional”?

Superfish is definitely a problem, and Lenovo may have some liability for pre-installing the software and potentially exposing its customers to a significant security vulnerability. But if this case is litigated, I suspect the CFAA claims may be dismissed at the pleading stage.

* The other lawsuit is Bennett v. Lenovo, Inc., et al., filed on February 19, 2015 in the Southern District of California.

** “Loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Section 1030(e)(11).
