The recent dust-up over a program called Superfish has left many computer users on edge and caused heartburn for major hardware manufacturer Lenovo. What happened reminds us of an unsettling truth: Chasing down just who is responsible for what can be an extremely challenging proposition as companies insert computer code from other firms into their products, creating a nest of relationships that is hard to untangle and puts users at risk.
Lenovo has run into problems doing what PC makers have been doing for years, which is installing all manner of third-party software on the machines they sell to consumers. Much of this stuff is junk, but making it available allows the manufacturers to make extra money. Theoretically, consumers can remove the programs if they don’t want them, which makes learning how to uninstall programs a priority. The infuriating thing is that completely cleaning a PC of a heavy bloatware presence can take time and no little effort, even using an uninstaller program.
The list of bloatware (it has other, less flattering names among PC users) is lengthy, and not all of it is junk. You might use Skype to begin with, so getting it preinstalled might not be a problem, but wouldn’t it be better to make that decision by yourself? The same holds true for trial packages of Norton Internet Security, or HP’s Snapfish online photo printing service, or any number of preinstalled games that are designed to suck you into paying for upgrades.
Superfish went a step further, though. It’s a form of visual search technology, a kind of software under intense study by major players such as Google that can recognize images you view online and figure out what they are without descriptive text. The idea is to check the pictures you look at online and offer ads for the same kind of products. The algorithms behind this are actually quite interesting and have real promise in the world of online shopping.
The problem with Superfish, though, is that the company behind it (a Silicon Valley startup) used software from yet another company, telling the Associated Press that a firm in Israel called Komodia had unintentionally introduced a security flaw into its Superfish code. Whatever the case, Superfish on Lenovo laptops was allowing hackers to eavesdrop when Internet users went to secure websites, meaning personal data of all kinds could be at risk.
So clear was the danger that the Department of Homeland Security issued an alert to Lenovo customers saying they should remove the Superfish software because of hacking dangers. But at this point it’s still unclear how widespread the problem is, for presumably the rogue code, from Komodia or whatever source, could find its way to other companies’ machines. Lenovo is releasing an automated tool that will remove Superfish from its laptops, and I see that Microsoft has updated Windows Defender to get rid of the malicious programming.
I’m sure Lenovo, which makes excellent machines, will recover from this gaffe, but the problem is instructive. For one thing, many of us are using computers loaded with preinstalled software that we don’t think about and don’t use but have to cope with every time it slows down our machines. For another, intrusions and hacker attacks aren’t always traceable to a single source, but often evolve through one company’s products becoming entwined with another’s.
This is not a good combination. And there is a lesson here for hardware manufacturers, even after the Superfish issue is cleared up. What kind of goodwill does a company create by dumping marginal programs into computers bearing its brand? Even without the added insult of malware, most of these programs compromise performance and, with popups and other nagging alerts, build frustration. A smart PC maker will lose the bloatware and try to rebuild trust.
Paul A. Gilster is the author of several books on technology.