Lenovo seems to be testing the boundaries of trust.
First came the Superfish scandal where they were found to be pre-loading ad software that was so poorly implemented that it left victims/customers vulnerable to serious security flaws.
Then, Lenovo software was discovered on a fresh install of the retail edition of Windows. Lenovo had been modifying the BIOS to ensure that, no matter what a customer did, their software got installed. And this was software that both The Register and ExtremeTech referred to as "crapware". That the software (the Lenovo Service Engine) was buggy just made a bad situation worse. In the end, Lenovo updated the BIOS so that it no longer mucks around with the installed copy of Windows.
Both cases involved consumer machines. In their statement about the Lenovo Service Engine software, the company noted that "The software does not come loaded on any Think-branded PCs."
On a recent edition of the Security Now podcast, Steve Gibson read a note from a listener saying that while Lenovo was corrupting their consumer PCs, they have kept their hands off the ThinkPad line. Both Gibson and the show host, Leo Laporte, proceeded to sing the praises of ThinkPads.
But there's more to the story.
Back in October 2014, I purchased a refurbished ThinkPad T520 laptop from IBM. In June of this year, I purchased a refurbished T420 ThinkPad, again from IBM. Both shipped with fresh copies of Windows 7 Professional.
When I examined the task scheduler database on these machines I found a troubling entry in each.
Thanks to the TaskSchedulerView program, which I wrote about last month, it's easy to see the scheduled tasks in Windows. TaskSchedulerView is free, portable and comes from Nir Sofer, whom I consider a reliable source. The program provides a simple spreadsheet-like interface to the Task Scheduler database.
The task that gave me pause is called "Lenovo Customer Feedback Program 64". It was running daily. According to the description in the task scheduler: "This task uploads Customer Feedback Program data to Lenovo".
I have set up my fair share of new Lenovo machines and can't recall ever being asked about a Customer Feedback program.
The program that runs daily is Lenovo.TVT.CustomerFeedback.Agent.exe, and it resides in the folder C:\Program Files (x86)\Lenovo\Customer Feedback Program.
Other files in this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.
According to Wikipedia, Omniture is an online marketing and web analytics firm, and SiteCatalyst (since renamed) is their software as a service application for client-side web analytics.
So, while there may not be extra ads on ThinkPads, there is some monitoring and tracking.
On the one hand this is surprising because the machines were refurbished and sold by IBM. On the other hand, considering Lenovo's recent history, it's not surprising at all.
Poking around the Lenovo directory, I found that the folder C:\Program Files (x86)\Lenovo\MetricCollectionSDK\licenses contained RTF files in different languages. The English version is the file ILAENG.rtf, and it starts off with:
Lenovo License Agreement
This Lenovo License Agreement (the “Agreement”) applies to each Lenovo Software Product that You acquire, whether it is preinstalled on or included with a Lenovo hardware product, acquired separately ... Lenovo will license the Software Product to You only if You accept this Agreement. You agree to the terms of this Agreement by clicking to accept it or by installing, downloading, or using the Software Product.
Seems like it only applies to Lenovo software.
Later, the License Agreement says:
Lenovo will collect basic information about what applications, services, and offers you choose during system setup. In order to make your experience more useful and enjoyable we may also collect information on how you use Lenovo applications. If you decide at any time you'd like us to stop collecting information on how you use Lenovo applications, you may open Settings and turn off Usage statistics. These processes do not involve the collection of any personally identifiable information.
OK, so you can disable it in "Settings". What settings? Where? It doesn't say.
Whatever it was designed to do, it's not doing it any more on my laptops. On each machine I used TaskSchedulerView to disable the task and, for good luck, I also renamed the C:\Program Files (x86)\Lenovo folder.
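For readers who would rather do the same check from a prompt, here is an added example (not from the original post) that inventories scheduled tasks whose name or executable path mentions Lenovo, then disables the Customer Feedback task instead of deleting it. It uses the Schedule.Service COM API, which exists on Windows 7 as well as later versions; the search string and the task name are assumed from this post and should be adjusted for other vendors.

```powershell
# Added example: list scheduled tasks tied to Lenovo and disable the feedback task.
# Run from an elevated PowerShell prompt. Works on Windows 7 and later (COM API).
$pattern = 'Lenovo'                                  # assumed search string
$disable = 'Lenovo Customer Feedback Program 64'     # task name as seen in the post

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$root = $svc.GetFolder('\')

# Walk every task folder; GetTasks(1) also returns tasks flagged as hidden.
function Get-AllTasks($folder) {
    foreach ($t in $folder.GetTasks(1)) { $t }
    foreach ($f in $folder.GetFolders(0)) { Get-AllTasks $f }
}

# Human-readable names for the common ITrigger.Type values.
$triggerNames = @{ 1 = 'Once'; 2 = 'Daily'; 3 = 'Weekly'; 4 = 'Monthly'; 6 = 'Idle'; 8 = 'Boot'; 9 = 'Logon' }

$report = foreach ($task in Get-AllTasks $root) {
    $def = $task.Definition
    # Only TASK_ACTION_EXEC actions (Type 0) have a program path and arguments.
    $exec = @($def.Actions | Where-Object { $_.Type -eq 0 } |
              ForEach-Object { "$($_.Path) $($_.Arguments)".Trim() })
    if ($task.Name -notmatch $pattern -and -not ($exec -match $pattern)) { continue }

    [pscustomobject]@{
        Task        = $task.Path
        Enabled     = $task.Enabled
        Schedule    = ($def.Triggers | ForEach-Object {
                          $n = $triggerNames[[int]$_.Type]; if ($n) { $n } else { "Type$($_.Type)" }
                      }) -join ','
        Runs        = $exec -join '; '
        LastRun     = $task.LastRunTime
        Description = $def.RegistrationInfo.Description
    }
}
$report | Format-List

# Disable rather than delete, so the change is reversible and still visible in an audit.
foreach ($task in Get-AllTasks $root) {
    if ($task.Name -eq $disable -and $task.Enabled) {
        $task.Enabled = $false
        "Disabled $($task.Path)"
    }
}
```

The report shows the same fields TaskSchedulerView exposes (path of the executable, trigger type, last run time and the task's own description), which is enough to spot a daily upload task that the vendor never asked you about.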
Then, turning to my favorite search engine, I found another explanation of this tracking in Lenovo support document HT102023: Lenovo systems may include software components that communicate with servers on the internet - All ThinkCentre, All ThinkStation, All ThinkPad.
Interestingly, this document was last updated February 27, 2015, just after the Superfish fiasco.
Lenovo says here that all ThinkPad, ThinkCentre and ThinkStation PCs, running Windows 7 and 8.1, may upload "non-personal and non-identifying information about Lenovo software application usage" to 112.2o7.net.
This functionality is implemented in two programs: Lenovo.TVT.CustomerFeedback.Agent.exe and LenovoExperienceImprovement.exe.
Here too, Lenovo points out that "The behavior is documented in the End User License Agreement that all users must read and accept prior to using their Lenovo system for the first time".
Want to see that EULA now? The document says that it can be found in the C:\windows\system32\oobe\info folder. The folder contains 39 files. Which is the EULA? It doesn't say.
Apparently, the reason I only ran across one of the two phone-home EXEs is that the Lenovo Experience Improvement system uninstalls itself after 90 days. The document mentions that it can also be manually uninstalled from the Control Panel "Programs and Features", where it is listed as "Lenovo Experience Improvement".
Lenovo repeatedly mentions, in document HT102023, that the data they collect is not "personally identifiable information". They also state that the only apps for which they collect data are their own. And Lenovo.TVT.CustomerFeedback.Agent.exe gets a clean bill of health at VirusTotal, where it was first seen in May of 2014.
Had this been any other PC vendor, this might be a triviality. Certainly Microsoft is doing far more tracking in Windows 10.
But trust is the price Lenovo pays for their previous behavior. Those of us that recall the company's initial reaction to Superfish, dismissing it out of hand, have a hard time trusting them again.
If you use a Lenovo Windows computer, do yourself a favor and check out the task scheduler database with TaskSchedulerView.
- - - -
Update October 20, 2015: For more on this, and Lenovo's response to it, see my next blog Trusting Lenovo.