My previous blog, about hidden Lenovo tracking software on their Think-branded PCs, generated a bigger reaction than any of my previous blogs, and I have been writing about Defensive Computing for more than eight years.
I don't consider the Lenovo software that I accidentally stumbled across to be spyware. The word "spyware" never appeared in my previous blog. Neither did I call it malware.
Yet, just hours after the blog went live, the spyware meme started.
Cory Doctorow wrote about "Yet another pre-installed spyware app discovered on Lenovo computers". Softpedia wrote that "Lenovo Laptops and Computers Come with Pre-Installed Spyware". Chris Smith of BGR wrote that "Lenovo caught yet again spying on Windows PC users". Mohul Ghosh added that "Lenovo Laptops Again Found To Carry Pre-Installed Spywares Which Sends Usage Data To 3rd Party".
To me, it's a stretch to label something as spyware when the company that produced the software documents its behavior.
If this documentation was purposely wrong, then it would certainly be spyware. That Lenovo has revised their documentation multiple times since my blog was published shows that it was, at least in part, wrong. We have to judge for ourselves whether the omissions were purposeful or an oversight.
If the software were collecting more data than Lenovo claims, that too would make it spyware. I did not test this, but Michiel Hendriks did, and he concluded that the software was harmless, writing:
What this customer feedback tool actually does is update entries from the "event log" called "Lenovo-Customer Feedback" ... The kind of things logged appear to be events for the various Lenovo tools, like starting and which Lenovo system update you installed. (Along with data about your hardware/OS) ... the collected data looks mostly harmless and somewhat anonymous, as far as posting data to a website with a stored ID can be considered harmless.
I do not know Mr. Hendriks, and he did not explain his methods. That said, his analysis seems much too detailed to be a prank, and there is indeed an event log called "Lenovo-Customer Feedback".
All that said, Lenovo certainly tried to keep the software hidden, which raises the question: why? If there was nothing to hide, why didn't Lenovo step into the light and fully inform their customers about what they were/are doing?
You can look for the tracking software I discovered in the list of installed software, but you won't find it. As I recounted last time, I found the software (Lenovo.TVT.CustomerFeedback.Agent.exe) by accident while looking into the newly released TaskSchedulerView from Nir Sofer.
The Lenovo software also hides from Autoruns, a great, free program by Mark Russinovich of Microsoft. Autoruns provides a full accounting of the programs that run automatically when a Windows system boots up. But, even though the Lenovo Customer Feedback software runs daily, it doesn't run at start-up, so Autoruns ignores it.
And, the existence of the software is hidden behind a EULA presented the first time Windows starts up, something no one ever reads. I found the document describing the software with my favorite search engine, but, without knowing about the software in the first place, no Lenovo customer would find this documentation.
TURNING IT OFF
Lenovo offers two approaches to disabling their customer feedback system (a.k.a. "Application usage data"): you can either stop the data collection or stop the data upload.
Twelve Lenovo apps feed data into a collector. Seven of them have a configuration option that turns off the data collection; four of them do not. To prevent these four applications from collecting data, they have to be un-installed. The twelfth one, Lenovo QuickDisplay, can be tweaked on Windows 8 to not collect data but has to be un-installed on Windows 7.
Got that? If not, then Plan B is to allow the Lenovo apps to collect data, but prevent the data from being uploaded to "a server in the United States".
You do this in the Task Scheduler, which is surely beyond the means of many Windows users, especially when you consider that Lenovo neither provides the names of the scheduled tasks that need to be deleted/disabled, nor even how many of them there are. And this is after three (or more?) recent revisions to their documentation (Sept. 25th, Sept. 29th and Oct. 16th).
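Since Lenovo's documentation names neither the scheduled tasks nor the places where the agent leaves traces, here is an added PowerShell audit script (my own example, not code from the original post or from Lenovo) that finds them on a single machine. It assumes Windows 7 or later, an elevated PowerShell prompt, and the executable name quoted above (Lenovo.TVT.CustomerFeedback.Agent.exe); the event log name comes from Mr. Hendriks' description. It uses schtasks.exe rather than Get-ScheduledTask so that it also runs on Windows 7. By default it only reports; the scheduled tasks are disabled, never deleted, and only when -Disable is passed, so the change can be reversed with `schtasks /change /tn <name> /enable`.

```powershell
# Added example (not from the original post or from Lenovo): audit a Windows PC for
# the Lenovo Customer Feedback agent described in the post.
# Assumptions: Windows 7 or later, an elevated PowerShell prompt, and the
# executable name quoted in the post. Nothing is deleted; tasks are only
# disabled, and only when -Disable is given.
param(
    [switch]$Disable
)

$AgentName = 'Lenovo.TVT.CustomerFeedback.Agent.exe'   # name taken from the post

# 1. Scheduled tasks whose action runs the agent. schtasks.exe is used instead of
#    Get-ScheduledTask because Windows 7 lacks the ScheduledTasks module.
$tasks = schtasks.exe /query /v /fo csv |
    ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -like "*$AgentName*" }

if (-not $tasks) {
    Write-Output "No scheduled task runs $AgentName."
} else {
    foreach ($t in $tasks) {
        Write-Output ("Task: {0}`n  Runs: {1}`n  State: {2}`n  Next run: {3}" -f
            $t.TaskName, $t.'Task To Run', $t.'Scheduled Task State', $t.'Next Run Time')
        if ($Disable) {
            # Disabling keeps the task definition, so it can be re-enabled later.
            schtasks.exe /change /tn $t.TaskName /disable | Out-Null
            Write-Output "  -> disabled"
        }
    }
}

# 2. Does the agent appear in Programs and Features? That list is built from the
#    Uninstall registry keys, so an entry missing here is "hidden" in the post's sense.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$listed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Lenovo*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString
Write-Output "Lenovo entries in the installed-programs list: $(@($listed).Count)"
$listed | Format-Table -AutoSize | Out-String | Write-Output
if (-not ($listed | Where-Object { $_.DisplayName -like '*Customer Feedback*' })) {
    Write-Output "No 'Customer Feedback' entry: the agent cannot be removed from Programs and Features."
}

# 3. Is the binary on disk regardless of what the installed-programs list shows?
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -Filter $AgentName -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize | Out-String | Write-Output

# 4. The event log named in the post. Each entry is one record the agent collects,
#    so reading it shows what would be uploaded.
try {
    $events = Get-WinEvent -LogName 'Lenovo-Customer Feedback' -MaxEvents 20 -ErrorAction Stop
    Write-Output "Latest entries in the 'Lenovo-Customer Feedback' log:"
    $events | Select-Object TimeCreated, Id, ProviderName, Message |
        Format-List | Out-String | Write-Output
} catch {
    Write-Output "Event log 'Lenovo-Customer Feedback' is not present on this machine."
}
```

Save it as, say, Audit-LenovoFeedback.ps1 and run it once without arguments to see what is there; run it again with -Disable only after reviewing the tasks it printed, since the match is on the executable name alone.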
TURNING THE NEW STUFF OFF
On top of what I ran across in Windows 7, Lenovo documents that they started collecting additional data in Windows 8, and continue to do so in Windows 10.
Lenovo calls these additional metrics "Preloaded application inventory data". Simply put, they want to know which of their pre-installed applications people remove. This data too, is uploaded to "a server in the United States," which you can take to mean that it does not go directly to Lenovo.
Lenovo writes that this data is only collected for the first 90 days after which the application (LenovoExperienceImprovement.exe) uninstalls itself. You can also manually uninstall it in the usual way (look for "Lenovo Experience Improvement").
To call it lame would be an understatement. Even without reading it, the fact that the "statement" displays on a web page with no date, and a 2011 copyright, sets the mood. It says:
In preparation for Windows 10, all programs preloaded on Lenovo PCs were reviewed by Lenovo and independent 3rd parties from privacy and technical perspectives and are listed in the “programs directory” in Windows, under “settings”.
After their two prior security failures (Superfish and modified BIOS), the fact that software is reviewed by Lenovo means nothing, at least to me. Then too, there is the failure to name the third parties that reviewed it. Why the secrecy?
Saying the programs are listed in a directory is, I assume, meant to imply they are not hidden. But the fact that applications consist of files in a particular folder does not mean they are not hidden. From my perspective, if the software does not appear in the list of installed Windows applications (Control Panel -> Programs and Features in Windows 7), then it is hidden. The software that I stumbled across was in the C:\Program Files (x86) folder for a long time (years?) yet no one knew about it.
Then too, just what "programs directory" are they referring to? Is it C:\Program Files or C:\Program Files (x86)?
And what the heck are the "settings" it refers to? Really, I can't even guess on this one.
Then it goes on to say:
Customers who do not want to participate, can remove the program by going into the “Control Panel”, opening “Add / Remove Programs”, clicking on the program and selecting “uninstall”.
First off, there is no one program. Their own technical document HT102023 describes 13 programs that collect data.
Then too, the 14th program, Lenovo.TVT.CustomerFeedback.Agent.exe, the one in charge of sending the data, cannot be uninstalled this way as it does not appear in the list of installed software.
And, Windows 7, 8 and 10 do not uninstall software using "Add/Remove Programs". That was Windows XP. This tells me that no techie reviewed this statement.
Lenovo needs a new PR company. Their "statement" makes me trust them even less.
OTHERS DO IT TOO
Some people wrote that Lenovo is no worse than other companies. One example given was Apple, which also tracks iOS users (see Share diagnostics and usage information with Apple).
But Apple is up-front about this and not hiding anything. Even without running across the support document, anyone concerned with privacy would look in the Privacy section of the iOS settings and see the option to turn off tracking. And, it can be easily disabled unlike the song and dance Lenovo requires.
Finally, whatever data is being collected is being uploaded to Apple, rather than a third party, such as 2o7.net. Steve Gibson, on his Security Now podcast, wondered why Lenovo sends data to a third party that does tracking and analytics. He wonders if they are making a profit selling this data.
Surprisingly, F-Secure also wants to track users of their Freedome VPN. I say surprisingly because people who pay for a VPN in the first place are those who least want to be tracked. But, they are up-front about this, as shown below.
TRUST IS THE ISSUE
As I see it, the issue with Lenovo isn't so much the specifics of what they are tracking, or whether tracking software that runs daily without appearing in the list of installed software should be considered spyware. It doesn't have to be spyware to matter. The issue is trust, and Lenovo is playing far too close to the line, especially given their prior history.
Cory Doctorow suggests that "... this kind of terrible behavior speaks to a serious deficit in the company's management and calls into question the whole firm's strategy and attitude toward its customers."
Jeremy Hellstrom of PC Perspective suggests that you "... take some time to think about how much you value your privacy and what data you are willing to share in exchange for products and services. Integrate that concern into your purchasing decisions, social media and internet usage. Hashtags are nice, but nothing speaks as loudly as your money ... "
Certainly, some are thinking: three strikes and you're out.
Microsoft too, faces huge issues of trust.
Many techies don't trust them, myself included. The recent issue of forcing Windows 10 down the throats of people running Windows 7 and 8 just illustrates the point. Even someone who likes Windows 10 may not want a 5GB installable copy of it surreptitiously downloaded onto their Windows 7 or 8 machine.
That said, switching away from Windows is hard. A transition to Linux or OS X is non-trivial in many ways. The cellphone companies probably get away with things too because switching companies is a big deal.
But anyone buying a new Windows computer can switch away from Lenovo quite easily.
DON'T TRACK ME
Finally, a Defensive Computing suggestion.
If you really don't want to be tracked on-line, consider using a Chromebook in Guest Mode connected to a VPN.
Guest mode starts you off with a clean copy of Chrome OS, and removes all traces of your activity when you log off.
Chrome OS supports two types of VPNs: L2TP over IPsec and OpenVPN. VyprVPN has a compatible (L2TP/IPsec with Pre-shared key), free, bandwidth-limited account that will get you started. No credit card is needed, just a verified email address. Connecting to a VPN from Guest Mode is a pain, but all increases in security come at the cost of convenience.