CyberLex
CyberLex Insights on cybersecurity, privacy and data protection law

Lenovo and Superfish: Proposed Class Action Proceeds on Privacy Tort and Statutes

Posted in Cybersecurity, Internet of Things, Privacy
Carole Piovesan

A recent privacy decision regarding pre-installed software on laptops may have implications for companies operating not only in the traditional hardware space, but for those companies venturing into the burgeoning “Internet of Things” ecosystem. In short, an Ontario court declined to strike the common law and statutory privacy claims, suggesting that courts are at least willing to entertain such claims in the context of manufactured devices.

Background

Lenovo has faced several privacy-related lawsuits in Canada and the United States following its sale of laptop computers preloaded with Superfish. Superfish is a VisualDiscovery (VD) adware program that tracks a user’s Web searches and browsing activity to place targeted ads on sites visited by the user.

In Canada, a nationwide proposed class action has been commenced by plaintiff Daniel Bennett, a lawyer from St. John’s Newfoundland (see Bennett v Lenovo, 2017 ONSC 1082). Mr. Bennett recently purchased a new laptop from Lenovo’s website, which he later discovered contained the VD adware program.

Mr. Bennett alleges in the Statement of Claim that the adware program not only affects a computer’s performance but, crucially, “intercepts the user’s secure internet connections and scans the user’s web traffic to inject unauthorized advertisements into the user’s web browser without the user’s knowledge or consent”. He further alleges that the adware program “allows hackers … to collect … bank credentials, passwords and other highly sensitive information” including “confidential personal and financial information.”

Mr. Bennett advances the following claims against Lenovo on behalf of the proposed class: (1) breach of the implied condition of merchantability; (2) intrusion upon seclusion; (3) breach of provincial privacy legislation; and, (4) breach of contract. Mr. Bennett initially pled negligence as well but subsequently withdrew that claim.

In February 2017, Lenovo brought a motion to strike the Statement of Claim on the basis that it was plain and obvious the four claims could not succeed. The motion was heard by Justice Edward Belobaba who struck only one of the four claims.

The Decision

(1)  Breach of the implied condition of merchantability

Mr. Bennett alleges that the security risks and performance problems caused by the adware program render the computer “not of merchantable quality” or, simply, defective. The legal context for this claim is that consumer protection legislation establishes “implied conditions of fitness for purpose and merchantability” that cannot be modified or varied.[1] The question thus is what constitutes “merchantable”?

Lenovo argued that under Canadian law a product with multiple uses, such as Mr. Bennett’s computer (word processing, storing data, accessing the internet, etc.) is “merchantable” if it can be reasonably used, even with the alleged defect (i.e. the adware program), for at least one of the purposes, such as off-line word processing. Mr. Bennett argued in retort that the various purposes listed by Lenovo are not “multiple purposes” but illustrations of the laptop’s over-riding single purpose: to engage in electronic communications that are expected to remain private.

Justice Belobaba refused to strike this claim on the basis that the law on implied condition of merchantability in respect of computers is still unsettled. His Honour stated:

It is enough for me to find that it is not at all plain and obvious under Canadian law that a laptop that cannot be used on-line because of a hidden defect that has compromised the user’s privacy, and can only be used off-line for word processing, is nonetheless merchantable. As Professor Fridman notes, “If the test for unmerchantability [is] that the article is fit for no use, few goods would be unmerchantable because use can always be found for goods at a price.” Further, it is not plain and obvious that a reasonable computer user today would ever agree to purchase and use an affected laptop, knowing about the security risks created by the VD adware program, without insisting on a substantial reduction in the purchase price.

 (2)  Intrusion upon seclusion

Intrusion upon seclusion was recognized by the Court of Appeal as a new privacy tort in Jones v. Tsige. Intrusion upon seclusion is established when: (i) the defendant’s conduct is intentional or reckless; (ii) the defendant has invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (iii) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. Proof of actual loss is not required.

Mr. Bennett claims that the mere act of implanting the adware program onto his laptop without his prior knowledge and consent was an intrusion on his privacy. The adware program allows private information to be sent to unknown servers, thereby compromising the security of a user’s personal information. The vulnerabilities in security facilitate a hacker’s ability to intercept a user’s internet collection and access private data such as passwords.

Justice Belobaba found that the first two elements of the tort had been properly pled and were viable on the facts as stated in the Statement of Claim. The third element of distress was not pled but was reasonably inferred in the circumstances. His Honour held that the tort of intrusion upon seclusion is still evolving and its scope and content have not yet been fully determined. He also refused to strike this claim.

(3)  Provincial privacy laws

Mr. Bennett advances a claim of breach of privacy laws in British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador. Lenovo argued that there is no pleading of actual violation of privacy and no allegation that any confidential information was actually hacked and appropriated. Accordingly, argued Lenovo, these statutory claims were certain to fail.

Justice Belobaba rejected Lenovo’s argument on the basis that unauthorized access to private information is itself a concern, even without proof of actual removal or theft of information. Each of the four provincial statutes declares in essence that the unlawful violation of another’s privacy is an actionable tort, without proof of loss.

His Honour stated that the scope and content of the provincial privacy laws in question is still evolving. He refused to strike this claim as well.

(4) Breach of contract

The only claim struck by Justice Belobaba was the claim for breach of contract. Mr. Bennett pleads the existence of an implied term in the sales agreement that the Lenovo laptops would be free of any defects and at the very least would not have pre-installed software that exposed class members to significant security risks.

Justice Belobaba stated that the case law is clear that a term will not be implied if it is inconsistent or otherwise conflicts with an express provision in the agreement. In this case, the sales agreement that was viewable on-line when Mr. Bennett purchased his laptop on Lenovo’s website and “clicked” his acceptance, made clear in Article 5.2 that the installed software was being sold “without warranties or conditions of any kind.”

Conclusion

It has been reported that a partial settlement may have been reached with Superfish, in a U.S. class action against both defendants. The settlement reportedly includes Superfish’s cooperation with the plaintiffs by disclosing over 2.8 million additional files and providing Superfish witnesses for a potential trial.

The Canadian proposed class action is very much in its infancy. It remains to be seen how the class action will evolve in Canada.

[1]       Sections 9(2) and (3) of the Consumer Protection Act stipulate that the implied conditions and warranties applicable to goods sold under the Sale of Goods Act are also applicable to goods sold under a consumer agreement (in this case, the Lenovo sales agreement). These implied conditions and warranties cannot be varied or waived.