Lenovo continues to spy on Thinkpads

LENOVOLenovo is doing itself some serious damage in the corporate world with its insistence on spying on its customers.

One would think that a company being watched like a hawk to make sure that it did not spy on customers to sell secrets to the Chinese government would be super careful. However it seems that Lenovo is continuing to make software which accesses customer data.

First there was the Superfish scandal where they were found to be pre-loading ad software that was so poorly implemented that it left customers vulnerable to serious security flaws.

Then it was caught modifying the BIOS, to insure that, no matter what a customer did, its software got installed. In the end, Lenovo updated the BIOS not to muck around with the installed copy of Windows.

We had hoped Lenovo had learnt its lesson, after it said that the Lenovo Service Engine software does not come loaded on any Think-branded PCs.

But security expert Michael Horowitz wrote on ComputerWorld that he found some troubling info in the task scheduler database of two thinkpads.

He found there was an entry called  “Lenovo Customer Feedback Program 64”. It was running daily. According to the description in the task scheduler: “This task uploads Customer Feedback Program data to Lenovo”.

The program that runs daily is Lenovo.TVT.CustomerFeedback.Agent.exe and it resides in folder C:\Program Files (x86)\Lenovo\Customer Feedback Program.

Other files in this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.

Omniture is an online marketing and web analytics firm, and SiteCatalyst is a service application for client-side web analytics.

The Lenovo Experience Improvement system uninstalls itself after 90 days. The document mentions that it can also be manually uninstalled from the Control Panel “Programs and Features” where it is listed as “Lenovo Experience Improvement”.

Lenovo repeatedly mentions, in document HT102023, that the data it collects is not “personally identifiable information”. It also states that the only apps for which it collects data are its own. And, Lenovo.TVT.CustomerFeedback.Agent.exe gets a clean bill of health at Virus Total where it was first seen in May of 2014.