Lenovo collects utilization knowledge on ThinkPad, ThinkCentre and ThinkStation PCs


Lenovo appears to be testing the boundaries of belief.

First got here the Superfish scandal the place they had been discovered to be pre-loading advert software program that was so poorly applied that it left victims/prospects susceptible to severe safety flaws.

Then, Lenovo software program was found on a recent set up of the retail version of Home windows. Lenovo had been modifying the BIOS, to insure that, it doesn’t matter what a buyer did, their software program acquired put in. And, this was software program that each The Register and ExtremeTech known as “crapware”. That the software program (the Lenovo Service Engine) was buggy, simply made a nasty state of affairs worse. In the long run, Lenovo up to date the BIOS to not muck round with the put in copy of Home windows. 

Each instances concerned shopper machines. Of their assertion concerning the Lenovo Service Engine software program, the corporate famous that “The software program doesn’t come loaded on any Assume-branded PCs.” 

On a current version of the Safety Now podcast, Steve Gibson learn a observe from a listener saying that whereas Lenovo was corrupting their shopper PCs, they’ve stored their arms off the ThinkPad line. Each Gibson and the present host, Leo Laporte, proceeded to sing the praises of ThinkPads. 

However there’s extra to the story.

Again in October 2014, I bought a refurbished ThinkPad T520 laptop computer from IBM. In June of this yr, I bought a refurbished T420 ThinkPad, once more from IBM. Each shipped with recent copies of Home windows 7 Skilled.

Once I examined the duty scheduler database on these machines I discovered a troubling entry in every.

Due to the TaskSchedulerView program, that I wrote about final month, it is simple to see the scheduled duties in Home windows. TaskSchedulerView is free, transportable and comes from Nir Sofer, whom I think about a dependable supply. This system gives a easy spreadsheet like interface to the Process Scheduler database.

Lenovo scheduled task

The duty that gave me pause is known as “Lenovo Buyer Suggestions Program 64”. It was working day by day. In accordance with the outline within the process scheduler: “This process uploads Buyer Suggestions Program knowledge to Lenovo”.

I’ve setup my justifiable share of latest Lenovo machines and may’t recall ever being requested a few Buyer Suggestions program.

This system that runs day by day is Lenovo.TVT.CustomerFeedback.Agent.exe and it resides in folder C:Program Information (x86)LenovoCustomer Suggestions Program.

Different information on this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.

In accordance with Wikipedia, Omniture is a web based advertising and net analytics agency, and SiteCatalyst (since renamed) is their software program as a service software for client-side net analytics.

So, whereas there is probably not further advertisements on ThinkPads, there may be some monitoring and monitoring.

On the one hand that is stunning as a result of the machines had been refurbished and bought by IBM. Then again, contemplating Lenovo’s current historical past, it is not stunning in any respect.

Poking across the Lenovo listing, I discovered that folder

C:Program Information (x86)LenovoMetricCollectionSDKlicenses

contained RTF information in several languages. The English model is file ILAENG.rtf and it begins off with

Lenovo License Settlement
L505-0009-05 10/2013
This Lenovo License Settlement (the “Settlement”) applies to every Lenovo Software program Product that You purchase, whether or not it’s preinstalled on or included with a Lenovo {hardware} product, acquired individually … Lenovo will license the Software program Product to You provided that You settle for this Settlement. You comply with the phrases of this Settlement by clicking to simply accept it or by putting in, downloading, or utilizing the Software program Product.

Looks like it solely applies to Lenovo software program.

Later, the License Settlement says:

Lenovo will gather fundamental details about what functions, providers, and gives you select throughout system setup. With a view to make your expertise extra helpful and pleasing we can also gather info on how you employ Lenovo functions. For those who resolve at any time you need us to cease accumulating info on how you employ Lenovo functions, chances are you’ll open Settings and switch off Utilization statistics. These processes don’t contain the gathering of any personally identifiable info.

OK, so you may disable it in “Settings”. What settings? The place? It does not say.

No matter it was designed to do, it is not doing it any extra on my laptops. On every machine I used TaskSchedulerView to disable the duty and for good luck, I additionally renamed the  C:Program Information (x86)Lenovo  folder.

Then, turning to my favourite search engine, I discovered one other rationalization of this monitoring in Lenovo assist doc HT102023: Lenovo techniques might embody software program parts that talk with servers on the web – All ThinkCentre, All ThinkStation, All ThinkPad. 

Curiously, this doc was final up to date February 27, 2015, simply after the Superfish fiasco.

Lenovo says right here that every one ThinkPad, ThinkCentre and ThinkStation PCs, working Home windows 7 and eight.1, might add “non-personal and non-identifying details about Lenovo software program software utilization” to 112.2o7.web.

This performance is applied in two packages: Lenovo.TVT.CustomerFeedback.Agent.exe and LenovoExperienceImprovement.exe.

Right here too, Lenovo factors out that “The conduct is documented within the Finish Person License Settlement that all customers should learn and settle for previous to utilizing their Lenovo system for the primary time”.

Need to see that EULA now? The doc says that it may be discovered within the C:windowssystem32oobeinfo folder. The folder incorporates 39 information. Which is the EULA? It does not say. 

Apparently, the rationale I solely ran throughout one of many two phone-home EXEs is that the Lenovo Expertise Enchancment system un-installs itself after 90 days. The doc mentions that it may also be manually un-installed from the Management Panel “Packages and Options” the place it’s listed as “Lenovo Expertise Enchancment”.

Lenovo repeatedly mentions, in doc HT102023, that the info they gather shouldn’t be “personally identifiable info”. In addition they state that the one apps for which they gather knowledge are their very own. And, Lenovo.TVT.CustomerFeedback.Agent.exe will get a clear invoice of well being at Virus Complete the place it was first seen in Might of 2014. 

Lenovo customer feedback evaluated by VirusTotal

Had this been another PC vendor, this is likely to be a triviality. Actually Microsoft is doing far extra monitoring in Home windows 10.

However belief is the value Lenovo pays for his or her earlier conduct. These of that recall the corporate’s preliminary response to Superfish, dismissing it out of hand, have a tough time trusting them once more.

For those who use a Lenovo Home windows pc, do your self a favor and take a look at the duty scheduler database with TaskSchedulerView.

– – – – 

Replace October 20, 2015: For extra on this, and Lenovo’s response to it, see my subsequent weblog Trusting Lenovo. 

Copyright © 2015 IDG Communications, Inc.


Supply hyperlink