Euro Security Watch with Mathew J. Schwartz

Time to Ban the 'Bloatware' When Manufacturers Preload 'Free' Apps, Buyers Lose

What will it take to make hardware manufacturers ditch "bloatware"?

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

That's one of the more charitable names for the software that so many manufacturers - Apple and Google being notable exceptions - preinstall on the devices they sell. Such software includes screensavers, toolbars, utilities or even Superfish Visual Discovery. That's the adware that Lenovo, the world's biggest PC manufacturer, was preinstalling on many of its consumer laptops until earlier this month, when security experts - including the U.S. Computer Emergency Response Team - began warning that the software poses an information security risk to users (see Lenovo Hits 'Kill Switch' on Adware).

Manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system preinstalled. 

The practice of adding bloatware - a.k.a. junkware or trialware - to PCs is common, Microsoft says, warning that such software may "slow down your computer and junk up your Start screen or desktop." That's why Microsoft in 2012 began selling "Signature" Windows systems that come with a vanilla version of Windows, with no such bloatware or trialware preinstalled, for the added price of just $99.

And therein lies the bloatware flaw: Too often, such software isn't designed to make life easier for paying customers, but rather operates at their expense. Indeed, some users reported that it took them days to track down odd behavior on their PC to the Superfish software, which was relatively hidden on their device, and which can be difficult to fully eradicate (see Lenovo Slammed Over Superfish Adware).

As the Superfish saga has unfolded, with Lenovo apologizing and saying it "messed up," you might think the company would distance itself from bloatware and offer customers the choice of a "clean" install of Windows. "Manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system preinstalled," says Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, which is the association of European police agencies.

"Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device," he says.

Lenovo Promises Listening Sessions

But Lenovo's chief technology officer, Peter Hortensius, tells the The Wall Street Journal that "in general, we get pretty good feedback from users on what software we preinstall on computers."

Hortensius paints a picture of customers clamoring for more of these add-ons. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers," he says. "The outcome could be a clearer description of what software is on a user's machine, and why it's there."

Likewise, Lenovo spokeswoman Wendy Fung tells me Superfish was preinstalled "in our effort to enhance our user experience." But that's false logic. When Apple, for example, wants to improve its Mac OS X user-experience design, does it preinstall software that alters the images displayed in search results, even for supposedly secure HTTPS pages? That's what Superfish Visual Discovery was designed to do.

Fung also confirms that Lenovo received compensation from Superfish to preinstall its software, although it claims it wasn't a "financially significant" arrangement.

But following the bloatware money suggests a lot - including manufacturers taking advantage of consumers and small businesses who don't know better. One defense of PC manufacturers' bloatware practices could be that their profit margins are razor-thin, and that unless consumers want to pay more, they should expect to see privacy or even security tradeoffs. Consumers, however, aren't being clearly presented with that choice.

Can Bloatware Be Battled?

Unfortunately, it's not clear how we might rid the world of bloatware. In the U.S., the Federal Trade Commission could get involved and investigate bloatware-bundling practices, per its ability to police "unfair or deceptive acts." So far, one U.S. lawsuit has been filed that takes aim at Lenovo having preinstalled Superfish. In the United Kingdom, meanwhile, the Information Commissioner's Office, which enforces EU privacy protections, says it's planning to demand Superfish-related answers from Lenovo.

With luck, sharp questions from regulators and Lenovo's Superfish debacle will lead more manufacturers to rethink their business practices, and begin offering consumers a clean install. But too many will likely just default to offering the same old raw deal.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network