An Open Letter to Lenovo

Posted on August 25, 2015 by Jeff Hicks in Security with 0 Comments

DISCLAIMER: I belong to an advisory and social media group called Lenovo Insiders. The purpose of the group is to share our experiences with Lenovo products and help promote brand awareness. However, membership does not preclude me from speaking my mind and voicing my opinions, both positive and negative. All opinions in this article are mine and would be the same even if I wasn’t a part of the Lenovo Insiders group.

Lenovo Faces Diminished Credibility and Reputation

This year has not been especially kind to Lenovo from a public relations perspective. I had hoped that after the SuperFish fiasco, Lenovo would have learned a valuable lesson. I tried to get Lenovo’s attention with my article, “An IT Pro Perspective on Lenovo Superfish.”

Recently Lenovo has come under fire for another feature that’s centered on a BIOS feature called the Lenovo Service Engine. Once again, the perception of the end result, which is ultimately all that matters, is that Lenovo is at it again with more spyware, malware, and crapware. So, let me share my latest thoughts on all of this in the hopes that someone from Lenovo will at least take a few minutes to understand my position.

To frame my comments, it is important that you understand my audience. The people I write for, create video training, present at conferences and interact with on a daily basis are IT professionals. These are the men and women who keep Windows networks humming along. Very often these are the same people who might influence buying decisions for their organizations, friends, and family. Sadly, the Lenovo experience in 2015 is having a negative impact on this group.

This is unfortunate because I think the real problem you face is with your consumer products. I appreciate that Lenovo has gone on the record with explanations about Superfish and the Lenovo Service Engine. But, the IT community and media haven’t always picked up on these announcements. The bottom line is that some poor decisions regarding consumer products are tainting the entire brand, including ThinkPad, which was never involved in any of these messes. People don’t always separate a Lenovo Yoga Pro laptop from a ThinkPad T450s. All they see is “Lenovo.” I have heard from more than a few IT pros who are giving up on Lenovo products altogether or at least hesitating before making new purchases.

I have to believe, and I hope I don’t prove naïve, that the public relations disasters this year are merely the result of poor implementations of something that Lenovo felt was truly in the customer’s best interests. In other words, I think Lenovo meant well, but failed miserably with the final result. One of the reasons I believe this is the case is because it appears the majority of products involved were in Lenovo’s consumer line. I can imagine a product manager saying, “What can we do to solve this problem for the customer or provide a better ownership experience?” On the surface, the problem products seem like a good idea, but I think that is as far as anyone went.

Advice for Lenovo

I’m all for providing a positive experience for the customer, but someone needs to take ownership of the process and consider the bigger picture because one mistake can affect the entire company. Here are my suggestions.

Let’s say someone decides that Lenovo should implement a product or feature that we’ll call FooWonderful. The first question someone should ask is “Are any of our competitors using FooWonderful?” If they aren’t, don’t assume you win the first to market race. Maybe there’s a reason why nobody has implemented FooWonderful. This is when you have to involve engineers and security experts. At minimum I think you have to answer these questions:

  • What benefit does FooWonderful provide to the customer?
  • Can FooWonderful be seen as only benefiting Lenovo?
  • What is the downside if you do not include FooWonderful?
  • How transparent is FooWonderful to the user?
  • Can FooWonderful be completely uninstalled?
  • Does FooWonderful have any attack vectors?
  • What are the resource requirements for FooWonderful?
  • Is there anything in how FooWonderful works that could be construed as spyware or malware?

I hope you get the idea. Even if FooWonderful is intended for a consumer product, have it examined by an IT professional. Do they think it is a valuable addition or do they interpret it as spyware or malware? If IT pros think that Lenovo products are riddled with spyware, and some people share this belief, then the reputation of Lenovo’s brand will suffer greatly. It seems that I can’t mention something positive about a Lenovo product without someone mentioning this year’s problems.

But if Lenovo really wants to avoid problems altogether, then they need to stop shipping products with any additional software or features, with one exception. I have no problems with Lenovo including any utilities that aid in running the operating system on the hardware. I have no qualms about driver update programs or utilities to manage hardware-specific features, provided nothing is hidden from the user and that they can be completely removed. If Lenovo wants to add a link to point to other Lenovo products like ReachIt and ShareIt that the user can download and install, then that’s great, go right ahead. If Lenovo only shipped what’s required to maintain the operating system and hardware, then the company wouldn’t be facing the backlash that they are currently facing today. If Lenovo wants to truly make the customer’s life better, then don’t give them what they didn’t ask for, although they can certainly give them the option to add any recommendations. Frankly, if all hardware vendors did this, IT professionals would rejoice.

There is one last point I want to make. Should a similar problem arise in the future, I urge Lenovo to relentlessly own it. This means “coming clean” in a very timely manner and explaining everything involved in the process that led to the problem. What due diligence did you perform? What did you miss? How are your processes changing to correct the issue? What did you learn from the problem? You can’t simply publish an advisory and call it a day.

What’s Next, Lenovo?

So, Lenovo, what’s it going to be? Is someone going to get the message that poor decisions taint the entire brand? Is someone going to provide real, technical oversight to marketing decisions? I really hope so, because I’d hate to see people miss out on some amazing things from Lenovo like the ThinkPad Stack and the ThinkPad P series of laptops. I really hope we don’t have to have this conversation again.
