In re Lenovo Adware Litig.

IN RE: LENOVO ADWARE LITIGATION,

This Document Relates to All Cases

Case No. 15-md-02624-RMW

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION

October 27, 2016

ORDER GRANTING IN PART MOTION TO DISMISS AND MOTION FOR CLASS CERTIFICATION

Re: Dkt. Nos. 98, 131

Plaintiffs bring this putative consumer class action against defendants Lenovo (United States), Inc. and Superfish, Inc. asserting claims under federal, California, and New York law. Plaintiffs allege that Superfish's VisualDiscovery software, which Lenovo installed on the laptops they purchased, created performance, privacy, and security issues. Lenovo moves to dismiss plaintiffs' claims for lack of standing and failure to state a claim. Dkt. No. 98. Plaintiffs move to certify three classes of purchasers: a nationwide class of direct purchasers, a nationwide class of indirect purchasers, and a California class of consumers who purchased laptops from third-party retailers. Dkt. No. 131.

Lenovo's motion to dismiss is granted with leave to amend as to plaintiffs' New York General Business Law claim, Electronic Communications Privacy Act claim, Consumer Protection Against Computer Spyware Act claim, California negligence claim, New Yorknegligence claim, and plaintiffs' claim for injunctive relief. Lenovo's motion to dismiss is denied as to all other claims. Plaintiffs' motion for certification of the indirect purchaser class and the California class is granted. Plaintiffs' motion for certification of the direct purchaser class is denied.

I. BACKGROUND

Lenovo Inc. is a Delaware corporation with its principal place of business in Morrisville, North Carolina. Dkt. No. 96, Compl. ¶ 18. Lenovo manufactures laptop computers, which it sells directly to consumers and indirectly through stores and online retailers. Id. ¶¶ 1, 121-24. Superfish Inc. is a Delaware corporation with its principal place of business in Palo Alto, California. Id. ¶ 19. Superfish develops adware programs—in particular, image-to-image search technology that enables consumers to search for items based on the appearance of the item, rather than on the text description. Id. ¶¶ 1, 34. Named plaintiffs are six consumers in different states who purchased Lenovo computers with Superfish's VisualDiscovery software preinstalled. Id. ¶¶ 10-17. Plaintiffs assert twelve causes of actions against Lenovo based on the following allegations.

Plaintiffs allege that Lenovo routinely accepts payments from software development companies like Superfish, which has a history of disseminating spyware and malware, to preload software onto Lenovo computers. Id. ¶¶ 37-38, 25-27. In early 2014, Superfish and Lenovo began discussing a partnership for the purpose of loading VisualDiscovery onto certain Lenovo computers. Id. ¶ 65. VisualDiscovery functions by "intercepting data sent between a computer user and a website, redirecting it for analysis to generate relevant advertisements, and then transmitting those advertisements back to the user's computer" where the advertisements are injected into the user's web browser as part of a webpage or in a pop-up ad. Id. ¶¶ 2, 40, 42. For example, if a user views the webpage for a stand mixer on a shopping website, VisualDiscovery presents the user with ads featuring similar stand mixer images found on other shopping websites. Id. ¶ 42.

VisualDiscovery employs a proxy component that handles web transmissions to and from a user's web browser, both encrypted and unencrypted. Id. ¶¶ 44, 45. When users seek encrypted HTTPS connections, the proxy acts as a "man-in-the-middle" proxy. Id. VisualDiscoveryterminates the direct connection between a user's computer and a secure website's server that otherwise would have been established by an HTTPS request and redirects the user's encrypted data to the VisualDiscovery proxy. Id. ¶ 46. The proxy decrypts the user's data and transmits certain data to Superfish servers to be analyzed for use in generating advertisements. Id. ¶¶ 42, 46. The proxy then re-encrypts the user's data before forwarding it to the originally requested website's server. Id. ¶ 46.

In order to decrypt the data sent by users' browsers, VisualDiscovery uses a tool called the "SSL hijacker," that was provided to Superfish by another software company, B.W. Komodia. Id. ¶¶ 55-57. The "SSL hijacker" allows VisualDiscovery to impersonate any SSL-enabled site, essentially "vouch[ing] for itself as a trusted root-certificate authority," and presenting Superfish's digital certificate as trusted. Id. ¶ 57. During the relevant time period, the private key for this tool—which enables decryption and the creation of an apparently trusted digital certificate—was protected only by a very weak password. Id. ¶¶ 50, 61.

While some Lenovo executives expressed concern about VisualDiscovery, Lenovo and Superfish finalized a profit sharing agreement in June 2014. Id. ¶¶ 2, 71, 72. Lenovo began shipping laptops with VisualDiscovery installed in August 2014. Id. ¶¶ 80-81, 84. Lenovo did not disclose to consumers that VisualDiscovery was installed on its computers, although other third-party software installed on the computers was listed on Lenovo's website. Id. ¶ 3. Plaintiffs allege that Lenovo and Superfish buried the software deep within the operating system "to avoid detection by anti-malware programs." Id. ¶¶ 3, 85-86. Users were presented with an option to "opt out" the first time they used a web browser on their new laptops, but opting out only disabled VisualDiscovery—it did not remove the software from the laptop. Id. ¶ 70.

Plaintiffs allege that VisualDiscovery had a negative impact on the Lenovo laptops. The program "increased CPU usage, which increased power consumption" and decreased both "the lifespan of the battery (number of times it could be recharged before being replaced) and the number of hours that the laptop could operate on a single charge." Id. ¶¶ 5, 59. These problems "were so severe that they violated the product specifications of certain Lenovo computer models." Id. ¶ 79. VisualDiscovery caused problems with internet connectivity and "subjected users tounwanted advertising and pop-ups that were difficult to remove and to stop." Id. ¶ 5. Plaintiffs also allege that VisualDiscovery made the Lenovo laptops vulnerable to third-party hackers and other malicious actors who could take advantage of Visual Discovery's ability to act as a certificate authority to conceal their own interception of Plaintiffs' and other Class members communications. Id. ¶ 60.

Lenovo began receiving consumer complaints about VisualDiscovery "almost immediately." Id. ¶ 90; see also id. ¶¶ 95, 97, 100-101, 113. In mid-September 2014, an IT manager at a major bank "complained that VisualDiscovery was interfering with encrypted sites and that it was intercepting secure communications by inserting a fake root certificate that effectively created a MitM attack." Id. ¶ 90. In response to the complaints, "Lenovo claims . . . that it instructed Superfish to disable the HTTPS functionality of VisualDiscovery at the server level and that Superfish did so." Id. ¶ 92. "According to Lenovo, Superfish then designed a new version of VisualDiscovery that would not operate on HTTPS sites and did not contain a self-signed root certificate." Id. ¶ 93. "This version started to be loaded onto Lenovo computers in November 2014." Id. Then, "[d]ue to ongoing consumer complaints," Lenovo "ordered Superfish to turn off the server connections in January and stopped installing the program on new computers at the same time." Id. ¶ 110.

On February 19, 2015, a computer researcher figured out the password for Superfish's certificate authority—"komodia"—and made it public, which increased the security vulnerability for computers with the original version of VisualDiscovery installed. Id. ¶¶ 62-64. Anyone with the password could extract the Superfish digital certificate and private key and then issue his or her own digital certificate, which in turn would allow access to whatever information a user happened to be transmitting. Id. ¶¶ 62-64. Lenovo then severed its relationship with Superfish entirely and provided an automated removal tool and free 6-month subscription to a security service to consumers. Id. ¶ 117. Plaintiffs allege however, that some consumers may not have been aware of these offers and that the removal tool leaves behind several VisualDiscovery files. Id. ¶¶ 118-20.

Plaintiffs assert twelve causes of action against Lenovo on behalf of the various classes:(1) violation of Computer Fraud and Abuse Act; (2) violation of the Electronic Communications Privacy Act;¹ (3) violation of the California's Unfair Competition Law; (4) violation of California's Consumer Legal Remedies Act; (5) violation of California's Computer Crime Law; (6) violation of California's Consumer Protection Against Computer Spyware Act; (7) violation of California's Invasion of Privacy Act; (8) negligence under California law; (9) trespass to chattels under California law; (10) violation of New York's Deceptive Acts & Practice; (11) negligence under New York law; and (12) trespass to chattels under New York law.

II. MOTION TO DISMISS FOR LACK OF ARTICLE III STANDING

"[T]he 'irreducible constitutional minimum' of standing consists of three elements." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as revised (May 24, 2016) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). "Plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Id. (citing Lujan, 504 U.S. at 560-561; Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180-181 (2000)). "To establish injury in fact, a plaintiff must show that he or she suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not...