Over the past several months, Lenovo has gotten negative press multiple times for preinstalling dangerous bloatware on their laptops. First it was Superfish, the ad injecting bloatware that unintentionally created a major security risk in every laptop it was installed in. Lenovo's next embarrassment was when it was caught taking advantage of a feature of Windows 8 and 10 to preinstall undeletable bloatware in the computer's firmware. While it wasn't a serious security risk like Superfish, the bloatware did eat up valuable CPU cycles for no real benefit, and preventing a user from ever deleting it was a nasty move. However, only certain models were affected by the preinstalled bloatware. Lenovo's ThinkPad brand in particular was believed to be untouched by these debacles.
That may no longer be the case. Michael Horowitz of Computerworld, has uncovered some preinstalled software on ThinkPad laptops which may be cause for concern. In October of 2014 and June of this year, he purchased a refurbished T520 and T420 of the ThinkPad line, both with clean copies of Windows 7 installed. After checking the scheduled tasks, he discovered both laptops were running a program called Lenovo Customer Feedback Program 64, which was scheduled to run daily.
After searching online, Horowitz found a Lenovo support document which sheds some light on the matter. The "Customer Feedback" program is one of two programs used by Lenovo to contact servers and transmit usage data relating to Lenovo software. The document claims no personally identifiable information is transmitted. This software is installed on all ThinkPad, ThinkCentre and ThinkStation computers running Windows 7 or 8. The document was updated February 27 of this year, soon after Superfish made the headlines.
The support document also claims that users should already be aware of this behavior because it's described in the EULA, and it mentions the directory where users can find the EULA. The folder contains 39 files, and according to Horowitz, it is not obvious which one is the EULA. Lenovo's attempts to inform users about this preinstalled software are a failure.
Out of the 3 preinstalled programs Lenovo was caught installing recently, this is the least egregious, if the support document was completely accurate about the behavior of the software. It does not appear to introduce major security risks like Superfish, at least no one has discovered them yet. It also doesn't tenaciously stick around in the firmware, but is actually quite easy to remove once you know it's there.
The biggest issue is privacy, and that largely depends on what information is being transmitted to the servers. If Lenovo is being completely honest, and no personally identifiable information is being sent, it really isn't a huge issue. However some may not be quite so willing to trust Lenovo, after they insisted Superfish posed no security risk. The fact that Lenovo's reputation is already in tatters makes this a bigger issue than it otherwise would have been, and tarnishing the once respected ThinkPad name just makes this worse.