Lenovo Firmware/Hardware Secure?

After typing this reply, I noticed that @Plum already covered what I am saying here using many fewer words. Hopefully, the following is not redundant and can instead serve to expand upon what @Plum has said.

Although Lenovo has historically been a trusted company for corporate and personal security alike, in the past decade its reputation has been sullied by a number of frankly unacceptable scandals. Among them is the fact that in 2015, some Lenovo computers came pre-installed with adware called Superfish, which “injects advertisements into users’ browsers and impersonates security certificates”, acting as a man in the middle. It was effectively malware. Even Lenovo eventually labelled it a “vulnerability” and provided instructions for how to uninstall it. This was not before it became the subject of a class-action lawsuit, however, whose initial settlement cost the company $1 million, then $3.5 million, then $7.3 million, but which was eventually finalized at $8.3 million with 32 states.

Later that same year, some Lenovo computers were discovered to be shipping with a “utility” called the Lenovo Service Engine, which leverages Microsoft Windows to update and reinstall both itself and software by Lenovo even when they are uninstalled, which has earned it the characterization of being a “rootkit” or “‘rootkit’-style covert installer”.

Incidentally, in 2013 (before all the above incidents), it was reported that Lenovo was banned from use in the spy agencies of multiple nation-states over concerns about the possibility of Chinese backdoors and malware being surreptitiously installed on Lenovo devices. This ban has existed since the 2000s and may have been introduced in 2005 by Five Eyes agencies. Shortly after, in 2006, the State Department of the United States followed suit. Whether any of this was actually based on any concrete evidence, and not just used as a proxy for political tensions between the countries, is unclear. Maybe Lenovo was unfairly distrusted for merely being a Chinese company; this news came only a month after the Snowden revelations, so this may have been part of an attempt at changing the subject. Whatever the case may have been, Lenovo devices were still distrusted and decommissioned from work in spy agencies, so take from that what you will.

Since then, other parts of the United States government also began blacklisting Lenovo:

Lenovo products have been banned, investigated or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018. (source)

Most of the United States government apparently does not trust Lenovo computers at all, though its reasons are unclear and its evidence for those reasons is lacking. The extent to which you trust the United States government (and consider the Chinese government a threat) may be what determines how much this will matter to you, though.

So, should you trust Lenovo products? That’s your call to make. I distrust the infrastructure, and personally extend that to the endpoint as well, so I do not trust Lenovo—or, put differently, I do not have faith that the company will unwaveringly protect my interests. But do I trust Lenovo significantly less than others? Honestly, not really, so I do not try to avoid Lenovo products like I would if I did.

Given what I liked about Lenovo products in the first place, however, I would probably not use one made after 2013 and so would have to buy a pre-owned computer. But that is not a security assessment so much as it is a personal preference for powerful and ruggedized business laptops that can be almost completely disassembled with only a few basic tools, something exceedingly rare in today’s consumer technologies.

Lastly, on data collection through firmware and hardware, I am unaware of any publicly documented evidence of that. At that level, however, you have far more notorious attack vectors to worry about, such as a malicious Intel Management Engine. Whatever threat something like a malicious Intel ME may pose to you is unlikely to be coming from Lenovo, unless you assume Lenovo to engage in mass supply-chain attacks at the behest of an entity like the Chinese government. Barring that, Lenovo’s culpability in any such potential threat is probably low to nonexistent, especially since that would otherwise expose Lenovo to much more than just another class-action lawsuit.

Regards,
John
