In Defense of Free Software: My Case Against Lenovo in Mexico

Photo: Pixabay. Used under CC0 license.

Keyboard. Image: Pixabay. Used under CC0 license.

This article gives the history of a purchase of a personal computer. In November 2014, I bought the Lenovo Yoga 2 for its operational functions, capacity and price. I intended to install GNU/Linux, a free and open source operating system which allows for users to run, study, redistribute and improve computer software so that the whole user community benefits.

That was how I discovered a hidden feature on my new computer called Secure Boot, which restricts users from installing operating systems that are not compatible with discrete factory settings. I was not informed of this feature at the time of purchase.

At first I tried to resolve the issue with the help of colleagues, but our various technical attempts were not successful. Then I chose to pursue the matter through legal channels with the support of Enjambre Digital (Digital Hive), an organization that advocates for Internet freedom in Mexico. After a series of meetings with Lenovo's attorneys and the Mexican Federal Attorney of Consumer Protection (aka PROFECO), a judge ruled that Lenovo had violated Mexico's Federal Consumer Protection Law.

A 2011 letter from the Free Software Foundation and signed by more than 48,000 people demonstrates the restrictive nature of Secure Boot. In the letter, FSF urged manufacturers to either “allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice.” In my case, and surely in others like it, it is evident that we have not yet arrived at the ideal proposed in FSF's letter.

On the other hand, my case proves that even though Lenovo admitted that the Secure Boot function sets a restriction, they failed to disable it during litigation. And the violation of Mexican law, declared by the authority responsible for the defense of consumer rights, has not been rectified.

The case

I bought a model Lenovo Yoga 2 laptop through Intelcompras, a Mexican distributor, and it was delivered on November 19, 2014.

When I tried to install the operating system of my choice, I found it wasn't possible because the computer had a Secure Boot loading option. This feature requires that any operating system installed on the computer must be authorized through digital signatures issued by Microsoft. I tried to disable Secure Boot since it prevented the installation of the operating system I wanted, but my attempts to deactivate the feature were unsuccessful.

I sought support from Enjambre Digital and Rancho Electrónico, a hackerspace in Mexico City.

I also attended Hackmitin, an annual hacker conference in Mexico. There, myself and several friends tried to fix the problem but we were not able to install the new operating system, thanks to Secure Boot.

The hackers confirmed that with Secure Boot activated it is impossible to install software without a Microsoft signature. Therefore, in order to install another operating system such as Debian GNU/Linux, it was necessary to either disable this loading option or obtain a version authorized by Microsoft.

My next step was to communicate with the supplier and request technical support. On November 26, 2014, I tweeted the following to the verified Lenovo Mexico account:

.@lenovoMX Why can't I deactivate Secure Boot? It's illegal. #UEFI https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot

They referred me to call a 1-800 number for support. I called and explained the problem, but they refused to help me. They claimed that they could not advise me how to disable Secure Boot because it was prohibited by company policy.

The legal solution

After exhausting the available technical alternatives and manufacturer support, on January 15, 2015 I finally decided to file a complaint with the the Federal Attorney of Consumer Protection (PROFECO), in which I presented my case.

In a settlement hearing on April 17, 2015, I explained the problem that I had with the computer to the supplier, the arbitrator from PROFECO and the attorney from Enjambre Digital. I asked Lenovo's attorney for information explaining how to disable Secure Boot. He replied that he wasn't familiar with the problem but would review it with the corresponding department to find a solution, and asked for the serial number and model. PROFECO scheduled a second hearing for June 10, 2015.

Lenovo's diagnosis

Ten days later, I received a phone call from Miguel Díaz, who identified himself as a “Customer Support Analyst” from Lenovo. He said it was very easy to disable Secure Boot and gave me several options that I could use which he forwarded to me via email:

Buenas tarde estimado Jacobo:
En acuerdo a nuestra llamada telefónica las opciones para la correcta instalación del su sistema operativo y configuración del “secure boot” son:
Ingresar el equipo a un centro de servicio autorizado por Lenovo, ahí realizarán la configuración correcta, además a manera de excepción instalarán el sistema operativo de su preferencia mismo que debe ser proporcionado por usted junto con la licencia del software.
Envío por esta vía de un paso a paso (manual) de como activa y desactivar el “secure boot”.
Quedo atento a sus comentarios.
Saludos
Nota: Una vez el centro de servicio haya realizado las pruebas suficientes de funcionamiento será entregado el equipo, incluso podría verificar le enseñaran como activar y desactivar la opción.

Good afternoon Jacobo:
As per our phone call the options for the correct installation of your operating system and configuration of Secure Boot are:
Send the computer to an authorized Lenovo service center where they will perform the right configuration. Also, as an exception, they will install the operating system of your choice, which should be provided by you along with the software license. I am including a step-by-step manual on how to activate and deactivate “Secure Boot.” Please contact me with further questions or comments.
Regards
Note: Once the service center has completed sufficient performance tests the computer will be delivered back, you can even verify they showed you how to activate and deactivate the option.

I asked him to send me the aforementioned manual so I could do it myself, but I was unable to deactivate it. So I decided to send the computer to an authorized Lenovo service center. They told me they would review it to make a diagnosis. The diagnosis concluded that it was impossible to install the operating system of my choice “due to the computer's factory settings.” The diagnosis was noted on the document that Lenovo's legal representative gave to PROFECO in the second conciliation meeting, which turned out to be fruitless.

Lenovo's legal representative stated:

Solicito se envíe el expediente al archivo general toda vez que mi representada ingresó el equipo materia de queja al centro de servicio y este fue revisado y no muestra algún problema en su funcionamiento solamente la limitante que el consumidor manifiesta y ya le fue notificado que eso se deriva de la fabricación del equipo y sus características aclarando que mi representada no omitió información en la venta toda vez que esta fue hecha por otro proveedor denominada Intelcompras.

I file the following request before the general archive as my client took the computer – which is the matter of complaint – to the service center, it was checked and showed no functional problem, only the limitation stated by the consumer, who was already notified that this is due to the manufacturer's settings and characteristics; thus we want to make clear that my client didn't omit the information at the time of sale, as it was sold by another provider named Intelcompras.

The attorney from Enjambre Digital and I decided to reject the proposed settlement because my problem from the beginning (disabling Secure Boot) was not resolved.

My complaint against Lenovo

Since the mediation was not successful, PROFECO formally initiated proceedings against Lenovo for legal violations, granting a it a term of ten working days to offer evidence and present their response in writing.

The attorney from Enjambre Digital and I delivered a letter in the following days in which we reiterated the points outlined in the complaint, and further noted that the the distributor, Intelcompras, was not responsible to advise its customers regarding Secure Boot, as Lenovo's legal representative argued, for two basic reasons: first, because Lenovo was the manufacturer of the computer and thus responsible for the intrinsic features of the product and for informing the consumer of said features; and second, that legally Lenovo cannot shift responsibility for said features to the seller/distributor, which in this case was Intelcompras.

With those facts submitted, the Federal Attorney of Consumer Protection (PROFECO) ruled that “Lenovo Mexico S. de R.L. de C.V. violated the provisions of Article 7 of the Federal Law of Consumer Protection, as was shown in the resolution.”

Article 7 of the Federal Law of Consumer Protection states that:

Todo proveedor está obligado a informar y respetar los precios, tarifas, garantías, cantidades, calidades, medidas, intereses, cargos, términos, plazos, fechas, modalidades, reservaciones y demás condiciones conforme a las cuales se hubiera ofrecido, obligado o convenido con el consumidor la entrega del bien o prestación del servicio, y bajo ninguna circunstancia serán negados estos bienes o servicios a persona alguna”.

Every supplier is obligated to inform and respect the prices, taxes, guarantees, quantities, qualities, measures, interests, fees, terms deadlines, dates, modalities, reservations and other conditions under which a product was offered, or a good or service was obligated or agreed to with the consumer, and under no circumstances will these goods or services be denied to anyone.

Looking ahead

Currently the Lenovo Yoga 2 model remains on the market with Secure Boot installed and without the option to disable it. The official documentation continues to fail to mention this feature.

Communities developing free software are seeking technical strategies so the operating systems they develop are authorized by Microsoft and work with Secure Boot. However, this should not be a one-sided issue as the conditions of the software with which computers function are also the decision of a third party, in addition to the manufacturer.

Faced with a violation of the law that has the potential to massively impact our rights, we are not expecting some minor actions to deal with the situation. Rather, we would like to see the company take an active role on the matter. Since PROFECO's financial penalty does not solve the problem of Lenovo omitting this key information about the purchase, together with Enjambre Digital we are considering other ways to ensure that PROFECO's ruling, which was qualified as serious, has tangible effects.

9 comments

  • […] by Jacobo NájeraTranslated by Erin Gallagher · · View original post [es] · comments (0) Donate · Share this: twitter facebook reddit […]

  • atrioom

    UEFI secure boot is worth an outrage. Remember when Microsoft had it’s lawsuit because of preinstalled IE on windows? I mean… this is a thousand times worse and there is zero help from the government.
    Thanks for being a hero man. I wish I’d hear more about UEFI triggering lawsuits.

  • moldor

    I’ve had absolutely zero issues disabling Secure Boot on my Lenovo T430S and running Debian. I’m guessing the implementation of the BIOS switch in the Yoga is broken.

    I have no issues per se with Secure Boot – if Microsoft want to use it as a tool to enforce their licencing, that’s fine. As long as I can turn the damn thing off.

    As for atrioom’s comments about IE pre-installed on Windows – well, that whole event was a complete and utter joke. You don’t like IE, install something else. It was that simple.

  • stephanwehner123

    What a waste of resources and time. “SecureBoot ” is secure in which way?

    • shadoweo

      Secure Boot was made to provide operating system manufacturers with pre-boot integrity checks. Under Secure Boot, your PC may refuse to boot if it’s infected with a bootkit/rootkit. i’d say that it helps avoid pre-boot malware.

      • Neel Gupta

        “your PC may refuse to boot if it’s infected with a bootkit/rootkit”
        “it helps avoid pre-boot malware”
        Your two statements contradict each other !
        Secureboot dosent help with anything, SecureBoot disables your computer if it detects some malicious activity.
        …so even a hacker could purposely disable your computer permanently, through SecureBoot !

        • shadoweo

          No, my comments are not contradictory. Secureboot disables the boot process if the chain of trust has been broken, this can only happen if there is an unsigned, or mis-signed component in that chain. Secure Boot does indeed help prevent pre-boot malware and may indeed cause the PC to refuse to boot. You need to do some more research on the subject before necrobumping a two month old thread. If anything, those two statements are supplementary.

          • Neel Gupta

            Either you don’t know the meaning of PREVENTtion,
            …or you are just trolling me :(

             
          • shadoweo

            You are misunderstanding the word HELPS. I do not state that it is the sole preventative measure. Nor am I trolling you. Secure Boot and it’s code signed chain of trust were perfectly good security measures to HELP PREVENT installation and execution of pre-boot malware such as EFI-based bootkits (since if the executable isn’t signed by a key the firmware knows, it fails to execute), at least up until MS’s recent blunder giving a way to bypass it completely.

            Either way, Secure Boot is meant to ensure the integrity of EFI firmware and drivers before the OS boots, and to ensure that your boot environment hasn’t been tampered. So no, I am most certainly not trolling you, I am stating real facts.

             

Join the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.