This article gives the history of a purchase of a personal computer. In November 2014, I bought the Lenovo Yoga 2 for its operational functions, capacity and price. I intended to install GNU/Linux, a free and open source operating system which allows for users to run, study, redistribute and improve computer software so that the whole user community benefits.
That was how I discovered a hidden feature on my new computer called Secure Boot, which restricts users from installing operating systems that are not compatible with discrete factory settings. I was not informed of this feature at the time of purchase.
At first I tried to resolve the issue with the help of colleagues, but our various technical attempts were not successful. Then I chose to pursue the matter through legal channels with the support of Enjambre Digital (Digital Hive), an organization that advocates for Internet freedom in Mexico. After a series of meetings with Lenovo's attorneys and the Mexican Federal Attorney of Consumer Protection (aka PROFECO), a judge ruled that Lenovo had violated Mexico's Federal Consumer Protection Law.
A 2011 letter from the Free Software Foundation and signed by more than 48,000 people demonstrates the restrictive nature of Secure Boot. In the letter, FSF urged manufacturers to either “allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice.” In my case, and surely in others like it, it is evident that we have not yet arrived at the ideal proposed in FSF's letter.
On the other hand, my case proves that even though Lenovo admitted that the Secure Boot function sets a restriction, they failed to disable it during litigation. And the violation of Mexican law, declared by the authority responsible for the defense of consumer rights, has not been rectified.
I bought a model Lenovo Yoga 2 laptop through Intelcompras, a Mexican distributor, and it was delivered on November 19, 2014.
When I tried to install the operating system of my choice, I found it wasn't possible because the computer had a Secure Boot loading option. This feature requires that any operating system installed on the computer must be authorized through digital signatures issued by Microsoft. I tried to disable Secure Boot since it prevented the installation of the operating system I wanted, but my attempts to deactivate the feature were unsuccessful.
I also attended Hackmitin, an annual hacker conference in Mexico. There, myself and several friends tried to fix the problem but we were not able to install the new operating system, thanks to Secure Boot.
The hackers confirmed that with Secure Boot activated it is impossible to install software without a Microsoft signature. Therefore, in order to install another operating system such as Debian GNU/Linux, it was necessary to either disable this loading option or obtain a version authorized by Microsoft.
My next step was to communicate with the supplier and request technical support. On November 26, 2014, I tweeted the following to the verified Lenovo Mexico account:
— Jacobo Nájera (@jacobonajera) November 26, 2014
.@lenovoMX Why can't I deactivate Secure Boot? It's illegal. #UEFI https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
They referred me to call a 1-800 number for support. I called and explained the problem, but they refused to help me. They claimed that they could not advise me how to disable Secure Boot because it was prohibited by company policy.
The legal solution
After exhausting the available technical alternatives and manufacturer support, on January 15, 2015 I finally decided to file a complaint with the the Federal Attorney of Consumer Protection (PROFECO), in which I presented my case.
In a settlement hearing on April 17, 2015, I explained the problem that I had with the computer to the supplier, the arbitrator from PROFECO and the attorney from Enjambre Digital. I asked Lenovo's attorney for information explaining how to disable Secure Boot. He replied that he wasn't familiar with the problem but would review it with the corresponding department to find a solution, and asked for the serial number and model. PROFECO scheduled a second hearing for June 10, 2015.
Ten days later, I received a phone call from Miguel Díaz, who identified himself as a “Customer Support Analyst” from Lenovo. He said it was very easy to disable Secure Boot and gave me several options that I could use which he forwarded to me via email:
Buenas tarde estimado Jacobo:
En acuerdo a nuestra llamada telefónica las opciones para la correcta instalación del su sistema operativo y configuración del “secure boot” son:
Ingresar el equipo a un centro de servicio autorizado por Lenovo, ahí realizarán la configuración correcta, además a manera de excepción instalarán el sistema operativo de su preferencia mismo que debe ser proporcionado por usted junto con la licencia del software.
Envío por esta vía de un paso a paso (manual) de como activa y desactivar el “secure boot”.
Quedo atento a sus comentarios.
Nota: Una vez el centro de servicio haya realizado las pruebas suficientes de funcionamiento será entregado el equipo, incluso podría verificar le enseñaran como activar y desactivar la opción.
Good afternoon Jacobo:
As per our phone call the options for the correct installation of your operating system and configuration of Secure Boot are:
Send the computer to an authorized Lenovo service center where they will perform the right configuration. Also, as an exception, they will install the operating system of your choice, which should be provided by you along with the software license. I am including a step-by-step manual on how to activate and deactivate “Secure Boot.” Please contact me with further questions or comments.
Note: Once the service center has completed sufficient performance tests the computer will be delivered back, you can even verify they showed you how to activate and deactivate the option.
I asked him to send me the aforementioned manual so I could do it myself, but I was unable to deactivate it. So I decided to send the computer to an authorized Lenovo service center. They told me they would review it to make a diagnosis. The diagnosis concluded that it was impossible to install the operating system of my choice “due to the computer's factory settings.” The diagnosis was noted on the document that Lenovo's legal representative gave to PROFECO in the second conciliation meeting, which turned out to be fruitless.
Lenovo's legal representative stated:
Solicito se envíe el expediente al archivo general toda vez que mi representada ingresó el equipo materia de queja al centro de servicio y este fue revisado y no muestra algún problema en su funcionamiento solamente la limitante que el consumidor manifiesta y ya le fue notificado que eso se deriva de la fabricación del equipo y sus características aclarando que mi representada no omitió información en la venta toda vez que esta fue hecha por otro proveedor denominada Intelcompras.
I file the following request before the general archive as my client took the computer – which is the matter of complaint – to the service center, it was checked and showed no functional problem, only the limitation stated by the consumer, who was already notified that this is due to the manufacturer's settings and characteristics; thus we want to make clear that my client didn't omit the information at the time of sale, as it was sold by another provider named Intelcompras.
The attorney from Enjambre Digital and I decided to reject the proposed settlement because my problem from the beginning (disabling Secure Boot) was not resolved.
My complaint against Lenovo
Since the mediation was not successful, PROFECO formally initiated proceedings against Lenovo for legal violations, granting a it a term of ten working days to offer evidence and present their response in writing.
The attorney from Enjambre Digital and I delivered a letter in the following days in which we reiterated the points outlined in the complaint, and further noted that the the distributor, Intelcompras, was not responsible to advise its customers regarding Secure Boot, as Lenovo's legal representative argued, for two basic reasons: first, because Lenovo was the manufacturer of the computer and thus responsible for the intrinsic features of the product and for informing the consumer of said features; and second, that legally Lenovo cannot shift responsibility for said features to the seller/distributor, which in this case was Intelcompras.
With those facts submitted, the Federal Attorney of Consumer Protection (PROFECO) ruled that “Lenovo Mexico S. de R.L. de C.V. violated the provisions of Article 7 of the Federal Law of Consumer Protection, as was shown in the resolution.”
Article 7 of the Federal Law of Consumer Protection states that:
Todo proveedor está obligado a informar y respetar los precios, tarifas, garantías, cantidades, calidades, medidas, intereses, cargos, términos, plazos, fechas, modalidades, reservaciones y demás condiciones conforme a las cuales se hubiera ofrecido, obligado o convenido con el consumidor la entrega del bien o prestación del servicio, y bajo ninguna circunstancia serán negados estos bienes o servicios a persona alguna”.
Every supplier is obligated to inform and respect the prices, taxes, guarantees, quantities, qualities, measures, interests, fees, terms deadlines, dates, modalities, reservations and other conditions under which a product was offered, or a good or service was obligated or agreed to with the consumer, and under no circumstances will these goods or services be denied to anyone.
Currently the Lenovo Yoga 2 model remains on the market with Secure Boot installed and without the option to disable it. The official documentation continues to fail to mention this feature.
Communities developing free software are seeking technical strategies so the operating systems they develop are authorized by Microsoft and work with Secure Boot. However, this should not be a one-sided issue as the conditions of the software with which computers function are also the decision of a third party, in addition to the manufacturer.
Faced with a violation of the law that has the potential to massively impact our rights, we are not expecting some minor actions to deal with the situation. Rather, we would like to see the company take an active role on the matter. Since PROFECO's financial penalty does not solve the problem of Lenovo omitting this key information about the purchase, together with Enjambre Digital we are considering other ways to ensure that PROFECO's ruling, which was qualified as serious, has tangible effects.