Steps toward a privacy-preserving phone


What kind of cell phone would emerge from a concerted effort to design privacy in from the beginning, using free software as much as possible? Some answers are provided by a crowdfunding campaign launched in August by Purism SPC, which has used two such campaigns successfully in the past to build a business around secure laptops. The Librem 5, with a five-inch screen and radio chip for communicating with cell phone companies, represents Purism's hope to bring the same privacy-enhancing vision to the mobile space, which is much more demanding in its threats, technology components, and user experience.

The abuse of mobile phone data has become a matter of worldwide concern. The capture and sale of personal data by apps is so notorious that it has been covered in USA Today; concerns over snooping contribute to the appeal of WhatsApp (which has topped 1.3 billion users) and other encrypted and privacy-conscious apps. But apps are only one attack vector. I got in touch with Todd Weaver, founder and CEO of Purism, to find out what the company is doing to plug the leaks in mobile devices.

Many free operating systems have been developed for mobile devices; the best-known is probably the Ubuntu phone, which never really got off the ground. A combined approach with both hardware and software to maximize security, however, is a new idea. Purism is built on a philosophy of protecting its users, and has registered as a social purpose corporation to emphasize its commitment to benefiting customers. Although less than three weeks are left in the Librem 5 campaign, Weaver is confident that it will reach its goal. The company also recently announced that it will port the KDE Plasma framework to the phone, in addition to its support for GTK+ and GNOME.

The design principles for the Librem 5 provide a valuable model for building privacy by design into devices. This article looks at the various levels of privacy protection, from bottom to top.

Hardware protections

Weaver explained to me that the radio components with which current phones communicate to the baseband provider (AT&T, for instance) share a chip with the phone's CPU. This gives complete access to everything the user does on the phone to the mobile provider—and to anyone else who gets access to its chip, whether government agents with warrants or malicious intruders.

We don't know whether baseband providers exploit the unprecedented access they have over users' private data, but Weaver plans on offering more peace of mind by separating the CPU running apps from the CPU that communicates with the baseband provider. Thus, the provider has no access to app data unless the data is transmitted unencrypted. Interestingly, this architectural choice hearkens back to early cell phones, which also ran the apps and baseband on separate CPUs.

Numerous reports describe malware that secretly records user activity from the device's camera or GPS. There is little one can do to protect against such attacks on current devices. Some laptops contain physical, hardware switches that allow the user to turn off WiFi, but they are becoming less common. And even the laptops that offer such switches do a halfhearted job of disabling the device, simply setting a standard software bit that disables the connection between the WiFi device and the PCI bus. A malicious app might be able to turn access back on. In fact, a simple software bug can leave the hardware capabilities vulnerable.

Purism plans to add three or four physical kill switches to the side of the Librem 5 phone. The architecture envisioned by Weaver is simple: the switches will cut power to the devices, making it look as if the devices don't exist at all. No software can turn the device on once the user sets the switch. The user can verify this because the device disappears from the output of commands such as lspci and lsusb. There will be one switch to turn off WiFi and Bluetooth, another for the radio to the baseband provider, and a third for the camera. The camera switch is particularly useful on a mobile device because few people want to put tape over their cameras on such devices. A possible fourth switch will turn off GPS.
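As an added example (not Purism's code), the following POSIX shell script makes the verification described above replayable: it diffs two bus snapshots to list which devices vanished after a switch was thrown, and classifies a radio from rfkill output so that the laptop-style "software bit" block can be told apart from a device that has simply disappeared. The lsusb and rfkill listings embedded here are constructed, and the bus_snapshot helper is for live use.

```shell
#!/bin/sh
# Added example, not Purism's code: check whether a radio has really vanished
# from the bus (consistent with its power being cut) or is merely soft-blocked
# by a software flag that a driver or app could flip back.
# Sample data below is constructed; on a live system feed in real output.

# Live helper: one sorted snapshot of everything visible on USB and PCI.
bus_snapshot() { { lsusb; lspci; } 2>/dev/null | sort; }

# Print each line present in the "before" snapshot but missing from "after".
vanished_devices() {
    before="$1"; after="$2"
    printf '%s\n' "$before" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$after" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Classify a radio type (e.g. "Wireless LAN") from "rfkill list" output:
#   absent      not enumerated at all
#   softblocked enumerated, disabled only by a software flag
#   hardblocked enumerated, disabled by a hardware line the driver still sees
#   active      enumerated and unblocked
radio_state() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $0 ~ (": " n "$")         { found = 1; next }
        found && /Soft blocked:/  { soft = $3; next }
        found && /Hard blocked:/  { hard = $3; exit }
        END {
            if (!found)             print "absent"
            else if (soft == "yes") print "softblocked"
            else if (hard == "yes") print "hardblocked"
            else                    print "active"
        }'
}

# Constructed lsusb snapshots before and after the WiFi and camera switches are thrown.
BEFORE='Bus 001 Device 002: ID 1111:0001 Example Corp. 802.11n Wireless Adapter
Bus 001 Device 003: ID 1111:0002 Example Corp. Integrated Camera
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
AFTER='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Constructed rfkill listing: WiFi only soft-blocked (laptop style), Bluetooth gone.
RFKILL='0: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
2: gps0: GPS
    Soft blocked: no
    Hard blocked: no'

echo "Vanished from the bus:"; vanished_devices "$BEFORE" "$AFTER"
for r in "Wireless LAN" Bluetooth GPS; do echo "$r: $(radio_state "$r" "$RFKILL")"; done
```

A radio reported as softblocked is the halfhearted laptop case: still on the bus, only a flag away from being re-enabled.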

Purism will offer a high-resolution photo of the Librem 5 motherboard, so that a user can compare it to the motherboard in their device and catch attacks where someone substitutes a different motherboard. Although the Librem 5 is not open hardware, Purism may open the schematics of older models at some point.

Trusted systems are a double-edged sword, widely distrusted in the free software community because of their potential for heavy-handed copyright restrictions and disabling access to software that the manufacturer wants to suppress for any reason. Yet free software advocates understand that in the right hands, trusted systems offer protection from malicious apps. A Trusted Platform Module (TPM) is not part of Purism's current initiative, but it plans to support TPM in the future, while putting control over keys in the hands of the user.

Software protections

Purism's operating system, called PureOS, will be based on the Debian distribution. Purism staff (which contains several Debian developers) will keep PureOS in sync with future releases of Debian. If the company makes any enhancements to the Linux kernel or the Debian distribution that would be of value to the community, Purism will contribute them back upstream. Except for WiFi and Bluetooth, which may require a binary driver for the form factor of the Librem 5 phone, Purism plans to use free software for all the devices on the phone. The company may also be able to reverse-engineer and free some drivers or firmware, as it did for its laptops.

Purism handles data security by making sure to store data in an encrypted format. For all communications, including phone calls, it provides the popular free Matrix software. Any two correspondents who use Matrix-based applications, such as the Riot chat tool, have strong privacy guarantees. These applications can recognize when you are communicating with a correspondent who doesn't use Matrix, and fall back on communicating in the clear. So you can still call a friend or company who doesn't have a secure client; you just don't get the protection of encryption. The Librem 5 could also potentially join a mesh network of secure devices that communicate without the need for centralized, proprietary network providers.

Although operating systems enforce isolation between processes, graphical user interfaces (GUIs) tend to be more lax, including that artifact of the permissive 1980s, the X Window System. One X client can easily view data passed to others. The free-software community, including GNOME and KDE, is therefore moving to a more secure display manager called Wayland, which is more careful to check which window is meant to receive input and to ensure that the input goes only to that window. Practically speaking, app isolation means that an exploit in an app cannot compromise other apps. Thanks to Wayland, isolation is the default on the Librem 5.

Business model

Although Purism uses crowdfunding campaigns for major new ventures such as the Librem 5, it has developed a robust business plan that supports the continued maintenance and development of software through the sales of its hardware along with some angel investment (often from its own customers). The company is three years old and gives back money to important middleware components like GNOME as well as to app developers for apps requested by users.

Purism will set up its own software store, offering free software apps that have been vetted to ensure they uphold the company's commitment to privacy. Other app developers can offer apps outside the store, and users will still benefit from app isolation and the other protections in the Librem 5. There is a precedent for a secure app store in CopperheadOS, but it is based on Android, which does not contain the same protections that Purism plans to build into the Librem 5.

I asked Weaver whether he is worried about government interference. He pointed out that competing forces pull both governments and corporations in different directions: while some actors want to snoop on the public, others recognize the need to protect their own communications and the value of being part of a community that protects its data. It's worth remembering the role the Navy played, for instance, in the development of the Tor onion routing network—the Navy didn't create Tor, as is sometimes claimed, but did offer funding. Weaver is already working with sympathetic government agencies that want his equipment. We can expect a secure phone to be greeted enthusiastically from many quarters.