Thursday, November 23, 2017

Android has been a bit naughty with its location tracking

I was pointed to this article today:

https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

Basically it points out that Android has been tracking the location of phones for the past year or so, even when location tracking is disabled.  More specifically, it tells Google whenever you come in range of a cell tower.  Doing this for each cell tower a phone can hear provides a fairly good location, especially if you integrate it over time.
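To make the "integrate it over time" point concrete, here is a small added example (my own constructed code, not anything from the article or from Google): with a made-up tower database and a made-up hour of tower sightings, the centroid of the towers heard lands within 100 m of the phone's true position, even though no single sighting is closer than about 1.5 km. TOWERS, SIGHTINGS and TRUE_POSITION are all constructed values.

```python
"""Added illustration (not from the article): how much location leaks from
cell-tower sightings alone, and why accumulating them over time makes it worse."""
import math

# Constructed tower database: tower id -> (lat, lon) in decimal degrees.
# Ids and coordinates are made up; real crowd-sourced cell-ID maps hold millions.
TOWERS = {
    "tower-A": (-34.920, 138.590),
    "tower-B": (-34.935, 138.610),
    "tower-C": (-34.925, 138.615),
    "tower-D": (-34.938, 138.597),
}

# Constructed sighting log, as (minute, tower id) pairs: the kind of record a
# phone reporting "which towers can I hear" would produce over an hour.
SIGHTINGS = [(0, "tower-A"), (12, "tower-B"), (25, "tower-C"),
             (31, "tower-X"),  # unknown tower: carries no position information
             (47, "tower-D")]

# Constructed "true" position of the phone, used only to measure the error.
TRUE_POSITION = (-34.930, 138.6025)

def distance_km(p, q):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def estimate_position(tower_ids):
    """Centroid of the known towers heard; None if none of them are known."""
    points = [TOWERS[t] for t in tower_ids if t in TOWERS]
    if not points:
        return None
    return (sum(p[0] for p in points) / len(points),
            sum(p[1] for p in points) / len(points))

def error_over_time(sightings, true_position):
    """Estimation error in km after each sighting, using every sighting so far."""
    errors, heard = [], []
    for _minute, tower in sightings:
        heard.append(tower)
        est = estimate_position(heard)
        errors.append(distance_km(est, true_position) if est else None)
    return errors

if __name__ == "__main__":
    for (minute, tower), err in zip(SIGHTINGS, error_over_time(SIGHTINGS, TRUE_POSITION)):
        print(f"t={minute:2d}min heard {tower}: error {err:.2f} km")
```

Running it shows the error falling from roughly 1.6 km after the first sighting to under 0.1 km once all four known towers have been heard; a real reporter would also carry signal strength and timing, which only tighten the fix.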

The use of spyware in mobile devices is a topic we have talked about previously, both for people living in dangerous places, as well as for victims of domestic violence and other contexts where being able to locate someone further compounds their vulnerability and tips the power-imbalance in the favour of an abusive person, organisation or otherwise.

The really naughty part in this current situation is that this was happening even without a SIM card in the phone, and even when location services were disabled in Android: there was no way to know it was happening, and no way to disable it, even if you knew.  In fact, Google effectively acknowledged it was naughty by phasing it out more or less immediately once they had been called out on it.

This leads me to a topic that we have been quietly working on in the background for the past couple of years: how can we trust modern computers and communications devices, when they are so complex that it almost requires accidental discovery by dedicated researchers to find these significant privacy- and safety-damaging functions, which have been silently introduced to our devices -- often through software updates long after the initial purchase?

Our response to this is to explore the creation of "simply secure" communications devices, i.e., communications devices so simple, that their security can be quickly and confidently audited by a reasonably determined user, rather than requiring a team of researchers to explore.  Such devices should also make it much easier to be assured that the device cannot communicate with the outside world -- including getting a location fix -- when you don't want it to. 

Such devices are easy to make. After all, a brick is a secure communications device, in that there isn't really any way to subvert the function of a lump of burnt clay.  But it isn't useful.  This is the opposite extreme from current devices, which are almost omnipotent, but so easy to subvert.

The challenge is to design and create devices that sit on some sweet spot in the middle, where they are still simple enough to be confident in their correct function, yet not so simple as to be practically useless.

This is exactly the kind of device that we are currently designing, in the form of a specialised smart-phone, that will still be capable of secure email, telephone calls, SMS and so on, while being much more resistant to attack or subversion, due to its simplicity and transparent auditability.

For example, it will have physical switches to power off the cellular modem, and the cellular modem will be completely sandboxed from the rest of the phone -- including the GPS receiver, microphone and so on. Many of these modules will also be completely removable.

It will also allow full out-of-band memory inspection of the entire system, transparent to, and independent of, the processor, and provide a secure compartmentalised architecture that allows a paranoid process, for example an email decryption program, to be sure that even the hypervisor cannot interrupt it to exfiltrate private information.

We know that there are some other folks active in similar spaces, including the excellent folks at Purism. We love what they are doing, and see our thinking in this space as complementary.  The Purism laptops (and soon phone) use all open hardware, so that if you need a full-function computer, it is as trustworthy as possible.  What we are looking to do is a little different: we want to see how simple we can go, while preserving enough function to be useful. We are expecting the core operating system to fit in kilobytes of memory, not megabytes, and applications to be tens to hundreds of kilobytes, not megabytes.

There are lots of questions unanswered, not least whether the thing will actually be useful enough for anyone, but we are exploring, and all going well, hope to be able to produce a few prototype devices by the end of 2018.  We have also secured the necessary defence-related export clearance for such a device, precisely because its combined security measures place it at risk of tipping over into the category of dual-use equipment, so we have a green light there.

So my questions for all of you reading:

  1. Would any of you buy a "phone for the paranoid" along the lines of what I am describing?
  2. What are the absolute core functions that you would require, compared to the list below:
    • Make and receive telephone calls (en clair, and quite possibly end-to-end encrypted).
    • Send and receive SMS messages (en clair or encrypted).
    • Send and receive email, including GPG or similar encryption.
    • Very basic web browsing, using a purposely cut-down browser.
    • Ability to run 3rd-party apps in a sandbox environment.

19 comments:

  1. Nice idea!

    On other side, please consider:

    The time and power you put into such device development are too "weak" in comparison to the industry's possibilities. We (concerned developers/users) are too slow to be on the same technology level as industry. Each day dozens of new "useful" functions are invented and implemented in our devices, so there is no insurance that yesterday's technology will work tomorrow.

    IMHO, there should be other way to clean this mess...

    Best regards,
    Ivan

    Replies
    1. Hello Ivan,

      Yes, I quite agree that the limited resources we can bring to bear are too small to keep up with commercial industry, which does create the risk you talk about. Nonetheless, we will try.

      Paul.

    2. My English is too weak to translate it, but still, I wanted to say: "Dem Wahnsinn der Kühnen verkünden wir Ruhm!" (this is the nearest translation from Russian, by meaning, to the original)
      I like your optimistic vision, keep it up! Wish you good luck!!!

    3. Thanks :) If it is easier for you to talk in German, that is no problem for me.

      For those following along in English, the phrase translates roughly as "To the insanity of the brave, we proclaim them fame"

    4. Unfortunately, I don't speak German (well, Google Translate not counted)

      I've used German because the given phrase is "checked for quality by time" - A. von Krusenstjerna did all the hard work already. I can't do it better, so that is the language choice :)

  2. The idea sounds great. Yes, I would buy a phone like the one you dream about. And I would describe most of the functions from your list as essential core functions. SMS: is that something people still use?

    But to be able to communicate securely with my friends, it needs the ease of use of an iPhone and the modern design of a Samsung S8 (or similar). Otherwise I couldn't communicate securely with the people I want to communicate with. As much as I wish, I don't think you can pull that off.

    So how about instead focusing on secure communications for existing hardware?

    Christian

    Replies
    1. Thanks for your reply. The trouble with trying to secure existing hardware is that it just isn't possible to do with any confidence, because the attack surfaces are too large. I agree that, in the first instance at least, making something that is super user-friendly will be hard to do. Although, by keeping the functionality very narrow, it is at least attainable with sufficient effort. But our intention is really to make functional hardware and software in the first instance to prove the concept. It will all be open-source, so refinement can occur after that. At least that's our thinking at this stage.

  3. Paul,

    An excellent post that, once again, shows we can never rest in terms of protecting our privacy. In terms of developing this, I would be inclined to go for the most basic device and 'ride the next wave' which is a decentralised AR ecosystem e.g. this link - https://www.lucyd.co/

    We'd love to have the security of your system integrated into such glasses for our mobility use by our 'ZipQuad ATV Oilot' drivers.

    Regards
    Ed Bell-King

    Replies
    1. Always happy to talk. You have my contact details.

      Paul.

  4. In terms of isolatable hardware, yes. However, they are still offering what amounts to a full-function Android phone. I still can't imagine how I would verify the security of the software running on this device, and thus I couldn't fully trust it. It's that gap that I am trying to find ways to close. I know my solution will be imperfect nonetheless, but I think it is important to experiment in this space.

    Paul.

  5. I think this is a fascinating idea. Because it is simple, it will likely be quite energy efficient -- and because the design is necessarily modular, extremely extensible (e.g. a rugged low-power variant where you want very specific features at specific times). I would also prefer analog switches for such control between sensors because of immediacy and ease of use. I am also a fan of just simple indicator LEDs that indicate when parts of the hardware are active, like having the power to the camera or microphone go physically through an indicator LED.

    Got any hardware in mind?

    As far as features go, 3rd-party app support would probably be the most important, I would say, but I'm not sure how restrictive a sandbox, or whether the 3rd-party apps would be open to scrutiny as well. Is it bad that I would put "voice calls" at the bottom of this list of key features for a super-simple phone....

    Very cool!

    Replies
    1. Hello,

      Thanks for your thoughts. Yes, it will likely be quite energy efficient, although exactly how efficient we will have to wait and see. We will likely provide it with a much larger than normal battery, with a goal of 1/2 a week or longer battery life under typical usage. I agree regarding analog switches and simple indicator LEDs. This is exactly the design we are going for.

      As for the specific hardware, you will unfortunately need to wait a little while before we will be in a position to share that.

      We also agree that 3rd party app support is important. We have some good ideas on how to make very robust sandboxes. In part, this is enabled by only having one program running at a time. That way a naughty program simply can't access any privileged information from another process, because there aren't any.

      Paul.

  6. Dear Paul,

    In religious language, I say you are God-sent. The projects you are doing are real liberation and salvation for the privacy and safety of humanity.

    First start with those basic features and we will proceed from there. Everything must have a beginning.

    Since Snowden's revelations, very many people have been yearning and are still yearning for paranoid devices.

    Best,
    Tito.

  8. Dear friend Paul.

    Greetings from the city of Tacna, and I wanted to ask if you could detail the use of the Serval application, from the menu that appears in the application.

    And the details for the construction of the extenders.

    Greetings from the city of Tacna, Peru, Latin America

  9. I love this concept and that you are trying to bring it to reality. I have been looking for something similar that would work in an off-the-grid type situation, where communication needs to be open but the location of the device needs to remain private. You never know, right? lol

    It may sound a little old-fashioned, but what about the classic two-way push-to-talk function being put into the equation? It's just an idea, and I'm sure that you have already thought of this, but I thought I would throw it out there just in case you hadn't.

    Thank you for your continued efforts and for being open to suggestions and comments. I hope to see your vision come to fruition. I would be willing to invest in an invaluable piece of tech such as this.

  10. I realize it's not quite what you were thinking of, but it made me think of these LoRa Pagers: http://www.snaponair.com

  11. The idea is good. Hardware is getting cheaper too. A good example of this sort of philosophy is the Baofeng UV-3R. Cheap and simple. Another advantage is that simple things tend to break less often and are easier, as in less complicated, to use.
    The industry keeps inventing and adding new hardware and software, but simple phone calling does not improve a lot. I would like to buy a phone that I like and still be able to use in 20 years' time. Sounds like a joke, but then again: I have been using my wrist watch for the last 20 years and it still works as well as the day I bought it. I still like and use this old watch and it's not out of fashion to use this watch. It can compete with any new watch on the market.
