I would not want this.
There needs to be an On/Off checkbox in Settings.
On top of that, the Librem 5 will have physical switches for WiFi and the Lockdown Mode for GNSS.
When the AML is turned on in Settings + hardware switches are set to ON + emergency number is called THEN turn on the software buttons for Wifi and GNSS (if they are only disabled from Settings but not from the switch) and send the location.
This is a life saving feature, I would not want a phone without it.
haha. this is funny like the “trusting trust” whitepaper
Which emergency number? (there’s the mobile ‘standard’ number and then a different real emergency number in each country)
An added complication for your question is that some cellular modems have built-in GNSS that potentially operates independently of the dedicated GNSS. This may or may not work depending on how it is wired up.
In a closed-source phone, yes. It could easily be that if you enable this functionality, you are enabling additional tracking functionality that you wouldn’t like. In the Librem 5, not so much - and if you don’t like some aspect of the implementation, you can change it, or disable it
I didn’t find the specific answer to my question on that page but the FAQ contains
Who must configure AML (end-point, emergency numbers…) in the smartphones before the deployment in a country?
The configuration of how AML will be implemented in one country is done by discussions between emergency services in the country and the OS-provider. This includes the definition of the end-point for the country, the transmission (SMS or HTTPS) and the emergency numbers for which AML will be activated.
(my emphasis for the part that would in theory answer the question)
It’s the PDF called AML Country by Country in the Documentation section, just before the FAQ. I didn’t link to it directly.
It’s not just a list of numbers like on Wikipedia.
For each country where AML is implemented, it gives some details and it has a section called For which emergency numbers is AML activated?.
Edited the first post.
AML is required for smartphones sold in the European Union.
This has to be implemented in userspace, since the modem itself does not have access to either WiFi or GPS.
Implementation in userspace for a user-controlled device (this excludes iOS devices and unrooted android devices) implicates, that the user has full control whether or not the feature is active.
This means a userspace daemon has to be written to implement the feature and the user could decide if they want to run it.
(You are right on that of course - and the WiFi may in any case be hardware off.)
That is doubly complicated.
The documentation says use WiFi for positioning if that will be better than GPS.
However if the documentation also says send the location via HTTPS (looks like only Austria at the moment) then that could also require access to WiFi if and only if the cellular modem has no signal or is hardware off - and even where the cellular modem is working, if WiFi is available it may be appropriate to send the location via HTTPS via the WiFi.
Are there any buyers in Austria yet? That’s Austria, the place with the snow, not Australia, the place with the kangaroos.
That may be a confusing term. It has to be implemented by the software running on the phone, not by the cellular modem itself. Whether that’s kernel or userspace - or a combination of the two - is another question. For an open source phone, either way it is theoretically within the control of the owner of the phone.
That’s a pointless argument.
AML can only be originated via an emergency call and that can only happen if there is cell service available.
WiFi calling (which we very likely won’t see for the Librem) would be the singular exception, but implies that WiFi is on anyway.
Apart from that, HTTPS traffic is merely a (future-proof) alternative to SMS, the transmitted data will be the same, and again, controllable by the user.
Fair enough, more correctly it would have to run on the application processor which is fully controllable by the user (though kernel space would be far too difficult and pointless to implement and is not going to happen).
AML is a very useful feature, and if done correctly has no problematic impact on privacy.
If you originate an emergency call, you likely will prefer if emergency services can locate you, to help.
However in my experience mobile phones tend to prefer to send data via WiFi (as compared with via the cellular modem) so the HTTPS alternative may well go via WiFi if WiFi is hardware on and an accessible Wireless Access Point is available.
My point was not that “this can’t be done” but rather that there is lots to think about.
(Since a user may have global roaming enabled and be overseas, ideally the phone would understand the AML rules for all countries all of the time and select the appropriate rule based on where the phone is.)
Except that let’s say some country says “no AML, no mobile phone” and let’s say that AML is not working today on the Librem 5 then AML does have a problematic impact on privacy - because you are sacrificing privacy during the 99.9999% of the time that you are not calling emergency services for the perhaps once in a lifetime that you call emergency services.
Fortunately there’s no AML yet in my country, as far as I can tell, so that’s one obstacle that I don’t have to contend with.
(The original post suggests that it is only required in the EU from 2022 so perhaps Purism / someone has a bit of time to get this sorted out.)
Common phones (Android and iOS, and most others) use WiFi if available, since that’s usually the cheaper option and users tend to prefer it - that’s why they turn on WiFi and connect to a WiFi network.
Of course, if WiFi is available, and the emergency services as well as the phone support AML messages via HTTPS, it will be used.
Again, likely the same data will be sent, though HTTPS could be used to transfer more data more easily. This remains simply an implementation detail.
Of course any legislature can require you to have AML support and forbid the sale and or use of devices without it.
If AML was required for all sales, this is again a non-issue, since Purism could ship all phones with AML and the user could simply chose to disable it.
If AML was required for use of the device, you don’t have any choice anyway - either use it or break the law and deal with the (possible) consequences.
The mere existence of the AML feature remains a non-issue as long as the user is in control.
Also, AML remains a positive feature in any sense, since it could save your life at no cost monetarily or in a privacy sense.
If it is implemented in open source software and running on the application processor you can verify that it is only used when you initiate an emergency call, and even disable it at any point.
It would certainly be worse if the feature wasn’t at all available due to unfounded privacy concerns, since its absence cannot improve privacy beyond what is available, and could cause much worse help in case of an emergency.
I would much rather live in a country that enables its emergency services to have the possibility to gain useful location information, as long as it is the users choice, than in one where the only choice would be not to have it at all.
I had a really quick look at the Regulation mentioned above and it appears that it is demanding a “capability” i.e. “support” for AML, rather than use of same.
I couldn’t see whether it is retrospective but I would guess not i.e. if your current phone does not have the capability, you can continue to use that phone.
HTTPS is also a guarantee of either immediate delivery or immediate knowledge of failure. When things are going badly I have seen SMSs turn up many hours after being sent, which might not contribute much to an emergency situation.
(I don’t know whether these particular SMSs can be “expedited” within the cellular network. That might be a “nice to have” for those countries that implement AML but that is outside the scope of what the mobile phone can control.)
HTTPS is also secure (not subject to failures of confidentiality or integrity during transmission from original source to ultimate destination).
This is indeed a common problem, owing to the fact that SMS is delivered in signalling channels and deemed non-critical, which means in overload-scenarios they will basically be the last services to be delivered.
However, there are priority services, as used for emergency services, where SMS is delivered almost instantly and very reliably. Usually it will be delivered before a TLS handshake could be established.
the emergency operator is trained to ask for the location - but that sometimes backfires if the victim is incapacitated or if another person who is unfamiliar with the area is speaking. geo-location is a fallback.
I think AML is certainly a good feature to have. I would probably want to use it if I was making an emergency call.
Using Wi-Fi to determine location is potentially problematic, because that relies upon having a way of querying a regularly-updated dataset mapping Wi-FI SSIDs (or BSSIDS) to geographic locations.
I highly doubt that Purism has the resources to create a database of Wi-Fi network locations, so in practice Wi-Fi geolocation means querying someone else’s database through a web service API. The user’s location and IP address are inherently shared with the web service whenever it is queried.
If we’re using a geolocation web API, then someone probably has to pay for access to the API. Who pays, and how is it funded? Really you need per-device API keys, otherwise users could simply extract the API key from the software and use it for their own purposes, potentially creating high costs for whoever is being billed for usage under that key.
If a suitable Wi-Fi geolocation database, available under a Libre license, can be stored on the phone itself and queried locally, it will take up a lot of storage space. The Mylnikov Geo database is over 600MB, and it’s not even the largest one. Mozilla has a database that it chooses not to distribute, because, it says, doing so could be considered a privacy violation against operators of Wi-Fi networks.
On the other hand, I suppose the regulation C(2018)8383 linked in the edited original post doesn’t appear to specify in what way Wi-Fi should be used for determining location, so perhaps it could be as simple as allowing the user to program in a list of SSIDs which should be associated with specific location coordinates. Or, perhaps, the phone could build its own offline database of WiFi network locations in the locality as it is moved around. (Though, clearly users have the right to disable such data gathering, even if it is only held on the device.)
The regulation says that “Smartphone manufacturers face negligible costs as the solution is software driven,” but it seems to me that this statement can only reasonably be applied to the existing, big players in the market, who already have costly, privacy-violating infrastructure in place that can determine location for other purposes. For Purism, it is clearly going to be disproportionately costly to put in place something equivalent just to facilitate AML for emergency calls.
That is assuming that the Librem 5 isn’t exempt from the regulation on a technicality (e.g. perhaps only the radio modules are classified as radio equipment, and the entire device is simply a portable computer).
Alternatively, couldn’t the database of hotspots be stored on the receiving end and the phone just send the information of what’s around it?
Do you mean the AML standard should be amended so that the recipient of the location data should perform the database lookup/API call? Yes, that would be a good solution, if sufficient influence could be applied to get it implemented. (Mind you, SMS messages have limited length, so it might not be entirely practical.)
AML is a very benevolent specification.
It does not require handset providers to deliver very specific information, it only requires them to deliver the best location information available to the handset.
This is GNSS if it already has a fix, a WiFi location database if no GNSS coordinates are available, or a Cell-ID database.
If neither is available, a “null”-SMS should be sent to signal this to emergency-services.
This means, that the AML standard specifically gives the phone (and for a user-controlled phone therefore the user) full control over the procedure.
While privacy-friendly non-GNSS location services might be tricky for Purism, the user can be given a choice to use the freely-available location services of for example Mozilla for an emergency-only, if the user wishes not to transmit his location to said service providers in other situations.
All in all, this means, that this is a non-issue. AML is purely benevolent in any sense and can be implemented in full support of the specification without any privacy concerns.