Ambivalence of Librem 5 being made in China

Being a privacy & security aware individual with no hardware / software background
I can’t help being struck by the contrast of interest between Purism’s goal of producing
“a security focused smart phone that does not track you” - and the hardware being developed and manufactured in China - representing the opposite goal, known for making and selling phones that track you & collect your information, providing computer
components with spy chips to major western firms.

Following a quick web search i bumped into a report which suggest that my concern
has roots in reality :

This Tech Would Have Spotted the Secret Chinese Chip in Seconds
University of Florida engineers use X-rays, optical imaging, and AI to spot spy chips in computer systems

https://spectrum.ieee.org/riskfactor/computing/hardware/this-tech-would-have-spotted-the-secret-chinese-chip-in-seconds

What has Purism done to deal with this threat - conflict of interests -
to actually deliver the secure & privacy smart phone as promised ?

Hi,
thank you for raising these not totally unfounded concerns. But I can assure to you that chances are very low that anything like this could happen to the Librem5 and here is why.

First of all please keep in mind that we are not using some kind of OEM design to base the Librem5 upon. The design of Librem5 is 100% exclusively done for Purism and we control and monitor every step in this design process. We review schematics and our hardware engineers regularly request changes to match the very specific needs of Purism and our goals of privacy and security.

Second before and during the design process we create the hardware requirements that go into the product and hardware design. Every component, every part and every chip is 100% known to us and if we figure that some choices would endanger our goals, we will change it to match our goals again. It is almost not possible for the Chinese contractors to slip anything into the design without us knowing (more see below).

Third we are very closely monitoring the production process, from golden samples of PCBs to prototypes and first products. We do not only do this from remote analyzing the final products handed to us but we have a contracted supply chain manager located in China regularly doing supplier audits and also members of our engineering team are personally present in China at all critical moments - including myself.

Fourth we control the supply chain, also for all parts going into the device. Critical components will be sourced from trustworthy partners and supplied to the factory by us.

Finally we will, before we ship the products, very thoroughly inspect random picked samples from the production to make sure that absolutely nothing was changed - this inspection will include X-rays at a partner company in California.

But this does not mean there is no risk at all. With a lot of criminal energy it might still be possible to slip in counterfeit parts into our design which could be hard to detect. But this is, let’s be reasonable here, very unlikely. For this e.g. it would need to exist a counterfeit and weakened i.MX8 CPU made somewhere, which is not impossible but highly unlikely. And if there would be such a thing you would not even be able to easily avoid or detect it when making the device anywhere else in the world. Another critical component is the cellular baseband momde which might be concerning and for that we will use a modem Made in Germany, put on a modem PCB in the USA and which will be implemented into the devices in the USA during final assembly.

So bottom line, I think, is - we do everything we possibly can to make sure that malicious parts or design changes can not be made without us recognizing and we think that the risk is as low as we can possibly make it, almost regardless of design/fabrication location.

Cheers
nicole

What about working in China all together ?
I guess one or several members of the team have some analysis kept up to date about the situation in China, declaration and policy put in place by the secretary of the communist party, that it comprehends also analysis of other experts around the world etc etc
So I guess you pretty well know the 2025 engagement of China and the ultimate goal of 2049. Also I’m sure that you are up to date about the consortium where huawei is the coordinator and the origin of its CEO.
And so in some way you will be part of this plan and maybe they could even inspire themselves from your design and different engineering choices. And so you could be one more pawn of this plan where you could maybe enforce the already more advanced technological situation of huawei and others.
Experts around the world are beginning to wake up about the situation and we already know that huawei is more advanced than Errikson and Nokia about the antennas or phone exchange node and that’s partly the reason where we are beginning to prohibit huawei 's hardware’s deployment in EU, USA, AU and JP.
So yeah the hardware’s compromising side is covered but what about the rest?

Would it not have been more safer and more cautious or ethical or smart to limit your assembly from China and move it elsewhere?

I’m very cool with that. Except maybe with possible conditions for the workers.
If authorities bother at all investing their billions on messing with a device where the first batch will be ~ 10000 devices, then I would be more worried about authorities in the US. Partially because I’m pretty sure almost all buyers are not located in China, partially because my mistrust against US authorities is more thoroughly backed with facts.

On the other hand, I think it’s pretty naive to think that any agency is limited by the borders of their homeland. If it was produced in Germany, I could still end up with a device tampered with by multiple differenent agencies (US/UK/DE/CZ).

What are actually the alternatives? I’m sure they explored them well and would have gone with a different option if it was realistically (e.g. without doubling the price) possible.

Also, please keep in mind that there will not be a product if you want to go from 99% purity to 99.999%. One has to make trade-offs and be realistic about it. for example, the modem contains closed software (but with no access to other hardware), because it is simply impossible/unrealistic at this point of time to have it otherwise. Also, a RISC-V chip would be cooler than ARM, but then there would be no phone this year (I assume).

So, the thing has to get started. And it will be the purest phone right from the start. But further iterations can become even purer, if we support them along the way

To be implicated in others projects, I would not take this hypothesis as granted. There are some other alternatives out there, about where to assembly. you could ask from parts from china and make the assembly elsewhere in another asian country with the same QC if not better even. Plus as you pointed out, some hardware come from EU or USA so for me that’s okey, I’m in complete confidence about that and I wasn’t speaking even about the opensource perspective and its ethic on this point of view. So you are mixing what I wanted to say partly with something else.

So I would like a note of the Team reassuring us that they keep a close monitor on those things and that maybe they think about moving their assembly line somewhere else in a near future. That would be considered as progress for me at least. And if it’s about the price of the assembly, be aware that china have raised their salaries so other countries around are less costly even and sometimes even more democratic.

To my knowledge, the final assembly of the laptops takes place in the US.
Dev-boards were also assembled in the US.
The former precisely for QC reasons, i believe. The latter more like an emergency plan.
But it seems likely that the phone can follow at some point.

I got the impression that the choice made many things simpler and possibly cheaper, because ways are short and finding partners that do exactly what is needed is easy. It is very helpful if the logistics for the (possibly half a dozen) involved companies are basically nothing you have to worry about, because they collaborate on a regular basis. It’s not just salaries. It’s logistics and finding a company that will do small runs for a reasonable price.

From https://puri.sm/posts/librem5-2018-09-hardware-report/

Shenzhen is where two-thirds of the current worldwide production of smartphones happens, where over a billion devices per year are produced. That’s where the optimized supply chain logistics have been developed over the past few decades, and that’s where the physical electronics engineering expertise is these days.

Like @Caliga alluded to in his post above, I think it should also be mentioned, that it is nearly impossible to do anything without using china for something. The phone could MAYBE be done completely in the US, for example, but would probably be four times as expensive, and possibly have some inferior components.

Such is the nature of manufacturing today. Europe might be a possible alternative but once again price would sky rocket.

Nicole has really put together a strong narrative and there’s little I can add except that while China has a poor reputation for its surveillance, I don’t believe there’s any viable country that wouldn’t require the exacting processes Purism has over their supply chain. From the 5 Eyes to the 14 Eyes, manufacturing in the West might be suspect as well. So just take a zero trust model and do your best.

A lot of this speculation and we’re caught in the middle of weird geo-political games and unprecedented domestic surveillance. I’m glad we opposed the Soviets only to surpass them at their own game. But that’s a different conversation for another time. And one I can’t claim to know more than what’s been released by Snowden and interpreted by the press.

I totally understand the predicament about the supply chain expertise and the electronics expertise. At least in manufacturing because to the last bit of knowledge here, Samsung has a nearly monopoly over memory and other component parts and Samsung is still corean so are their engineers at HQ. And we can say the same things about other electronic parts designed by japanese companies and Taiwanese companies.
And yes China is the world factory so, most of the suppliers are there.
Does that mean that we shouldn’t try ? I don’t think so. Other brands in electronics have succeeded over time to build elsewhere. Intel does it, amd does it, Samsung does it for some parts, some European phone have been made without the help of China either. So it’s feasible. And to my knowledge I didn’t speak about make the whole phone in EU or USA, but even if I did, at least for USA that doesn’t mean that the phone would be 4 times more. That’s an old myth because actually because the policy of Trump (which I’m not pro for him, more the opposite) we can see that you always find a way to afford to build things there without really raising the price. But we can talk about the studies who explained it in another thread if you want.
But I was speaking about other Asian countries around China which are totally equipped to build electronical parts even in Latin America like Costa Rica.
More that I wanted to point out, is that because of the communist strategy put in place by the Xi jinping and huawei we should be cautious and anticipate and start a process where we can cut loose of China in the manufacturing… that’s what I’m saying. And I’m not sure it’s on the way to start. And I can totally be empathetic about why as you demonstrated earlier, it’s convenient.

What I would like to see is a process where every 3-6 months the situation is re-evaluating and contact been made to other companies around the world to change the supply line. That’s all. If a possibility is seen in those analysis for whatever parts it is, I think it should be great to talke it.

And when corbeau is saying wierd geopolitical game, I disagree.
The situation is simple. China is still a dictatorship. Still a land when you have country-scale censorship, still a country where you can’t say something against the regime without being punished in some ways and it’s not on the verge to change since the last update of the communist party. A country where some people are disappearing because of their actions against the regime without a trace. A country where children are in the factory even if it’s against the law in that same country. A country which is not really afraid anymore to invade another one because it’s supposed to be part of their national territory in their history. Speak with a Taiwanese or a japanese about it, I’m sure you will be welcomed.
A country where the policy of being business is way more harsh than the US one actually, ask the dockers in Greece where China bought a port or in The whole African continent.
A country where now the president is in place for life.
It’s not like they would have a twisted discourse, their intentions are clear and are made public in every communist party convention. And the goal for China and the consortium around huawei are clear and made public also. It’s nothing more than a take-over.
So no, it’s not a wierd geopolitical game. It’s a reaction to a situation and to a clear declaration. Nothing more. And yes we have also economical interests in it but if it has to come to that point to change our way of thinking about manufacturing everything in China then why not.

I’m not here for propaganda. I’m actually tired of listing all those things which are facts, demonstrated and refreshed every years or 2 years at least by European investigation journalism or NGO’, because people tend to forget all that and to think that it is a standard country since we are making business with them. I didn’t say we should stop immediately, but I would like some reassuring word where there are actually someone in the company who does that kind of analysis and try to find solutions in the long term for those things or if there is not, then engage a process to make something about that.

If even to ask questions and ask if someone is working on this or if we can start a process to do this is too much then waouw … why are we even here then if not to try to improve our world… was it not our primary goal after all or what ? Make tools that are not controlled or submissive to someone else control than the owner and show to the world that you can do it and surely in an open source way even.

And if having no control over a company or product, like you have potentially for a US or EU or other nationalities, doesn’t bother you more than that, then really why are we even buying purism ? To be able to brag about it or what ? Because everyone here is so afraid of the big brother but did you have ever read or experienced about a conflict in China (company or individual)? You can always dream to have control over the situation without being a Chinese national with connections.

After that I said my part. I’m not here to convince but to ask questions and hopefully find answers.

If companies are not different from the countries they are based on, than:
1 - I won’t buy from US manufacturers because US gov. practice mass surveilance (NSA), it kills for oil (wars in middle east and Venezuela), it organizes coup d’etats (Honduras, Paraguay, etc.), it tortures and don’t respect the due process of law (Guantánamo), it…;
2 - I won’t buy from Latin American manufacturers, because their govs. act as occupation forces, removing worker’s rights, letting the expoliators destroy the nature (catastrophies like “Brumadinho”), destroying solidarity (removing social righs in benefit of banks), acting against human rights actvists, etc…;
3 - I won’t buy from EU countries, since they engage in similar practices of US;
4 - Same goes to China;
5 - And I won’t buy from anyone, because it’s very likely that every country engage on illicit and/or unethical actions.
But companies are not the countries they’re based on, individuals are not the countries they live on, not every individual share the same views of their current govts.
It’s easy to take one event and extrapolate and make everything look simple, but reality is complex.
Out of US came FSF and Purism, and certainly out of China there are companies, organizations and individuals with good practices and ethics.
Let’s stop prejudice.

I think luisfsr hit it on the head here. China has some issues, yes, but so does everywhere. Individuals and companies in any given country are not necessarily guilty of the sins of their home country. As long as Purism is instituting the safeties and checks that Nicole mentioned above, there isn’t really that greater a concern with safety in manufacturing there versus anywhere else. I mean certainly, the US government even has agendas similar to the Chinese communist party when it comes to surveillance.

As an American citizen, I would actually be more concerned about our government trying to pull that kind of shit to spy on us more than I would be concerned about the Chinese government. The Chinese government might target industry, but what cause would they have to try to use the Librem as a means of spying on Americans (or citizens of any other country that isn’t China) when so few of them are being made at this point?

I don’t really want to do any politics here but China’s “communism” is just like the one that was in USSR, there’s only the name as it’s a lot more of a cult of personality than anything else. BTW it’s as capitalist as the USA so they do have financial interest in selling people’s data.

In democracies, companies can be different from their countries. In dictatorships, companies may not be allowed to act or even think different from their country.

I’ll leave it open for you to decide whether or not the US is a democracy according to your definition, but I’d like to point out that there is a reason why Purism does have a warrant canary.

Can you explain with 1 sentence, what having a warrant canary
means to a would be Librem 5 user ?

Like a canary for coal mining, if it dies (is removed/not updated in the case of the online canary) that is your warning something is wrong.

If the US authorities force Purism to put a backdoor in the Librem (yes, they can),
and force them to not speak about it (yes they can),
then the Canary shall not be updated.
Well described on the linked pages.

Very good idea
As soon as we have a Chinese canary - we’re all set

The canary is not US bound. But China has no legal power over Purism, as they are based in CA.