CALEA proof/anonymous calling even possible?

Extremely newbie question here

From what I understand, every US carrier (obviously) is CALEA compliant

Also WiFi service providers, such as those with networks found in public spaces/shopping malls/offices etc are also required to be CALEA compliant

So basically no matter what, as soon as you connect to any network you’re capable of being tracked and logged

There are posts in this forum from people asking if they can use the Librem 5 with their Verizon account…I mean at that point if you’re using a major network they already have all your info as a monthly subscriber, so does the hardware of choice even matter at that point?

I mean if you were to ask Snowden, who has said he never uses smartphones for this reason, he’d tell you, as soon as you’re connected to a major network, carrier or WiFi, it’s over right? The NSA has tools we can only imagine, so they could probably circumvent every countermeasure Purism could possibly deploy once you’re connected to a network.

So other than low level hackers, which can be mostly protected against with mainstream hardware like an iPhone, I’ve read that even security researcher Kevin Mitnick uses an iPhone, what are you really even protecting against if it can all ultimately be circumvented by the state anyway?

Hi @Voyager,

Your question is valid, and worth asking. It is totally legitimate and even necessary to wonder if Purism is doing something useful, if it solves an actual problem, and is heading in the right direction. I can’t speak for others, but I can tell you what I expect from the Librem 5 :slight_smile:

Libre Software

Basically, I have been a Free Libre Open Source Software user for many years, mostly because I’m more comfortable with knowing/having the possibility to know/having a community of users who can check what the software on my machine does.

The state of mobile today

The Apple case

On the mobile phone side today, there is Apple with its iPhones, which has a reputation for security. But in the end, we simply don’t know what iOS does. In the article below, you can find a discussion between FBI agents about the San Bernardino shooting case, in which Tim Cook stood publicly against the unlocking of the iPhone.

Among other texts:

And what makes me really angry about that Apple thing? The fact that Tim Cook plays such the privacy advocate. Yeah jerky, your entire OS is designed to track me without me even knowing it.

This does not prove anything of course. We still have hints at Apple’s mindset: it has been compliant with China’s censorship rules. I do believe that Apple is not that committed to privacy, but it’s well engineered marketing.

With closed source, you simply cannot know.

The Google case

On the other hand, you have Android, made by Google. The open source part of Android is getting thinner and thinner every day, and Google ships most of the new features in the closed source Google Play Services. It has long been known to spy on its users, even tracking their location while the setting of location tracking was disabled.

The news is plethoric about what Google collects. Even a mainstream TV channel in the US lately showed how much data an Android phone on Airplane mode all day and with no SIM card can collect and report to the mothership as soon as it is connected to a Wi-Fi network. They did this by performing a MitM on an AP they set up.

Plus, they are working on Fuchsia, another OS we don’t know many things about yet. Android Google Edition is pure spyware, while Android AOSP (somewhat “Google-free”) does not seem to be the good solution in the long run.

The web

Finally, there are all the trackers on the web. There have been numerous scandals about third-party JavaScript on some sites that records your every move and every keystroke, including your passwords. These were put there intentionally by the first-party company. Officially those are for analytics (e.g. how long you’ve stayed on a web page), or in order to offer better support. Of course, technically this has been a disaster: sometimes the whole session logged is sent over an unencrypted stream, sometimes the passwords are not erased before being shown on the dashboard of that third-party solution…

Facebook also has all these “Like” or “Share” buttons everywhere on the web. Yes, those track you too. Every time you go somewhere and see that button, Facebook knows you have been there. Browser fingerprinting, among other techniques, allows them to track you specifically, even if you logged out, even if you’re in private mode. They also build a “shadow profile”: some information you didn’t give them but they have gotten anyway (by reading all your friends’ contacts, as an example).

So… tinfoil hat?

Basic rule of security: you cannot be protected against everything. If you have a resource to protect, you can only raise the amount of effort it takes for an attacker to get what he wants.

Basic rule of security #2: if a government really wants to spy on you, they do have the resources necessary to do it, even on an Android AOSP up to date with no GCM installed.

What I’m protecting mostly against are companies. I don’t want to have to trust Apple. I want to know they are not tracking me. I don’t want to give all my data to Google. I don’t want Facebook to know anything about me. To put it simply: I don’t want any company to be able to massively gather data about people. The surveillance has to be hard and costly in order for it to be targeted.

Why though? After all I’m just an average Joe like any other. Let’s imagine for a minute my country turns into some sort of totalitarianism. And they want to eradicate people with some opinion. Do I really want a company to be able to give my whole browsing history, habits, location to anyone? Today I’m compliant with the idea the government has of what is acceptable, but who can guarantee that will last?

Purism

Purism is the only company I know that is already successfully selling products and has a credible project to change the game. Their commitment to FLOSS and privacy means a lot to me. We know we can’t trust our devices, so their kill switches are necessary to raise the bar in terms of the effort it takes to spy on you.

I want a mobile device with 100% free software running on it, and with the ability to shut the camera and microphone down. This does not exist today, and this is what Purism is offering to make. Kudos to them for that!

Before anyone points it out: I do know that some research has shown that it is possible to track a conversation with the accelerometers on the device. But let’s not get our hands down: every improvement any company can make is welcome! Maybe we’ll have killswitches for the accelerometers on Librem 5v2 :wink:

5 Likes

How do you get around government spying on telecom systems? Presumably, you’d need to use some sort of VoIP software with good end-to-end encryption (to avoid the contents being detected) and you’d want to combine that with Tor and most likely a decent VPN as well (to interfere with them determining who you’re calling).

It’s basically the same procedure you’d use when you’re on any hostile network. If you’re really determined, you’d also need to get a fresh pre-paid SIM card for every call and randomise your IMEI every time you change it (which is not easy to do, and various governments have outlawed altering that particular number because they don’t like you evading their tentacles).

1 Like

There’s a difference between being capable of being watched and being watched. The people are asking whether they can be made aware that they are being watched. Which is a fair point.
There’s a law (in some countries) requiring a private person to put a label next to a CCTV camera saying that there’s a CCTV camera. But there’s no law (in any country) with the same requirement towards government bodies.

2 Likes

You did not clearly state which kind of protection you’re asking for.

Tracking by SIM / IMEI / phone number: Obviously, you cannot be signed in at a cell tower and yet insist nobody knows about it. Of course your provider knows that you are signed in. Otherwise you could not possibly make or receive calls. And of course the agencies have that information, too. The question is, is that information useful? If you manage to obtain a Librem 5 plus a SIM card without attaching your name to it, they just know that your SIM+IMEI is booked in, but not who you are. But still, they can read all your SMS text messages, listen to your phone calls and track your position with an accuracy of guesstimated 10…100m by triangulation from the cell towers you are booked in. That last part you can effectively avoid by switching the baseband chip off. That’s why you get a hardware switch for that.

Tracking by MAC address: The Librem 5 is designed so it can be used without a SIM card, which means you do all your communication via wifi. In that case, if you have a really high privacy need, you might want to change your MAC address from time to time after using public wifi. But make sure to clear your browser cache, too, else it’s worthless :wink:

Private conversations: You can use end-to-end encrypted messengers to exchange messages and make VoIP calls that can not be intercepted (given that there are no bugs and backdoors). Depending on the sophistication of the messenger, the NSA could easily / hardly / impossibly know whom you are talking to. (I think a messenger using something like Tor would qualify for “hardly”. Reaching “impossibly” might itself be almost impossible)

Tamper proof device: If you are following the announcements of Purism, you might be aware of their efforts to create laptops with a completely FLOSS bootchain (firmware, bios, TPM, heads…). For the Librem 5 they go in the same direction, but I’m not sure if there is / will be a TPM equivalent. Ultimately, all your end-to-end encryption is of course almost worthless if you cannot verify that the software is unmodified.

The NSA has lots of power, but it does not have super powers. You seem to have the impression that connecting to a cell tower basically gives them the ability to take over your device. While that is probably the case for most of the devices currently out there (including iPhones), there is no necessity for that. If the baseband chip is cleanly separated (=has no access to RAM, CPU and other devices), then the NSA can send every command they like to the chip, but it will have no effect. If, additionally, the baseband firmware is free and open, then YOU decide how to handle some of the funny commands they might send. Maybe you can send funny answers back, I don’t know. At the very least, the user can be informed about strange commands that come from the cell tower.

4 Likes