With the imminent arrival of the L5 and the question of a messaging app…
In Australia the government is hell bent on neutralising the effectiveness of encryption in messaging apps. To this end they passed legislation at the end of last year compelling companies and telcos to cooperate in some way if the government wants to get into messages, presumably emails and whatever else takes their fancy. It is not clear how they will gain access to end to end encrypted messages and the like. One possibility that was floated in the UK and that had caught the eye of our guardians in Oz is that of compelling companies to allow law enforcement to become a “ghost partner” in a chat group so they can monitor from within.
I departed WhatsApp some time back due to Facebook and went to the more secure (open source?) Signal. If I have to go to the Librem suite of apps which are closed source (? I’d stand corrected here) could Australian authorities compel Pure to put in a backdoor vulnerability via update (which is one of the methods being spoken of) or could/would they remain steadfast on their privacy ethos? Closed source apps may well have to do this in Oz soon.
I assume that Pure are a USA based company but I am not sure what that means with this stuff.
I’m interested to see what people think about this.
Everything being built/deployed on the Librem 5 (and Librem One) is open-source. If you built backdoors into closed source that is one thing. But if you built a back door into open source everyone could see it.
For email, I can encrypt an email to my contacts using their public key on my system (specifically using Thunderbird and Enigmail) before the emails leave my system. There is no opportunity for someone else to get an unencrypted copy of the email, assuming neither my system nor the recipient’s is compromised.
This is one reason the Librem 5, Librem One and other Purism products (as well as other open products) are so important.
Honestly, I don’t see how the Aussie government can force Purism to do anything here. They have no presence in the Land Down Under, nobody to arrest for ignoring their ridiculous laws by distributing software that isn’t malicious, and no real way of stopping you from getting and using a version which doesn’t have such a vulnerability.
Especially given that it’s all FOSS and that you can very easily either fork the code yourself or use a “fork” which isn’t broken by design (and in this case, the “fork” will actually be the main branch). The “ghost user” concept is especially amusing, given that anybody with a non-damaged version of the software will see this “ghost” and say something like “who invited them to the conversation?”.
I have yet to find the source to the Librem.One apps. If that source is “out there” it sure isn’t easy to find from their site.
Their site still isn’t very upfront about the heart-and-souls worth of work others put in to making the original apps either. I like a lot about Purism and I love the people there I’ve interacted with, but the whole Librem.One thing really made me sad.
I don’t think I’d ever use Librem.One myself – I’m just not the target audience I think, and that’s fine – but that whole rollout and continued existence of issues will certainly make me much more suspicious of any Puri.sm moves. Maybe that’s a good thing though, heheh. It’s all actually a big plan to help us, as we’d become too implicitly trusting of Puri.sm.
Thanks for that source link! Wish it was somewhere on the librem.one site. If a tech expert (if I might be presumptuous enough to declare myself that) like me found it rather difficult to locate…
For that matter, if you didn’t know anything about librem.one or purism before hitting the librem.one front page, you’d have almost zero hint that the source was available, even if you were a FOSS person. Pretty much a cold look at it would indicate a closed-source, privacy focused set of offerings – kind of like Apple proclaims to be.
The first offhand mention of open source, free software, foss, etc. I see is waaaaay down the page, pretty much the last section, when you hit the Technical Specifications part, and even then, no links, no mentions of Amarok, Tusky, PIA, Riot, etc. without even mentioning whatever they’re running on the backends. They do mention the open protocols they use, but lots of closed-source companies do that!
Anyway, sorry for ranting on about this. It has just been disappointing to me. I want so much from Puri.sm that I probably hold them to too high a standard.
Mutual Legal Assistance (MLA) - that’s right, the Australian government can’t in practice force a foreign company to do anything, but the Australian government can ask the government where that foreign company is domiciled to exert the necessary pressure.
Network harassment - the Australian government can obligate Australian ISPs and telcos to block or misdirect or corrupt all traffic relating to the foreign company until that foreign company’s products and services become unusable in Australia.
At the moment, I see the latter part as more likely than the former.
I’d assume that the laws in both countries would have to line up in order to use this mutual legal assistance, otherwise we’d have cases like Saudi Arabia demanding that all the heretics and female drivers (yes, I know that this is no longer a crime there) be punished, or Thailand demanding that anyone in the entire world who insults their king be locked away. While various agencies of the US government have been demanding encryption backdoors (or banning it outright), this has yet to happen. I imagine that there are still a few in the US government who would like to keep it that way and that they would proudly trumpet this as a defence of personal freedoms.
I also don’t expect that Australia will be able to bully the US into sending goons to Purism’s door either, as they are simply not big enough to do it (compare and contrast to the US walking over New Zealand and getting them to storm Kim Dotcom’s house with a small army for something that wasn’t illegal over there).
Network interference - yeah, I can see this happening. The problems with this are twofold: firstly is that they’d be trying to slay a hydra using a butter knife. ISP blocking has never worked that well. I’d also hope that the technical staff in your ISPs really do not care for censorship and will “accidentally” do the minimum required and no more.
Secondly is that despite the disturbing trends to the contrary, Australia is still supposedly a country which respects personal freedom, and whose government is still accountable to the people. Blocking a legitimate service from a company which has done no wrong and who tries to hold to principles which your part of the world (at least supposedly) values highly (various parts of the US constitution which guarantee free speech and suchlike) will not be looked upon kindly. I imagine that you’d be able to kick up a massive storm in the press if this happens.