Feature: Add Find My iPhone like service to Librem.one Isn’t this an inherent security flaw? In theory, you could always password lock this feature using OTP. This way Purism couldn’t lock or track your phone without your code.
When you re-find you phone you can generate a new code and disable the old one.
How? I’m not a developer, but I know that Prey is mostly open-source:
https:// github .com/prey
Their android client does have some non-free dependencies with some discussion to change this:
https:// github .com/prey/prey-android-client/issues/82#issuecomment-93989938
Technically it’s impossible, either the phone has the tracking beacons sent to the tracking service every
x seconds, or the service is completely disabled. Another mode is asking the server if tracking should
be enabled every x seconds, and in case the answer is yes start the tracking. But then it defeats the
whole purpose of real-time tracking, and will still make the vendor know your location
Mobile carriers know your location. But not Purism or your phone manufacturer.
And not when you are on Wi-Fi only.
A web-server on the phone to receive “start location services and report back” event? No need for
a web-server for that, only a web-client that polls the Purism server every x seconds as I said above.
The whole keys thing does not make any sense. If the data is sent to Purism (i.e. GPS) so they will
have inevitable access to this data. Same for authorities who can just then force Purism to turn this
event on in order to track a user.
You can make some web-interface where you will have get access to this data with 2FA, key or password,
but it doesn’t change the above.
Just like when you need iCloud password +2FA to access the “Find my iPhone” map, but it doesn’t mean
Apple doesn’t have access to it, hope I made it more clear.
Also, to buy a phone which is almost entirely marketed around the tracking-free experience, and
force tracking to it? Just get an Android with AOSP and it will probably serve your needs better.
Data can always be sent E2EE.
E2EE platforms are already fairly active thanks to communities like ProtonMail.
And a big part of the thought process is that the u never send the communication, Purism does.
In theory, this adds more anonymity since you don’t need to send signals, just receive them.
But if you are already using I2p or TOR there isn’t much of a reason for this.
To keep the device from keeping location data when user does want to you can always force it to receive a user-generated pin. Apple uses something similar called an APN.
I lost you. The data is sent encrypted, fine, who will be the recipient of the data?
And why to involve Purism in the process?
You create a system service that measures GPS coordinates, encrypts them and sends it to your server.
Not entirely user friendly but with some work can be improved. Fine.
You have a Purism service that sends them your GPS data, which you can access similarly to Prey,
Cerberus or Find my iPhone. But then it will require Purism to know this data, you cannot encrypt it since
then they cannot show it to you on the map, toggle it on/off etc. You can limit the access to this page with
10 passwords, 5 OTPs, a 2FA via sms and a GPG key. This still won’t prevent them from having the data.
The device doesn’t have to store anything in any case, with a pin or without. It’s enough to get the GPS reading
once and send it over to the network, without writing anything to the storage.
Wait, what? Push notifications are just one-way signaling method, to notify the OS that there is a pending
event for an app without actually awaking the app. How is it related to anything in this thread?
This is the only possible option. Since when you do it in the browser, it doesn’t matter which data you receive,
and how it is encrypted, you still need to send to the web app (with the map) the cleartext GPS coordinates. Because a browser cannot load the full world OpenStreetMap locally.
Your key enrollment suggestion still has many implementation flaws, and actually Purism is not needed for any
part of this “plugin”. You can host a web-service on a trusted platform, that will send the “on/off” switch
for each client device. Each client device can ask this web-service every 5 minutes what is the current action.
Off - keep sleeping for another 5 minutes, On - start sending GPS data to that web-service each 30 seconds.
Then you don’t need all those key enrollment parts since you sync the device with the trusted web service
once. All the data can be downloaded locally and you can parse it with the desktop OpenStreetMap client.
The web-service can actually be hosted on a VPS and serve hundreds of clients, the load for such thing is minimal. But Purism has a long to-do list and I doubt they will make this service even after the phone is released.
As this is unlikely to be a feature anytime soon, you could possibly craft a simple proof-of-concept.
Write a little shell script (to run in the background) that polls the GPS coordinates and sends an encrypted mail to yourself.
No map integration, but does not reveal you position to anybody and possibly good enough when you really need it
Automatic filtering is advised to keep your inbox tidy
Noting though that in some jurisdictions you could be forced to decrypt the emails and thereby provide information to the authorities regarding your movements. So that would be another reason to keep your inbox tidy. You probably also would want some restricted mechanism on the phone to disable sending of GPS information temporarily.
A different approach would be: use NFC and have the phone poll for proximity of an independent device and only send GPS info when proximity is not detected. So most of the time nothing would be transmitted but if you put your phone down and leave it behind then transmission commences.
I don’t really like any of these ideas. They don’t sit well with prioritising privacy.
I seriously don’t expect that I will ever be in the situation where govt would demand that.
If that would be my threat model, i would just stop monitoring the location and accept the chance that I lose it.
I survived the last ~20 years that I owned a phone that way, and never lost one
If you need an additional protection layer, you can still try with some obfuscation. A good start would be to not use “My phone’s location” as title
I’d would amuse me to send myself mails of the “helo, im Olga from Moscva, looking sirius men for marry” kind, and have a semi-plausible random location in the EXIF data, but then hide the real location data with steganography in the (obligatory) image itself. (Caution, if you do that last step wrong, e.g. by using the same image every time, you might shoot yourself in the foot very hard, at least if the agancy is worth their money and notices that not only the EXIF data is different… )
Unfortunately, nobody would ever appreciate the cleverness of this, so rather than implementing it, I’ll just leave it here
Admittedly though, an encrypted spam mail might raise some suspicion DISCLAIMER: This was purely for amusement. Don’t try this at home, kids and whistle blowers.
On your other remark: NFC is way to complicated. Just have a threshold of ~100m position delta before actually sending an update.
Never really worked with that. Depends a bit on the representation of the coords. I would assume it’s not more than 2x64 bit, and if you really try hard you could possibly make it less by reducing precision and encoding only a reasonable area around you.
It’s not 2 x something. You get latitude, longitude, altitude, speed and heading, and the last two are not simply derived from consecutive measurements, but calculated directly from doppler shift of sattelite signals. So at least 5x something (probably six, as speed in 3D has three numbers aswell) . How much you’d send home is of course different story.
In the context of this discussion (find my phone) you might do without that. When I wrote “GPS info” I did not make clear the scope of the question.
For clarity then … 59 bytes of values in EXIF for latitude, longitude and altitude … and I agreed with the suggestion that that can easily be crunched into 128 bits (if allowing centimetre precision, which is probably more than you would want or need). If attempting to use stego then every bit counts so you would likely want to do better than 128 bits.
If you already have Librem One and it includes a VPN tunnel, why to even go the EXIF/stego sado masochism
way? just set a non-default VPN route to your destination server via the VPN interface and as long as VPN
usage is not criminalized in your jurisdiction, you will be fine.