@anon10067017 @Caliga I do not like the idea of accessible “Primary Kill Switches” and “Secondary Kill Switches / Internal DIP switches” under the cover. Yes, it may look like a good compromise, however it is a) opinionated b) not security/privacy based categorization.
Why it is opinionated and why I think this is wrong approach? Because I would prefer to have WiFi almost always on (so secondary kill switch on WiFi for me). In general, there is no proper poll on kill switch preferences so Purism should not just follow “the oblivious preference” because there is no such thing as “oblivious preference”. There may be “most popular one”, however, there is not yet.
It goes deeper, because Librem 5 is the only smartphone of its kind so there is no other device as alternative consumer choice. This is obviously bad for users. On the other hand, it could be profitable for Purism in future as well as it could be profitable for Purism competitors to create more devices with more kill-switch options. However, “I do not believe” that security features should be used for such profit games. See one pathetic example.
This leads to why it is not security/privacy based categorization. The reason why there are kill switches at all is that software can be hacked, backdoored, contain critical bugs and some people want to have strong assurance that it will not interfere with their physical world.
The best security/privacy solution is to have no software with sensors at all. As far as I know there is no risk analysis of sensors from Purism - so there should be one. For the time, I will argue that sound waves can in theory be used to extract both conversation content and location of a phone owner (with machine learning if you want). However, WiFi could extract just location. Sensors sensitive to sound waves are more privacy/security problem when they interfere with physical world than sensors sensitive to high frequency radio waves. So, gyroscope kill switch should be in the same category as microphone kill switch.
What is the best approach? All kill switches should be “Primary kill switches” and accessible. This is both non-opinionated and security/privacy-first approach. Just take that DIP switch with fancy sliders and place it on the back of the phone. There is like 90% of unused and useless area. And it would be cool to have ~10 fancy kill switches with cool icons with high readability on the back of the phone. Do not worry about usability of “too many choices” - people are used to 3x3 icon slider in Android phones.