Some discussions in IRC about hardware killswitches were interesting enough (thinking dobey and others!) to post an idea. I know crowdfunding does not equal open development, let’s put it as a naive submission hoping this part of the design has not yet been finalized.
The idea is to have hardware killswitches centralized on a dipswitch. And to shelter the control panel under a hatch, to prevent mishandling when in pocket.
Personal taste for the placement of this panel:
1. on the side, if the small bezel route is not taken
2. on the back, separated from battery compartment
3. on the back, integrated into battery compartment
I think such a contrast between an antique dipswitch and a beautiful phone design could make sense: people, when opening the hatch, would feel like accessing the very deep electrical internals of the phone, and get an awaited sentiment of being in control. One could check with a multimeter that his module is indeed off.
There are drawbacks: lengthening power lines to all those components adds both complexity in the PCB traces and impedance, which asks for bigger capacitors.
Time for a picture alas. We talk functionality here, you got to imagine the glitter
Not sure if the thick phone will please most users though.
Maybe a fully removable backplate with integrated sliding covers would suit better.
I use this Samsung one and it serves at the same time as a protective case.
I’m actually less of a fan of the centralized dipswitch with tiny switches and even smaller labels. But would instead propose small lock buttons near the peripheral, similar to the lock button on the iPod Nano.
The big advantage is that it is very obvious what each switch does. For instance when the user wants to use the USB port they would first look at the USB port itself. A small switch near the port (perhaps on the back) that flips to green or red would be very self-explanatory.
These switches can be built into the case so they don’t protrude too much and should be strong enough to prevent accidental flipping.
Disadvantage is the need for more space and perhaps a bit busy design.
Similar for the sliding camera cover: it is just so easy to understand how it works. I can imagine a dense dipswitch being very overwhelming for non-tech users or just inconvenient for people on the go.
I love the movie suspense central control panel aesthetic of the central panel (think Jurassic Park), but it seems a bit overkill(switch) and fiddly to operate!
I’m imagining suspenseful music playing as the hassled Librem user receives an incoming call and hurriedly attempts to open the dipswitch hatch to turn on the microphone.
They fumble with a stylus and drop it. The caller looks impatient and glances at his watch: it’s ten seconds before the hour! The user is resorting to the fingernail method. Oh no! They accidentally turned off the WiFi! An ominous red warning message flashes on the screen, producing a “dee dee dee dee dee” noise. “CONNECTION LOST! ATTEMPTING TRANSFER!” The music ramps up.
“Ding!” “CALL REROUTED TO 4G NETWORK.” Our user breathes a sigh of relief, visibly sweating from the stress. The caller glances back at his watch; four seconds to go. He rolls his eyes and continues to wait, unaware of the drama unfolding at the other end.
Finally, the Librem user manages to arrive at the correct configuration of switches. “MICROPHONE ACTIVATED!” states the unrealistically obvious green message filling the entire screen. The caller’s watch is now 1 second away from the hour. His finger hovers, ready to hang up. The music hits a crescendo, the user hits the call accept button…
“Ah. Hi! It’s Dave here from Your Best Accident Claims. Just calling to see if you’re eligible to claim compensation for a recent accident.”
The Librem user hangs up.
I think we need something a little more ergonomic and physically robust, but I agree that the switches should either be properly labelled so you can tell what they do, or placed near to the things they affect.
Just about the same time as @anon10067017 I wrote a similar suggestion in the gyroscope thread. As there seems to be some consensus that this might work (security-wise/technically, ergonomically, aesthetically), I couldn’t resist the urge to create a drawing
Camera is hidden by a slider as suggested by @uzanto
Slider optionally doubles as shutter-release button. Sliding itself might toggle camera power, implicitly notifying OS about camera status, launching camera app
Kill switches for Microphone, WiFi/BT, Baseband
sliders visually represent their state, as shown in @koenaad’s example above
(bonus points if the red/green tones are made from anodized aluminum)
Internal DIP switches for all the above (Cam, Mic, WiFi, BT, Baseband) plus all other sensors (GPS, Accelerometer, Gyroscope, Compass, Ambient Light, Proximity), really small DIPs
Why duplicate external switches? Because internal switches are never toggled by accident, if people want to turn them off for good. Also, by turning off BT internally, the external Wifi/BT switch becomes a WiFi switch.
Why additional switches? Because even the gyroscope could spy on you… (*) Or to save energy on unused sensors.
(*) which also means, as a sane default, a web browser should not give access to any sensor data.
Hm. I admit I did not think about the front camera…
Without changing the design, you still would have an internal switch for it. Also, the back-camera slider could cut the power for both cameras. Those two options might actually already please most people. Those with extraordinary privacy needs won’t take many selfies anyway, so they can turn it off for good. For most, it might be sufficient if it is only on when the back slider is open? (Just like Purism had originally planned it: a normal switch)
It should, however, be possible to have a slider below the surface glass for the front camera. It could be placed next to the WiFi slider and look just the same. In my concept I purposefully avoided sliders between surface and lens, because I think it’s really hard (but probably possible) to seal it against dust.
A completely different approach would be to have a swivel camera (maybe not motorized like the Oppo N3, that might be a bit too much)
But turning the camera to the inside would turn it off. Also, you only need one instead of two. And wherever it goes, the flashlight follows
But I’m indecisive about this…
@anon10067017 @Caliga I do not like the idea of accessible “Primary Kill Switches” and “Secondary Kill Switches / Internal DIP switches” under the cover. Yes, it may look like a good compromise, however it is a) opinionated b) not security/privacy based categorization.
Why it is opinionated and why I think this is wrong approach? Because I would prefer to have WiFi almost always on (so secondary kill switch on WiFi for me). In general, there is no proper poll on kill switch preferences so Purism should not just follow “the oblivious preference” because there is no such thing as “oblivious preference”. There may be “most popular one”, however, there is not yet.
It goes deeper, because Librem 5 is the only smartphone of its kind so there is no other device as alternative consumer choice. This is obviously bad for users. On the other hand, it could be profitable for Purism in future as well as it could be profitable for Purism competitors to create more devices with more kill-switch options. However, “I do not believe” that security features should be used for such profit games. See one pathetic example.
This leads to why it is not security/privacy based categorization. The reason why there are kill switches at all is that software can be hacked, backdoored, contain critical bugs and some people want to have strong assurance that it will not interfere with their physical world.
The best security/privacy solution is to have no software with sensors at all. As far as I know there is no risk analysis of sensors from Purism - so there should be one. For the time, I will argue that sound waves can in theory be used to extract both conversation content and location of a phone owner (with machine learning if you want). However, WiFi could extract just location. Sensors sensitive to sound waves are more privacy/security problem when they interfere with physical world than sensors sensitive to high frequency radio waves. So, gyroscope kill switch should be in the same category as microphone kill switch.
What is the best approach? All kill switches should be “Primary kill switches” and accessible. This is both non-opinionated and security/privacy-first approach. Just take that DIP switch with fancy sliders and place it on the back of the phone. There is like 90% of unused and useless area. And it would be cool to have ~10 fancy kill switches with cool icons with high readability on the back of the phone. Do not worry about usability of “too many choices” - people are used to 3x3 icon slider in Android phones.
my suggestion is surely opinionated, we’re on a forum after all
When you say 10 fancy kill switches on the back of the phone you mean right on top or under the cover?
If you meant on top, then we should not forget about balance. 10 very visible kill switches to me is overkill. It also might look too geeky, and thus it may look unappealing to people who are not that much into Linux or security, but would like to give it a shot. So we’re really limiting the market.
If you meant under the cover, then as others have said in this thread, it might be inconvenient in some cases. For example, you turned the microphone switch off and then the day after you receive an important call, maybe during a business meeting, and you pick up, you scream like crazy and can’t understand why the person on the other end is always repeating “hello!”, “hello!”, “hello!”. So you realize the issue, you open the cover and maybe you also have a case, possibly a case that is hard to remove and then you have to look for the right kill switch, turn it on, put back the case, the cover and call back the person that called you.
Finding the balance is really tricky and all we’re doing here is just trying to offer some ideas/help to the Purism team, in case they are looking for them. Maybe they already have decided on that and all this discussion is pointless.
I mean right on top, visible and accessible. People are used to 3x3 icons in Android quick access panel, people are used to 5x4 app icons in iPhone and Android, so for such a critical feature as kill switches on the back of the phone it would be usable enough (my thinking is security/privacy-first and not usability-first). And after all, this is not “ours grandmas phone”
If you meant on top, then we should not forget about balance.
My understanding of Purism is that this is not an Apple-like world. Apple decides for users many security and design decisions. Apple customers just want to delegate security/privacy responsibilities and customization options to Apple and its centralized and potentially corrupt decision makers. In short, it is all about who takes responsibility and then it is about convenience and usability and then it should be about marketing.
Purism offers kill switches so customers can be responsible for effective security/privacy decisions. Nice first and the most important principle so far.
Next, the best thing Purism can do is to make it very convenient to decide the state of each kill switch. As I mentioned, one central area for all kill switches would be acceptable. However, some frequently used could be on other places. Maybe I could argue against that - you can use software toggles for casual use just like on Android/iPhone devices and if you really want strong assurance, just check and change the one central area for all kill switches. Anyhow, to hide some kill switches under the cover is really bad usability, so this should be avoided. Moreover, hidden kill switches can be used to fool the user - an attacker can silently switch on all hidden kill switches and the victim will not know about it because it is too bothering to open the cover after every time you leave your phone out of sight. If one of the hidden kill switches is for gyro, the attacker can record many hours of your voice and use it with machine learning to extract information as was mentioned.
Next, Purism should think about marketing as you mentioned. Well, there are no worries, because Librem 5 first gen will not be a mass product. We pay high price for it because we have to pay for development of something new and for the very small production capacity compared to other companies in the business. All this is baked to the price and Purism does not need that collective financial support from our grandmas and teenagers who “do not care”.
It also might look too geeky, and thus it may look unappealing to people who are not that much into Linux or security, but would like to give it a shot. So we’re really limiting the market.
General people just “do not care”. They buy Apple because it is trendy and convenient and other companies such as Samsung, Xiaomi, Huawei, … LG compete for those people who do not care. If some people who do not care start to care, all the companies will create a phone with one or two kill switches and provide false assurance of security and privacy - one good example is this: http://www.businessinsider.com/lenovo-thinkshutter-laptops-webcam-covers-2018-1. The moment Purism will try to make a mass product for the general public, the moment it will fail.
Finding the balance is really tricky
I agree. So if the balance is tricky, Purism should not be balancing and instead it should stick to the core principles and use smart engineers to implement the phone based on the core principles and with the best possible usability - and “geeks” will buy it. Geek media will love it. Wannabe geeks will know about it. Success.
I agree. There is no good way to decide which ones should be secondary.
My first reaction to this is to disagree. It seems like the switches would get in the way when putting the phone down on a surface, and might get knocked easily. I also think it would draw too much attention. I don’t want an attention-grabbing phone!
But actually, switches can get knocked wherever they are positioned on the outside of the phone, so I think my concern about back-of-phone placement is mostly aesthetic. But it doesn’t have to look awful if we have all the switches on the outside. It would look better if they were positioned down one side of the back rather than in the middle, for example, making them visually less prominent.
I think, then, my main concern is accidentally operating the switches. That could be mitigated against with good design of the switch mechanism. Maybe one (or a mixture) of the following techniques could be used:
Make the switches flush with the body of the phone, so that things can’t catch on them and change the switch state
Make the switch mechanisms stiff
Require a two-step motion in order to operate the switches.
For example, the user might need to squeeze the switch or pull it outwards in order to be able to operate it. (Some washing machines used to require the program dial to be pulled outwards in order to turn it, for example.)
Or have a slide-switch in a U-shaped slot with spring pressure holding it towards the top of the U shape, which has to be overcome in order to slide it to the other end. (Probably a bit expensive to develop!)
Or have a small secondary slide switch on top of a larger main slide switch, which locks its position.
Or a rotary switch with a small handle that normally lies flat but can be hinged up to allow the switch to turn.
Require the use of a tool to operate the switch e.g. a stylus/toothpick, a screwdriver, a coin (rotary switch)
Do the switching electronically (with no programmable hardware involved). Use momentary switches which only function when an ‘enable’ button is pressed. Show the kill switch state using a custom monochrome LCD or some LEDs which illuminate when the enable button is pressed. Take the risk of a switching semiconductor failing closed or leaking current when the kill switch was meant to be open. (Maybe derive the state indication from the switched output, not the control input, so that failure is at least evident.)
The main limitation is likely to be cost. Mechanical switches are costly. Unusual mechanical switches are costlier. Custom-designed mechanical switches are even more costly. I will not be surprised to see the number of switches kept to a minimum on cost grounds. If they are all the same, then I suppose you only need to design one switch and the rest are “free” from a development point of view. But you still have to pay someone to faff about with tiny switch components at the assembly stage, and pay for the holes to mount them in, and route PCB traces to them, and those costs add up per switch.
When in pocket and standing, the pressure on phone edges and near that area is greater than the pressure on the center of the back of the phone. So I think center of the back is much better location to place switches. They should be vertically and horizontally aligned to the center because this is the location with the lowest pressure from clothes material. When sitting, the pressure from thigh can be eliminated by placing the switches deep inside the surface, like 1 - 2 millimeters deep.
As you mentioned, while putting phone to the pocket or out of pocket there is some risk of knocking/switching by fingers or clothes. This can be fixed by left-to-right instead of up-to-down switches (phone is usually in portrait orientation in pockets).