In the security world there is a concept called “Defense in Depth” that refers to setting up layers of defense so that if an attacker bypasses one layer there are other layers they must contend with. In physical security this might take the form of a lock on the outside door of an office building, a security guard inside the foyer who identifies a visitor, access to different floors in the building protected by keycards in the elevator, additional locked rooms or safes on a particular floor for particularly sensitive property, and security guards patrolling the building and reviewing security camera footage. In the digital world this might take the form of firewalls, network segmentation, multi-factor authentication, event log monitoring, and malware scanners.

A similar approach, which I’ll call “Privacy in Depth” applies the same principles to privacy. When you have an attacker who is attempting to violate your privacy, you can assume that at some point they may be able to bypass one layer of defense, and if they do, you want to have additional layers available to protect your personal data. Protecting our customers’ privacy is a core tenet in our Social Purpose and in this post I will describe the layers of privacy defenses we have built into the Librem 14, Librem Mini, Librem 5 and Librem 5 USA product lines.

Privacy and Security

As I go into our different defenses, something that you might notice is that there is a lot of overlap between defenses that help protect your security and your privacy. Yet there is a distinct difference as well. Privacy defenses help protect you from attacks that attempt to access your personal data without your consent. Security defenses help protect you from attempts to steal or harm your property (including data).

It may seem that security defenses encompass both privacy and security, but there are subtle differences and areas where the two diverge. You don’t always need to resort to security measures to protect privacy. To take an example from the physical world, most clothing serves a privacy function but not a security function. A bullet-proof vest, a helmet, or work gloves are examples of clothing that primarily serve a security function but not a privacy function. To take an example from the digital world, one can protect privacy simply by not collecting data to begin with, but to secure data you would likely resort to encryption or forms of access control.

Read the rest of the post here:

I love OpenSnitch. Super glad to see it mentioned. Would be great to see it get some of the Purism mobile interface love. Make it a little easier to manipulate on the L5.

Yeah I guess OpenSnitch could be a bit better from an adaptive front (in particular the pop-up windows) but I’ve been pleasantly surprised how well it does fit on the L5 screen considering the complexity of the UI.

This month’s Crypo-Gram came out today. (Every 15th of the month.)

It top posted, lasted articles at the top:

Schneier on Security

My favorites this month:

Tracking People via Bluetooth on Their Phones
Hertzbleed: A New Side-Channel Attack
Symbiote Backdoor in Linux
When Security Locks You Out of Everything

There is one more step below the Social Contract that you overlooked, and that is the creation of truly privacy-friendly hardware, software, and services actually being lawful. If we allow legislation like the EARN IT, Chat Control, and Online Safety Bill to become law, this may soon cease to be the case.

And to make matters worse, there is a terrible, deafening silence on this issue among the privacy community. I think we need to treat this like an emergency, talk about this non-stop, and seize every opportunity to spread awareness (even persistent nag bars in programs like LibreOffice shouldn’t be off-limits). But everyone keeps acting like everything is OK…

Would you kindly be the ones to shatter it at last? Please?

I don’t know why they used the word “friendly”. Privacy is more effective when it is rude.

Yes “privacy-rude” hardware should be the term!