Private Internet Access integration into Librem products


#1

I don’t get it. Will we be getting a free VPN service from PIA?

The post said:

PIA’s popular VPN platform will be fully integrated into Purism’s software and hardware

Does this mean we get the VPN without paying anything? Fully integrated can be taken from different angles. I did not see anything about it being free nor paid. And why have it preinstalled “out of the box”? Does this truly mean we get it free? Or do users have to uninstall this manually, like bloatware coming with the device?
Something here needs answers.

It also said at the bottom of the page: About Purism

Purism designs and assembles its hardware by carefully selecting internationally sourced components to be privacy-respecting and fully Free-Software-compliant

Then fully Free-Software-compliant. Means we get it freeee? hmm? Or are we talking about it being Free Software, as in, open source and privacy respecting…?


#2

Free as in freedom, not necessarily as in free beer.

Also, gratis (no cost) Software does not mean gratis hardware.


#3

This is what Todd Weaver said in “News & Events” yesterday: “Purism plans to include PIA-based VPN by default in the Librem 5 phone, as well as within PureOS for its Librem 13 and Librem 15 laptops. Purism will also collaborate with PIA on a future services bundle.”

It seems like we’ll get VPN with laptops and phone. It would not be “free” as in “gratis” since we paid for the phone already. To me it is included in the price. Or no? :confused:


#4

Not a fan of this at all. PIA is a US based service, so that’s an automatic no from me already. On top of this, it comes ‘integrated’ which I read as bloatware. I’ll have to go and look at PIA’s source code, I don’t know if there’s any telemetry in it. In short, I don’t want PIA on my phone or laptop.


#5

Hello,
Surely we need detailed explanations in order to avoid confusion. It would be necessary for the company to do it.
Regards


#6

Until then…

Any service has to get money regularly somehow, which if they value privacy, usually means getting paid directly by the customers. As far as I can see they don’t offer a free version of their service. The cost of the phone not only pays for the hardware but also the development. So to answer your question, I don’t think so. I would say at most, maybe a trial period.

Some web browsers receive financial benefit for including Google as the default search engine. Perhaps there is a financial benefit for Purism from the deal with PIA. That would benefit development and therefore the customers, even if they don’t use the service. Then again, I might be way off with that…

I believe the integration is intended to provide convenience, which is one of the things they stand for: privacy, security and freedom without sacrificing convenience. I don’t appreciate bloatware either, but I don’t see this as necessarily a bad thing.

For sure, I can understand that. It will be your device, so you can install/remove what you like. This is one of the reasons I think this phone will be great.


#7

Exactly. @Nami: What is free software?

I don’t want to scare you, but Purism hardware, software and services are too.
PIA might even become a (re-branded?) part of the ethical services bundle Purism is working on, for example mentioned at the end of Purism Origin Story.

  1. Did you check a single line of PureOS yet?
  2. Why would you trust Purism, but not PIA? What makes you think that Purism suddenly makes stupid choices? What makes you think they did not evaluate that choice well? What makes you think they didn’t do their research better than you did?
    If you just briefly check their website, you’ll notice that they sponsor the Free Software Foundation plus two dozen other like-minded organizations. Their beliefs seem to be exactly aligned with Purism.
  3. Do you even know for a fact that you would need to use the client software?
    It is also possible to just configure the network settings so the VPN is used.

The client software is mostly for convenience, but also for added security for people who don’t really understand how all this works and how to configure it safely. Because those are two of the main problems with security today. Make it easy and safe to use. You should reconsider it.

Finally, do you even understand just how useless it would be to collect telemetry data on the client side? If they want to do that, they can collect it at the exit node.
And no, you don’t avoid that problem by using TOR.
And no, you don’t avoid the NSA by using a non-US VPN service.

The things a VPN can do for you:

  • avoid geo-targeting
  • avoid censorship
  • prevent your ISP from collecting data about you
  • prevent an untrusted network (public wireless hotspot) from spying on you *
  • some degree of privacy
  • in the case of PIA additionally:
    • blocked trackers
    • blocked ads
    • blocked malware

The things a VPN (and TOR) can not really do for you:

  • avoid the NSA
  • avoid law enforcement / criminal prosecution
  • 100% anonymity

(*) By the way, mobile data (3G/4G/5G) is also insecure. In theory, it is safer than an unencrypted hotspot, because it is encrypted, but that encryption layer is weak/broken.
So, a VPN can protect you from attackers that read your mobile data, and even from attackers who created their own portable cell tower for $500, so you log in to theirs to be able to intercept your data.

So, the only ways using a VPN service can make you LESS safe are:

  • you act heedless, because you wrongly assume it makes you invincible
  • the NSA targets you, because you use a VPN and therefore must have a dark secret

While a canary surely would be nice, I can hardly see the benefit. The only thing PIA could collect about you is metadata, unless you are incautious enough to use unencrypted traffic (http) for your illegal activities. And that metadata is collected by the NSA anyway. So why would they bother and request it from PIA?
Also, the NSA probably read the PIA documentation, stating that they don’t keep any logs.

By the way, should Purism integrate PIA in their own service bundle, it might be covered by Purism’s own services canary.

Sure. But until then, please don’t assume the worst, based on lack of understanding.
The sane thing to assume is:

  • Purism does this because it perfectly fits their mission, not despite it
  • It will be pre-configured, but opt-in (YOU say, yes I want this)
  • You will get several months of free (as in beer) VPN service, IF YOU opt in.

“Several months” here would mean 3…12. In the original campaign of the Librem 5, one year of free VPN was stretch goal #3. We did not reach that, but as they now found a partner who will surely sponsor a few months in exchange for the promotion, I assume we will get at least some.


#8

I am very aware that Purism is based in the US, so is Mozilla and even though they’re prob the best option for browser privacy, they’ve also made some questionable choices. No company or business is immune from scrutiny or even skepticism. I do, however, trust Purism’s intentions, but that doesn’t mean I will blindly follow whatever course of action they take every time.

Your response seems overreactive, I’m not trying to diss Purism here. Of course I’ve looked at their distros’ code, why are you asking such infantile questions? What I said is, I haven’t looked at PIA’s. In fact I am right now, and about the telemetry, I was referring to the data collected on the client, not what’s browsed duh.

Lastly, I’m not trying to hide from the NSA, I think most people here are smart enough to realize if they want to get you they will; I’m talking about sharing as little data as possible with third parties (PIA in this case). Is that clear to you? Next time, try to be a little more civil with your responses, and not assume people are stupid or don’t know what they’re talking about.


#9

Please re-read your original statement. I thought the same thing about it.
You said, US-based means an automatic no. Now you basically revoked that statement.

You also spread uncertainty in the sense “who knows what they collect about me”. That is a very unfair thing to do towards a party that appears to do everything right (including a statement to not collect any logs). Unless there is a real, fact-based reason to mistrust that company, I see that as damaging their reputation.
In case they actually are not shady, think a second how such comments make the people at PIA feel.

In extension, somebody browsing the forums to learn about Purism, might take away that they partner with shady companies. There’s almost no proper way to respond for Purism. Neither trying to dispel doubts nor deleting negative comments does anything good.

So, if my negativity hit you, I’m sorry for that. But you are a single person.
Are you sorry that your statement might have a negative impact on two companies and all their employees, who, until proven otherwise, work hand in hand to make privacy accessible to ordinary people?


#10

Caliga, do you know that years ago when working in the AI lab at MIT Richard Stallman was also firmly opposed to passwords? In fact he advised fellow hackers to just use the “carriage return” as password.

All this talk about privacy and security is making my head hurt - why not look at it from a freedom standpoint?

Accepting the 1999 LinuxWorld show’s Linus Torvalds Award for Community Service – an award named after Linux creator Linus Torvalds – on behalf of the Free Software Foundation, Stallman wisecracks, “Giving the Linus Torvalds Award to the Free Software Foundation is a bit like giving the Han Solo Award to the Rebel Alliance.” Richard M. Stallman, Free as in Freedom 2.0

So instead of going in circles around VPNs and Tor maybe we should be more concerned about the state of current hardware and software infrastructure. You detailed very well a lot of things above but they only serve to distract attention from the real issue at hand.

I think that what Purism is trying to achieve now is very similar to what the Rebel Alliance did from the above quote. Beware the Death Star.


#11

Who is going in circles around it?
For Purism, it is just one of dozens of useful initiatives.
For me… I tried TOR for a day and never used a VPN.
Personally, I don’t really feel the need for it. For now, I can live without it. But maybe that will change. It’s surely good to have it available.

But… why? If each and every PC on this planet were a RISC-V based Librem machine running PureOS, that’d be pretty awesome (freedom), but it would not solve many privacy issues, unless you leave the killswitches in the OFF position.

I see lots of problems in this world that are troubling, but the state of hard- and software is, for me, not among them. The root cause of just about any real problem on this planet is greed.
Greed brought you war, famine, the domination of proprietary software, Windows, Google, Facebook …
Greed is basically the rationale behind every walled garden, and every purposeful incompatibility.

You can’t fix that. Neither with hardware, nor with software. But a VPN can help you avoid a few negative effects of the broken world we live in.


#12

Fine. You can turn off the VPN, phone full disk encryption and password if you’d like :slight_smile:


#13

might as well … those things don’t stop interested people from going in … if they deem it necessary … but my example was more related to the pure spirit of sharing and cooperation that was present in Stallman’s lab in the beginning … BEFORE greed took over :stuck_out_tongue:


#14

They can. Have fun getting into a full disk encrypted hard drive with a gazillion character passphrase from just a disk image. Oops quantum computer.

I otherwise understand the point of your post.


#15

Nowadays there are backdoors, side-doors, front-doors … you name it. The Librem 5 still has the baseband that is non-free so … but it can be removed physically with the M.2 slot


#16

If you’re careful you can mitigate most of the concerns for truly sensitive information (AIR GAP, etc). I’m not naive to what can be done.

My point


#17

My comment didn’t have any malicious intent behind it. I was merely expressing my dislike of the situation and even though I am a single person like you mention, there’s a reason this discussion was started by other people here as well; I’m not the only one who had concerns. Yes, PIA seem very transparent, I hope there’s positive things coming for Purism with this. Have a nice day. :slight_smile:


#18

PIA looks legit, but they are still vulnerable to a US government warrant or NSA-type coercion. That is, PIA doesn’t collect logs by default, but they can be compelled to do so.


#19

I think it’s incredibly naive that people think this is a US exclusive issue. Every major European power has agencies doing the exact same things, and posing the exact same risks. The only difference is that most countries are capable of hiding their intentions and negative behaviors better than the Americans are. No matter where a company is based, this will always be a concern.


#20

I agree with you. PIA has great service for various platforms but I will stick with Proton VPN. Proton is based in Switzerland, not the USA. Proton also has VPN servers in Iceland and the other top EU countries that have strict laws about online security. Our privacy rights are protected by the companies rights of privacy of that country they are from.