When Windows Vista first came out, I was one of the earliest adopters (or tried to be an early adopter) who beta tested it before most people would even know about it. It was terrible. Every mouse-click caused the screen to go dark and a warning about specific security issues showed on the dark screen. You had to agree to the security risks at almost every click before you could do anything. Since I had no clue about most of these security issues or even what the implications even were, I just agreed to everything without understanding the risks. I did the same where ever I could, to change all of the defaults to get rid of the screen darkening and warnings with almost every click. Agree, agree, agree. Since I didn’t usually understand the risks, I quit even trying to understand them and just agreed to everything to make the OS useable.
When you use Pure OS, I imagine that Purism has configured the O S to protect your privacy. Most of us are not security and software experts. We need many different things to just work without understanding all of the technical issues. How does Purism balance getting everything to work for average users who are not experts, while maintaining security? The first time I need something to work that I don’t understand the risks of and that Purism has tried to protect me from, I am likely to agree to whatever is asked because the OS is useless if I can’t use the apps I need. So I get to decide if I want to be safe against unknown risks or to have a tool that is practical for me to use. How does Purism recommend the average user address these issues? What does Purism do to mitigate these kinds of challenges?
Purism gives you, what they estimate as, reasonable defaults. They do not prevent you from changing these as the primary focus is your freedom. As such each person is responsible for their own free choices.
Ignorance (not knowing) when combined with apathy (not caring/not caring to know) is a dangerous thing. It sounds, to me, as if you are looking for freedom of choice without the responsibility of the consequences of your actions. To give up the responsibility is to give up the freedom Purism is trying to return to the consumer.
My recommendation is that if you don’t understand something, ask. This applies not just to technology, but rather is a life recommendation as it is not feasible to know everything there is to know. Yes, this will result in some tasks taking longer initially as there is a time spent seeking some amount of knowledge, but it also means that in the future you can perform that same task more quickly while maintaining a certain level of both understanding and risk acceptance/avoidance.
So while there is no technical competency requirement, by having freedom that includes the freedom to choose convenience over privacy without putting forth the effort to learn the amount of each you’re choosing between, there may be a perception of needing a certain level of technical competency; though I’d argue you rather need trust and patience and a willingness to learn as there may be alternatives that allow for accomplishing the same tasks you’re trying to accomplish only in a more privacy respecting way.
I don’t speak for Purism but you can see that issue in play in your browser.
How do you balance
an annoying browser that asks you a thousand questions just to use one web page
a browser that just compromises your security and privacy on every web page
a browser that tries to prioritise your security and privacy
?
I don’t think there are any easy answers.
The hardline security and privacy answer is that the browser should not have to be in that position. The interface between the web client and the web server should have security and privacy designed in. The web site should have security and privacy designed in. But that’s never going to fly.
So, in the web browser scenario, you end up with something like: secure and private defaults out-of-the-box, with a discrete warning somewhere on the window when the browser has blocked web site nasties, but you can override the settings for particular web sites (that don’t work perfectly when operating at the highest level of security and privacy but which you choose to trust).
This isn’t perfect by any stretch of the imagination e.g. web pages that cause your browser to access content from other web sites (CSS, JavaScript, images, …) and e.g. too many web sites that simply rely on “bad” functionality.
Ironically, this general solution also creates a privacy problem of its own … since every web site where you override the settings in order to make it work creates a permanent record on your computer that you have (presumably) visited that web site. In some countries that would be a serious problem.
The UI side of security is the most challenging part. Most vendors solve the problem by completely removing control and trust from the user and resting it with the vendor. We make it even more challenging for ourselves because we believe the user should be empowered to control and own their hardware and software, not the vendor, so our solutions end up requiring a lot more careful thought and often go against conventional wisdom in some infosec circles.
That said, you can balance security, privacy, and convenience. I think our hardware kill switches strike that balance very well, and we’ve tried as best we can to make PureBoot tamper detection convenient (boot w/ Librem Key inserted, look for green or red LED on Librem Key) while still putting full control in the user’s hands.
Beyond that like others have mentioned, we do think there is a lot of power in sane defaults and so for the rest of the OS we just try to pick reasonable defaults for the user. Will it protect you from all possible threats past, present and future? Possibly not but then no security solution will. What we can offer is safe software where all the source can be audited, so it’s much harder for someone to implant spyware and unlike some vendors out there we’d never allow 3rd parties to pay us to pre-install spyware on your laptop or phone that you can’t remove.
indeed but we must also take into consideration that each individual is different (i.e not the same genetic gifts). to top it off we also FORGET and overall depending on the individual we are also fragile (some more than others - i.e immuno deficiencies etc)
as always the truth lies somewhere between JUSTICE and MERCY while LOVE is there to encompass all …
i would urge any POWER/AUTHORITY out there to keep this in mind …
great question. on a technicall level i’m in no position to give advice on this matter however experience has thought me that every human balancing act requires a compromise of some sort (some would use the word “sacrifice” here but i’d rather not)
usually that ends up just delaying the inevitable … as some say “anything that can happen will happen” … if it hasn’t already
Some of the Security issues in Windows anyway, are so specific and technically deep, that even an experienced programmer might have reservations about what is being asked by the operating system. The only sure thing is that you can’t do what you want to do without saying “yes”, to the specific risk that it is asking if you want to take. This goes beyond apathy and is more akin to Google’s twenty page user agreement that was written by a staff of lawyers using the most esoteric legal terms they can probably find.
I don’t see Purism ever doing that, but it would be nice if every risk exposure question could be addressed specifically in the OS to the most ignorant of users. Each of us is ignorant about some things at least some of the time. And ignorance leads to Security breaches. As an EE, I sometimes have to hesitate and dumb down what I am about to say to my family and friends, any time the topic touches on Electronics. When you do something 40 hours per week or more and everyone around you at work knows as much as you do about the basics, it’s oh too easy to forget that the basics are not the same for everyone outside of your work.
