FLOSS after Prism: Anonymity by default

In my last blog post I argued that we have to protect the user's privacy better by letting the user decide which data gets submitted to which service. In this post I want to share some thoughts on the case where data is submitted, and on how to protect the user in that case.

Of course our systems have many legitimate reasons to talk to the network: they should check for security updates, a weather applet needs to fetch the forecast for the place you live in, and so on. While this is data the user wants submitted, the act of submitting it is concerning from a privacy point of view. It is only metadata, but metadata tells a lot about a person.

Let’s just look at system updates and what they tell us:

  • Unique identification of the user through a stable IPv6 address (unless privacy extensions are used) or a static IPv4 address
  • Approximate location of the user through IP geolocation
  • Identification of the operating system (asking a Debian mirror for updates implies you run Debian)
  • The pattern of when the system is in use (e.g. daily update checks)

This is a rather threatening set of data, especially when I think about the fact that some proprietary software (Google and Steam) installed additional sources.list entries on my system without ever asking me.

But there is an easy way to protect the user's privacy in such cases: anonymity. Routing the request through the Tor network hides the user's IP address from the service, and with it the identification and location derived from it. The service still sees that some Debian system checked for updates at some point, but it can no longer tie that to a particular person, and information that cannot be attributed to a user is worthless to a surveillance program. And that is a good thing.

Of course any user could just install Tor. But let's face it: it is difficult and complex, and the user needs to know that Tor exists in the first place. It is a fine solution for informed people like me, but certainly not for the vast majority of people for whom we develop free software.

So it is up to us to improve the situation. Why not integrate Tor (or similar services) directly into our products? A weather applet could simply send all its requests through Tor and thereby protect its users. Yes, it means more work for us developers, but in the end we are the only ones who can really judge whether Tor is useful for a given service: for a Facebook status applet, which logs in to the user's account anyway, Tor is rather pointless. So let's use anonymity where it is possible and where it makes sense, and let's integrate this information into the privacy center I proposed in my last blog post.
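To make the "route it through Tor" idea concrete, here is an added example (my own code for this page, not from the original post or from any KDE project) that opens a connection on behalf of a service according to a per-service policy. It assumes the tor daemon's default SOCKS port on 127.0.0.1:9050; the service names in the policy tables are hypothetical. Two details matter for the privacy goal: the hostname is handed to Tor unresolved so the local DNS resolver never learns the destination, and if Tor is required but unreachable the function fails closed instead of quietly connecting directly.

```python
"""Route an applet's connection through Tor when the privacy policy requires it.

Added example, not code from the original post or from any KDE project. It
assumes the tor daemon's default SOCKS port 127.0.0.1:9050; the service names
in the policy tables are hypothetical.
"""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # default SocksPort of the tor daemon

# Hypothetical policy tables: what the proposed privacy center would hold.
TOR_REQUIRED = {"weather", "security-updates"}   # nothing ties the request to a person
DIRECT_OK = {"facebook-status"}                   # bound to an account anyway


class AnonymityUnavailable(RuntimeError):
    """Raised instead of quietly falling back to a direct, de-anonymised connection."""


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request with address type 3 (domain name).

    The hostname is handed to Tor unresolved and resolved inside the circuit.
    Resolving it locally first and sending the IP (address type 1) would reveal
    the destination to the user's DNS resolver, even though the TCP stream
    itself travels through Tor.
    """
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise AnonymityUnavailable("SOCKS proxy closed the connection")
        buf += chunk
    return buf


def connect(service: str, host: str, port: int, proxy=TOR_SOCKS) -> socket.socket:
    """Open a TCP connection on behalf of `service`, through Tor if policy says so.

    Fails closed: an undeclared service is refused, and if Tor is required but the
    SOCKS proxy is down the applet gets an exception rather than a plain connection.
    """
    if service in DIRECT_OK:
        return socket.create_connection((host, port), timeout=30)
    if service not in TOR_REQUIRED:
        raise AnonymityUnavailable(f"no privacy policy for service {service!r}")
    try:
        sock = socket.create_connection(proxy, timeout=10)
    except OSError as exc:
        raise AnonymityUnavailable(f"Tor SOCKS proxy {proxy} unreachable: {exc}") from None
    try:
        sock.sendall(b"\x05\x01\x00")            # SOCKS5, one auth method offered: none
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise AnonymityUnavailable("proxy refused the no-authentication method")
        sock.sendall(socks5_connect_request(host, port))
        ver, status, _rsv, atyp = _recv_exact(sock, 4)
        if ver != 5 or status != 0:
            raise AnonymityUnavailable(f"SOCKS5 CONNECT failed with status {status}")
        # Drain the bound address and port; their length depends on the address type.
        if atyp == 1:
            _recv_exact(sock, 4 + 2)
        elif atyp == 4:
            _recv_exact(sock, 16 + 2)
        elif atyp == 3:
            _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
        else:
            raise AnonymityUnavailable(f"unknown address type {atyp} in SOCKS5 reply")
        return sock
    except OSError as exc:  # timeout or reset during the handshake
        sock.close()
        raise AnonymityUnavailable(f"SOCKS5 handshake with {proxy} failed: {exc}") from None
    except BaseException:
        sock.close()
        raise


if __name__ == "__main__":
    # With tor running locally this fetches a page via Tor; the server sees the
    # exit relay's address, not the user's.
    import ssl
    raw = connect("weather", "check.torproject.org", 443)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname="check.torproject.org")
    tls.sendall(b"GET / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
    print(tls.recv(200).decode(errors="replace"))
    tls.close()
```

Run as a script with tor installed to fetch check.torproject.org through Tor. In a real applet the policy table would come from the privacy center rather than being hard-coded, and a service tied to an account (the Facebook example) is declared direct because anonymising the transport buys nothing when the payload itself identifies the user.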

FLOSS after Prism: Privacy by Default

The disclosures by Edward Snowden will have a huge impact on our society and therefore also on free software. I do not think we can continue as we used to; we have to adjust our software to fit the new reality, to make it a true opponent of the surveillance state we live in, and to return to 1983.

I have been thinking about what FLOSS can do to protect people, and I want to share my thoughts in a few blog posts. In this first post I want to talk about a fifth freedom:

“The freedom to decide which data is sent to which service”.

As we all know, free software grants us the four freedoms. They are important, but they cannot protect the user's privacy. Unfortunately there is free software out there that violates the fifth freedom above: software that can track you, software that sends all your local search queries to third parties like Amazon, software that can turn your smartphone into a surveillance tool. Thanks to the four freedoms we are able to see that the software does this, but the user has little chance to change it. Yes, the four freedoms allow a user to modify the source code, but in practice a normal user cannot do that, and even skilled users can only protest.

I know that many users think it doesn't matter because they have "nothing to hide". But I disagree: I have lots to hide, and I am sure everyone has things to hide. And even leaving our private lives aside, there are many occupations in which confidentiality is central. Yes, it is the job of a lawyer to hide things. If a lawyer cannot use FLOSS because he cannot even open a client's file without Amazon and every connected third party (e.g. Tempora) learning about it, that is a clear violation of the first freedom, which forbids discrimination against users.

I derive this fifth freedom directly from the four freedoms, and it is highly inspired by Germany's right to informational self-determination, described as follows:

… in the context of modern data processing, the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights of the [German Constitution]. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data.

With informational self-determination every user must always be aware of which data is sent where. By default no application may send data to any service without the user's consent. Of course it makes no sense to ask the user every time a program wants to connect to the Internet. We need to find a balance between good usability and still protecting the most important private data.

Therefore I suggest that the FLOSS community designs a new specification that applications use to declare, in a machine-readable way, which services they interact with and which data they submit to each service. The specification should also define how a user can easily tell an application to stop using a given service.

With this information available, applications can show a first-run dialog that tells users how the application interacts with services and how they can configure this.

Furthermore, a complete database of all declared services would allow a privacy center directly in the user's desktop: a center listing all the applications that interact with remote services, where the user can directly disable individual services.
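As an added example (my own code for this page, not part of the post and not any existing KDE specification), here is what a minimal version of such a specification could look like and how an application and the privacy center would consume it. The manifest format, an INI file with one [Service <name>] group per remote service, the key names, and the sample weather applet and user preferences are all hypothetical and constructed for this example.

```python
"""Parse an application's privacy manifest and apply the user's choices.

Added example, not part of the post. The manifest format (an INI file with one
"[Service <name>]" group per remote service), the key names, and the sample
application and preferences below are all hypothetical.
"""
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    host: str
    data: tuple          # what is submitted, e.g. ("location", "language")
    purpose: str
    required: bool       # True if the application cannot work without it


# Constructed manifest a weather applet would install, e.g. under /usr/share/privacy/.
WEATHER_MANIFEST = """\
[Application]
Name=plasma-weather

[Service openweathermap]
Host=api.openweathermap.org
Data=location;language
Purpose=Fetch the forecast for the configured location
Required=true

[Service update-check]
Host=download.kde.org
Data=operating-system;applet-version
Purpose=Check for a newer applet version once a day
Required=false
"""

# Constructed preferences written by the privacy center: services the user switched off.
USER_PREFS = """\
[plasma-weather]
Disabled=update-check
"""


def parse_manifest(text: str) -> dict:
    """Return the declared services keyed by name; the [Application] group is skipped."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    services = {}
    for section in cp.sections():
        if not section.startswith("Service "):
            continue
        name = section[len("Service "):]
        sec = cp[section]
        services[name] = Service(
            name=name,
            host=sec["Host"],
            data=tuple(d for d in sec.get("Data", "").split(";") if d),
            purpose=sec.get("Purpose", ""),
            required=sec.getboolean("Required", fallback=False),
        )
    return services


def disabled_services(prefs_text: str, app: str) -> set:
    """Services of `app` the user has switched off in the privacy center."""
    cp = configparser.ConfigParser()
    cp.read_string(prefs_text)
    if app not in cp:
        return set()
    return {s for s in cp[app].get("Disabled", "").split(";") if s}


def may_contact(services: dict, disabled: set, service: str) -> bool:
    """Consent check an application runs before opening any connection.

    An undeclared service is refused outright: a connection the manifest does
    not mention is exactly what the specification is meant to make visible.
    """
    return service in services and service not in disabled


def first_run_summary(services: dict, disabled: set) -> list:
    """Lines for the first-run dialog: what goes where, and what is currently off."""
    lines = []
    for svc in services.values():
        state = "disabled" if svc.name in disabled else "enabled"
        need = "required" if svc.required else "optional"
        lines.append(f"{svc.name}: sends {', '.join(svc.data)} to {svc.host} "
                     f"to {svc.purpose.lower()} [{need}, {state}]")
    return lines


if __name__ == "__main__":
    services = parse_manifest(WEATHER_MANIFEST)
    disabled = disabled_services(USER_PREFS, "plasma-weather")
    print("\n".join(first_run_summary(services, disabled)))
    for s in ("openweathermap", "update-check", "telemetry"):
        print(s, "->", "allowed" if may_contact(services, disabled, s) else "blocked")
```

The important design choice is in may_contact: a service the application never declared is blocked, not allowed, so an application that forgets (or declines) to list a connection in its manifest loses that connection rather than the user losing visibility of it.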

Of course there is still one problem: how to force applications to make use of it and to provide all the data. Such a center becomes useless if some applications do not implement it because the project behind them thinks its users are a product to be sold. But this is a social problem, and we cannot solve social problems by technical means. If a FLOSS product violates the user's privacy we all have to call it out and convince the project that this is a bad idea. It is up to the users not to use software that violates their privacy and thereby force the project to change.

Update: See also the follow-up post FLOSS after Prism: Anonymity by default

KDE – the Prism Breaker

In times of PRISM, Tempora and XKeyscore we have a good chance to differentiate our products as the true PRISM breaker.

I just sent this to a KDE mailing list. And it is true. The KDE community's software is:

  • community controlled: no US-controlled company can introduce "patriotic" changes
  • the majority of developers are based outside the US, many in Europe and India (@devs: please provide your data for the commit digest, 20 % unknown is too much)
  • our legal entity (KDE e.V.) is based in Germany
  • we don't send any of your data to our (or third-party) servers (you can opt in to the Amazon store in Amarok)
  • we provide software to encrypt and protect your communication (KMail, KGpg, Kleopatra, and Kopete with the OTR plugin)
  • we provide web browsers (rekonq, Konqueror) that are not controlled by a US corporation or US foundation
  • we provide a web browser rendering engine (KHTML/KJS) that is not controlled by a US corporation or US foundation
  • we live open standards, for example with excellent ODF support (Calligra suite)
  • we provide a tablet operating system (Plasma Active) that follows the principles outlined above

And much, much more. If you are concerned about PRISM & co., consider using KDE software. For a fuller list of software also check out PRISM ⁂ Break, which also explains why you should avoid certain free software.