Thursday, November 23, 2017

Android has been a bit naughty with its location tracking

I was pointed to this article today:

https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

Basically it points out that Android has been tracking the location of phones for the past year or so, even when location tracking is disabled. More specifically, it tells Google whenever you come in range of a cell tower. Doing this for each cell tower a phone can hear provides a fairly good location, especially if you integrate it over time.
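The "integrate it over time" point is easy to see with numbers. The Python below is an added example written for this post; it is not code from the article, from Google or from Android. The tower positions, the report log and the phone's true position are all constructed for the illustration, as is the assumption that the towers' coordinates are known (which, for public cell IDs, they effectively are). Each individual sweep mis-places the phone by a kilometre, but pooling the sightings lands on the true position, which is why only a device that cannot report towers at all, such as one with the modem physically switched off, is a robust mitigation.

```python
"""How per-tower reports integrate into a location fix.

Added example, not code from the original post or from Google/Android.
The tower coordinates and the report log below are constructed; a real
deployment would map cell IDs to positions using a tower database.
"""
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed tower database: cell id -> (x, y) in metres on a flat local
# grid. Assumed values for the illustration only.
TOWERS: Dict[str, Point] = {
    "cell-A": (0.0, 0.0),
    "cell-B": (2000.0, 0.0),
    "cell-C": (0.0, 2000.0),
    "cell-D": (2000.0, 2000.0),
}

# Constructed log of what the phone reported over time: (timestamp, cell
# ids heard in that sweep). Each sweep catches only a couple of towers,
# as real reception varies from moment to moment.
REPORTS: List[Tuple[int, List[str]]] = [
    (1000, ["cell-A", "cell-B"]),
    (1060, ["cell-C", "cell-D"]),
    (1120, ["cell-A", "cell-C"]),
    (1180, ["cell-B", "cell-D"]),
]

# Where the (constructed) phone actually is: the middle of the four towers.
TRUE_POSITION: Point = (1000.0, 1000.0)


def centroid(points: List[Point]) -> Point:
    """Unweighted centroid: the coarse estimate a list of towers gives."""
    if not points:
        raise ValueError("no known towers heard")
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (sum(xs) / len(xs), sum(ys) / len(ys))


def distance(a: Point, b: Point) -> float:
    """Euclidean distance in metres on the flat grid."""
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5


def single_report_estimate(cells: List[str]) -> Point:
    """Estimate from one sweep alone; unknown cell ids are ignored."""
    return centroid([TOWERS[c] for c in cells if c in TOWERS])


def integrated_estimate(reports: List[Tuple[int, List[str]]]) -> Point:
    """Estimate from every tower sighting across all reports.

    Each sighting counts once, so towers heard more often pull the estimate
    towards them. This is the 'integrate it over time' effect: errors of
    individual sweeps cancel as the sightings accumulate.
    """
    sightings: List[Point] = []
    for _ts, cells in reports:
        sightings.extend(TOWERS[c] for c in cells if c in TOWERS)
    return centroid(sightings)


def error_per_report(reports: List[Tuple[int, List[str]]]) -> List[float]:
    """Metres of error for each sweep taken on its own."""
    return [distance(single_report_estimate(cells), TRUE_POSITION)
            for _ts, cells in reports]


def integrated_error(reports: List[Tuple[int, List[str]]]) -> float:
    """Metres of error once all sweeps are pooled."""
    return distance(integrated_estimate(reports), TRUE_POSITION)


if __name__ == "__main__":
    for (ts, cells), err in zip(REPORTS, error_per_report(REPORTS)):
        print(f"t={ts}: heard {cells} -> error {err:.0f} m")
    print(f"pooled over {len(REPORTS)} reports -> "
          f"error {integrated_error(REPORTS):.0f} m")
```

Run it as a script and each sweep reports an error of 1000 m while the pooled estimate reports 0 m. The toy geometry is deliberately symmetric so the numbers come out round; with real tower layouts the pooled estimate is still far better than any single sweep, which is the whole concern.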

The use of spyware in mobile devices is a topic we have talked about previously, both for people living in dangerous places and for victims of domestic violence, as well as other contexts where being able to locate someone further compounds their vulnerability and tips the power imbalance in favour of an abusive person, organisation or otherwise.

The really naughty part of this current situation is that this was happening even without a SIM card in the phone, and even when location services were disabled in Android: there was no way to know it was happening, and no way to disable it even if you knew. In fact, Google showed that it realised it was naughty by more or less immediately phasing it out as soon as they had been called out on it.

This leads me to a topic that we have been quietly working on in the background for the past couple of years: how can we trust modern computers and communications devices, when they are so complex that it almost requires accidental discovery by dedicated researchers to find these significant privacy- and safety-damaging functions, which have been silently introduced to our devices -- often through software updates long after the initial purchase?

Our response to this is to explore the creation of "simply secure" communications devices, i.e., communications devices so simple that their security can be quickly and confidently audited by a reasonably determined user, rather than requiring a team of researchers to explore. Such devices should also make it much easier to be assured that the device cannot communicate with the outside world -- including getting a location fix -- when you don't want it to.

Such devices are easy to make. After all, a brick is a secure communications device, in that there isn't really any way to subvert the function of a lump of burnt clay. But it isn't useful. This is the opposite extreme from current devices, which are almost omnipotent, but so easy to subvert.

The challenge is to design and create devices that sit on some sweet spot in the middle, where they are still simple enough to be confident in their correct function, yet not so simple as to be practically useless.

This is exactly the kind of device that we are currently designing, in the form of a specialised smart-phone that will still be capable of secure email, telephone calls, SMS and so on, while being much more resistant to attack or subversion, due to its simplicity and transparent auditability.

For example, it will have physical switches to power off the cellular modem, and the cellular modem will be completely sandboxed from the rest of the phone -- including the GPS receiver, microphone and so on. Many of these modules will also be completely removable.

It will also allow full out-of-band memory inspection of the entire system, transparent to, and independent of, the processor, and provide a secure compartmentalised architecture that allows a paranoid process, for example an email decryption program, to be sure that even the hypervisor cannot interrupt it to exfiltrate private information.

We know that there are some other folks active in similar spaces, including the excellent folks at Purism. We love what they are doing, and see our thinking in this space as complementary. The Purism laptops (and soon phone) use all open hardware, so that if you need a full-function computer, it is as trustworthy as possible. What we are looking to do is a little different: we want to see how simple we can go, while preserving enough function to be useful. We are expecting the core operating system to fit in kilobytes of memory, not megabytes, and applications to be tens to hundreds of kilobytes, not megabytes.

There are lots of questions unanswered, not least whether the thing will actually be useful enough for anyone, but we are exploring and, all going well, hope to be able to produce a few prototype devices by the end of 2018. We have also secured the necessary defence-related export clearance for such a device, precisely because its combined security measures place it at risk of tipping over into the category of dual-use equipment, so we have a green light there.

So my questions for all of you reading:

  1. Would any of you buy a "phone for the paranoid" along the lines of what I am describing?
  2. What are the absolute core functions that you would require, compared to the list below:
    • Make and receive telephone calls (en clair, and quite possibly end-to-end encrypted).
    • Send and receive SMS messages (en clair or encrypted).
    • Send and receive email, including GPG or similar encrypted.
    • Very basic web browsing, using a purposely cut-down browser.
    • Ability to run third-party apps in a sandbox environment.