Kill switch for the next fairphone

The slidey thing would also protect the lens.

Just signed up to say that I’ll buy the Fairphone once they add killswitches (mic, cam, wifi) to it

2 Likes

This is clearly a minority opinion – and therefore probably not something that any smartphone OEM would implement . For the majority of users and buyers this is simply something that might cause confusion or break.

Best wishes,
Thomas

2 Likes

Please define “any smartphone OEM” in the presence of Pine64 and Purism, who already build smartphones with kill switches for the minority.

5 Likes

Definitely relevant for me whether I will buy the next Fairphone.

2 Likes

I do think there are some people who would like to have kill switches. Me too. :wink:

@anon9989719 has already given 2 helpful links where you can see the interest of others.

If Fairphone were to include kill switches at some point, a lot more people would stumble upon the issue in the first place and think the switches are good. If you don’t know about something, you can’t wish for it or miss it.

3 Likes

I “second” the need for hardware (physical disconnect) privacy switches for camera, mic, and antennae. It’s the only reason I haven’t gotten a Fairphone already.

I emailed Fairphone about this and didn’t get a response.

Then sent the same email to SHIFTphones and they replied a day later, saying they’d pass on the idea to their developers. In fact SHIFT already has a laptop with a killswitch so my bet is they may actually take this request seriously. Maybe Frame.Work–which made a laptop with such switches from the very start–will make this kind of phone as well in the distant future.

But I caution against killswitches like those in the current version of Pinephone. They’re tiny and located under the cover. Those are not user friendly and are basically useless for intraday needs.

The Librem 5 killswitches are much better in terms of intraday convenience since they’re on the side of the phone. But Purism has some serious problems with its business, customer service, and the phone itself so that’s rather unfortunate.

3 Likes

Hi and welcome to the forum. I have also contacted frame.work asking if they can consider using Fairtrade materials and Fair wages as Fairphone does.

But until someone else does then kill switches are way off the track. Fair trade and Fair wages lead the way for me.

1 Like

I see it the same way. That’s why I wrote in the topic

and added the picture:

1 Like

In which practical situation would a kill switch be useful and user-friendly? Not to mention production friendly. An antenna needs space at the sides of the phone. And a modular phone needs extra space as well. The FP4 is already way too big for my taste. Adding more buttons won’t make it better.

It’s a nice thought to be in control of your hardware. But in reality I don’t see the benefits. Are you protecting yourself against profiling for e.g. personalized ads? Your mic and camera are not used for that (yet). Are you worried about unsanctioned location requests? The moment you turn it on and navigate a few times to your home you lost that battle already. I can go on, also about WiFi and 4/5G connections. From what should this protect you against? Is it even happening? And once you turn it on to use it, isn’t it already futile to turn it off again?

To me this feature is a gimmick that comes at an unacceptable cost. I rather see an improved camera and microphone than a kill switch for it. And I think 99% would agree.

If you’re woried about your privacy, then don’t buy a smartphone. Switching off a part of that device because you’re not using it at that point won’t protect you from governments or ad companies. It will give a false sense of protection.

Switching off the front camera would be the only somewhat sensible feature. Less development cost and may be pushed for a good reason, but it’s still a false sense of privacy IMHO. If you can’t trust the software on your phone, then don’t use it.

10 Likes

Exactly. This chimes with what I was going to contribute to this conversation.

I understand the wish for privacy, I’m sure we all do. However physical switches, as has been said, make the phone more exposed to water and dust ingress and complicate its construction, to say nothing of the additional expense.

It seems to me that the same protection of privacy can be achieved through software … with the proviso that you can trust the software.
This implies using exclusively open source software and, if you’re not a coder, trusting those who are, to peer-review it competently and honestly. And even if you’re a coder, you’re unlikely to ever read all the code you use, so we’re all in the same boat.

If you don’t trust the software, the physical switches will be of no help, because there are plenty of other ways of invading your privacy than just using the mic, camera or antennae. In a way the switches could, as you say UPPERCASE, be said to be counter-productive, giving a false sense of security.

In this search for the protection of privacy I think we should turn to those who are already working on alternative operating systems. I’m interested in iodéOS in this respect. Could they, and others, take it on board? I’d like to see, in the quick-access settings swipe-down panel, two extra icons: a mic and a camera. For the antenna, we already have one, it’s called aeroplane mode …

4 Likes

As there is a phone providing this, if this is really important to me, then why not just ordering this phone? Fairphones main mission is not privacy and I doubt there will ever be any phone covering all needs anyone might require, in my eyes that’s just impossible. So one has to choose what is most important for them and go with this product and accept the obstacles it might bring.

2 Likes

Ideology would forbid it:

The objectives in the conception of this ROM are threefold:

To keep the stability and security level of LineageOS, by minimizing the modifications made to the system. Apart the system modifications required by the adblocker, we mainly only added a few useful options commonly found in other custom ROMs, made some cosmetic changes, modified a few default settings to prevent data leaks to Google servers.

OK so I go up a step and ask the same question of Lineage …

[Edit: Pity. I’d have thought this was just the sort of thing a “very privacy-friendly custom ROM” would be interested in looking at.
Maybe I should just put in a feature request at AOSP. What are my chances …?]

1 Like

Yes we want trustworthy software and we have to assume that Fairphone does their best in this regard. But a physical switch is a protection from malicious hardware (or firmware).

I would only argue for one physical switch - to power off the cellular modem (baseband processor) because that is a proprietary system that runs proprietary software. This part of the phone has network access and often direct access to other parts of the hardware.

@m4ur1c3 mentioned that the cellular modem on the FP2 and FP3 is not well isolated but I don’t know the details.

So using an isolated modem that doesn’t have direct access to the microphone, memory, GPS,… would solve parts of those concerns.

As the Airplane mode was mentioned: do we have any confirmation, that the devices really doesn’t do any communication in this mode? Did anybody ever check or is there a statement from the manufacturer? Searching around I found a comment here:

“Airplane mode” is essentially and AT command sent to the baseband to disassociate and go to sleep, it doesn’t disable the baseband CPU, DSP or anything else.

I’m on Wi-Fi 95% of the time and do all my regular communications “over IP”. So for me it would work to just enable cellular once a day to receive some SMS and enable it once a month when I need to make a legacy phone call.

2 Likes

I wouldn’t trust “Airplane mode”, even if it doesn’t actually transmit any data, it’s way to easy to enable / disable by accident.

If you have a eSIM, you can turn those on and off quite easily. Since only one can be active at a time, switching to a “burner” one might be an option as well. Depending on the threat level, I wouldn’t trust that either, but I’d trust it more than simply “Airplane mode”.

1 Like

So in summary, you would think you’re save when you disconnect your Internet cable from your PC when you don’t use the Internet, correct? A killswitch gives you the false sense of control and supposedly outsmarted someone else. It’s very likely you won’t reach that goal. Once you have Internet (for whatever reason) the malicious software can send any data it collected while there was no network. And a split second can be enough to send it.

Know the problem and work on a solution from there. IMHO a killswitch is a gimmick to try to obtain more privacy and security, but fails by design.

A smartphone inherently is a personal device with a network connection. Just like a PC. I wouldn’t advice people to unplug their network cables if they are just writing an email. Then plug it quickly in, send it, and unplug it again. There are firewalls for that for example. The problem lies in software and who controls that software.

1 Like

So in summary, you would think you’re save when you disconnect your Internet cable from your PC when you don’t use the Internet, correct?

You are safe. The phone would not be able to use the hardware the killswitch is attached to, in this case the wifi and radio module.

the malicious software can send any data it collected while there was no network

And yet there are phones out there, that do have killswitches. Why? Because they have killswitches for the microphone and camera as well. Additionally, on the Librem 5 the GPS as well as other sensors are turned off. So even if the phone was infected and able to collect data, the sensors are physically turned off and useless.

I don’t understand this hate and scepticism towards hardware killswitches. Yes, you’re adding additional buttons to wear and tear, but in terms of privacy, they are clearly superior to software switches.

IMHO a killswitch is a gimmick to try to obtain more privacy and security, but fails by design.

I really cannot understand how you come to this conclusion, it is literally the only way, to work by design, short of not having any hardware able to communicate.

A smartphone inherently is a personal device with a network connection.

Yes, especially if you want to be available all the time. But there is no reason for example for the camera, microphone and gps sensors to be active all the time for a phone to still fulfil that purpose.

Just because you can’t be 100% certain you’re phone isn’t spying on you, doesn’t mean you shouldn’t try to minimize the data points it’s collecting. Privacy is not a black and white thing, many things inbetween exist.

The problem lies in software and who controls that software.

Even if the software is fully open source, you build it yourself, and it has been audited by a team of competent engineers, vulnerabilities or undefined behaviour can still occur. This is exactly what hardware switches prevent, so I can fully understand why some people would want them in their phone.

2 Likes

Let me try to fill in some scenarios you’re trying to protect yourself against. Google perhaps? And companies like it, that build up a profile about you so they can target you with specific ads? Or maybe the CIA? That they can’t spy on you while you have your phone on you? Or perhaps that Russian hacker that wants to blackmail you with pics when you’re on the toilet using your phone?

Like I mentioned, only the front camera would sort of make sense. But that too will still give a false sense of privacy/security. There are a ton of other sensors that can give away so much information. Only if you disable all of those (including things like motion sensors, because of e.g. gait recognition), then you sort of reach that scenario you’re trying to protect yourself against. There is not really a middle ground here, because the R&D investment really shouldn’t be taken lightly. It either works or it’s not worth implementing.

But by having separate switches you basically think you can outsmart everyone else, which is impossible, unless you’re the smartest person that ever lived and knows when to turn something on or off and is in full control of the software running on it. It’s either all off, or it’s just a gimmick. And there is something for that already, it’s the power switch. Or take out the battery if you’re really paranoid. Or, don’t own a smartphone.

You can also buy a face mask with voice amplifier and RBG LEDs, that doesn’t mean it’s useful and we should all have it.

I know this sounds negative, but look at it from a practical point of view. From what are you trying to protect yourself? And do kill switches really do anything? And I’m not even taking into account what you’re sharing already with other companies/governments, and of course what others share about you.

Add it all up and those kill switches are just a waste of money. Money that could be spend on improving the mic and camera quality, so that people use their phone for a longer period. That’s the goal of Fairphone.

1 Like

I’d like to start by saying I don’t think that Fairphones need kill switches. Fairphone’s goal isn’t security or privacy, it’s sustainability and fairness. Pine64 and Librem have done a good job already by offering phones which focus on security and privacy, and include kill switches. Kill switches are only a solution when you already trust your software. That leads me to my main point.

Kill switches are for hardware security. Don’t trust your modem to not send whatever data it wants to some three-letter agency? Kill it in hardware. Of course this requires all upstream components (memory, CPU, etc.) to also be trustworthy, otherwise that kill switch is only good until it gets switched back on (at which point whatever malicious component can just try to send data again). It also requires that to you trust/know that the kill switch actually works. All Fairphones already run Android, which is full of stuff from Google, which isn’t known for trustworthiness, on a Qualcomm SoC, which is closed and proprietary and therefore impossible to 100% trust. That means any kill switch is already potentially defeated, because either the CPU or software could just wait until it can send data again. Pine64 and Librem avoid/reduce that issue by using components (especially CPU/SoC) which have the best FOSS and documentation available.

With a modular phone like Fairphone makes, conceivably you could have modules that you trust and others that you don’t trust. “Upgrading” from hardware that you don’t trust to hardware that you do could be a reasonable reason to flip a module’s killswitch back to on. But then why have the untrusted module installed at all in the first place?

Fairphones also have unlocked bootloaders, so what about using GNU/Linux (that you trust) instead of Android? There have been projects to get Fairphone models to run Ubuntu Touch in the past, so this is actually quite likely to happen again. Assuming low-level firmware is also reverse-engineered or is at least trusted, the only part that could be malicious is the hardware. But it’s still the same issue with the CPU: it’s not trusted any more than the modem.

So basically, hardware kill switches are just as useful as software toggles on a Fairphone. Some people seem to make out the issue of privacy as this boolean, all-or-nothing sort of situation where either you keep all of your data private or it’s not worth worrying about privacy at all. The reality is that you should try to be as private as you want to be, but kill switches are mostly a way of showing others that you are very private, without actually doing anything to provide privacy.

2 Likes