Kill switch for the next fairphone

So in summary, you would think you’re safe when you disconnect your Internet cable from your PC when you don’t use the Internet, correct? A killswitch gives you a false sense of control and of supposedly having outsmarted someone else. It’s very likely you won’t reach that goal. Once you have Internet (for whatever reason) the malicious software can send any data it collected while there was no network. And a split second can be enough to send it.

Know the problem and work on a solution from there. IMHO a killswitch is a gimmick to try to obtain more privacy and security, but fails by design.

A smartphone inherently is a personal device with a network connection. Just like a PC. I wouldn’t advise people to unplug their network cables if they are just writing an email. Then plug it quickly in, send it, and unplug it again. There are firewalls for that for example. The problem lies in software and who controls that software.

1 Like

So in summary, you would think you’re safe when you disconnect your Internet cable from your PC when you don’t use the Internet, correct?

You are safe. The phone would not be able to use the hardware the killswitch is attached to, in this case the wifi and radio module.

the malicious software can send any data it collected while there was no network

And yet there are phones out there, that do have killswitches. Why? Because they have killswitches for the microphone and camera as well. Additionally, on the Librem 5 the GPS as well as other sensors are turned off. So even if the phone was infected and able to collect data, the sensors are physically turned off and useless.

I don’t understand this hate and scepticism towards hardware killswitches. Yes, you’re adding additional buttons to wear and tear, but in terms of privacy, they are clearly superior to software switches.

IMHO a killswitch is a gimmick to try to obtain more privacy and security, but fails by design.

I really cannot understand how you come to this conclusion, it is literally the only way, to work by design, short of not having any hardware able to communicate.

A smartphone inherently is a personal device with a network connection.

Yes, especially if you want to be available all the time. But there is no reason for example for the camera, microphone and GPS sensors to be active all the time for a phone to still fulfil that purpose.

Just because you can’t be 100% certain your phone isn’t spying on you, doesn’t mean you shouldn’t try to minimize the data points it’s collecting. Privacy is not a black and white thing, many things in between exist.

The problem lies in software and who controls that software.

Even if the software is fully open source, you build it yourself, and it has been audited by a team of competent engineers, vulnerabilities or undefined behaviour can still occur. This is exactly what hardware switches prevent, so I can fully understand why some people would want them in their phone.

2 Likes

Let me try to fill in some scenarios you’re trying to protect yourself against. Google perhaps? And companies like it, that build up a profile about you so they can target you with specific ads? Or maybe the CIA? That they can’t spy on you while you have your phone on you? Or perhaps that Russian hacker that wants to blackmail you with pics when you’re on the toilet using your phone?

Like I mentioned, only the front camera would sort of make sense. But that too will still give a false sense of privacy/security. There are a ton of other sensors that can give away so much information. Only if you disable all of those (including things like motion sensors, because of e.g. gait recognition), then you sort of reach that scenario you’re trying to protect yourself against. There is not really a middle ground here, because the R&D investment really shouldn’t be taken lightly. It either works or it’s not worth implementing.

But by having separate switches you basically think you can outsmart everyone else, which is impossible, unless you’re the smartest person that ever lived and knows when to turn something on or off and is in full control of the software running on it. It’s either all off, or it’s just a gimmick. And there is something for that already, it’s the power switch. Or take out the battery if you’re really paranoid. Or, don’t own a smartphone.

You can also buy a face mask with voice amplifier and RGB LEDs, that doesn’t mean it’s useful and we should all have it.

I know this sounds negative, but look at it from a practical point of view. From what are you trying to protect yourself? And do kill switches really do anything? And I’m not even taking into account what you’re sharing already with other companies/governments, and of course what others share about you.

Add it all up and those kill switches are just a waste of money. Money that could be spent on improving the mic and camera quality, so that people use their phone for a longer period. That’s the goal of Fairphone.

1 Like

I’d like to start by saying I don’t think that Fairphones need kill switches. Fairphone’s goal isn’t security or privacy, it’s sustainability and fairness. Pine64 and Librem have done a good job already by offering phones which focus on security and privacy, and include kill switches. Kill switches are only a solution when you already trust your software. That leads me to my main point.

Kill switches are for hardware security. Don’t trust your modem to not send whatever data it wants to some three-letter agency? Kill it in hardware. Of course this requires all upstream components (memory, CPU, etc.) to also be trustworthy, otherwise that kill switch is only good until it gets switched back on (at which point whatever malicious component can just try to send data again). It also requires that you trust/know that the kill switch actually works. All Fairphones already run Android, which is full of stuff from Google, which isn’t known for trustworthiness, on a Qualcomm SoC, which is closed and proprietary and therefore impossible to 100% trust. That means any kill switch is already potentially defeated, because either the CPU or software could just wait until it can send data again. Pine64 and Librem avoid/reduce that issue by using components (especially CPU/SoC) which have the best FOSS and documentation available.

With a modular phone like Fairphone makes, conceivably you could have modules that you trust and others that you don’t trust. “Upgrading” from hardware that you don’t trust to hardware that you do could be a reasonable reason to flip a module’s killswitch back to on. But then why have the untrusted module installed at all in the first place?

Fairphones also have unlocked bootloaders, so what about using GNU/Linux (that you trust) instead of Android? There have been projects to get Fairphone models to run Ubuntu Touch in the past, so this is actually quite likely to happen again. Assuming low-level firmware is also reverse-engineered or is at least trusted, the only part that could be malicious is the hardware. But it’s still the same issue with the CPU: it’s not trusted any more than the modem.

So basically, hardware kill switches are just as useful as software toggles on a Fairphone. Some people seem to make out the issue of privacy as this boolean, all-or-nothing sort of situation where either you keep all of your data private or it’s not worth worrying about privacy at all. The reality is that you should try to be as private as you want to be, but kill switches are mostly a way of showing others that you are very private, without actually doing anything to provide privacy.

2 Likes

I’m not sure this is the focus.
I’m sure some people just want to turn the camera or the mics off.

  • Ensure the camera is off whilst laying naked in the garden
  • Turn the mic off when I want to speak privately to someone in the room whilst I’m still on a video call

Hardware switches can do that

3 Likes

The same applies for any hardware that strictly collects data (i.e. doesn’t transmit): Software toggles are just as good. Maybe some people want the physical assurance that it’s off? Other than that, I don’t see how that’s any better than a switch in Android to turn off the camera/mic/etc. so that no apps can access it. The former is a large engineering complication when everyone could use the latter.

That requires OS reliance and is not as reassuring as a physical lens cover for example.

In certain situations I wouldn’t trust software.

That ‘one’ could use the software is not the point of the topic.

My main reason to start the dialogue about a kill switch for fairphone was to explore if the fairphone community is in favor of enabling the customer to increase choice and responsibility over his own device.

A kill switch contributes to this sense of control, because software has and will fail to deliver privacy. This can be the case of high profile people like Angela Merkel, or ordinary people like you and me who just want to get by and happen to live in the wrong country. In the last case, it was not even a secret service spying on them, but a company who sells their software around the world.

It is as simple as that: If I switch off my phone, my camera, my microphone, I want it to be REALLY off. A kill switch, and only a kill switch can provide that.

Am I a high profile human rights activist? No. Do I voice opinions and do I meet people whose actions undermine the interests of some powerful international companies? It doesn’t matter. If I don’t need to remove the battery before certain meetings because I have a kill switch, it’s less cumbersome. And I can still take my phone and check the public transport schedule on my way back.

Personally, I don’t see the point too much for the GPS, but rather camera, microphone and WiFi/Bluetooth/NFC.

Observations which worry me are the following:
State security agencies actively pursue surveillance of everyone (remember, most people are not criminal) and place huge power in the hands of few. The influence goes down to collaboration with hardware manufacturers to create loopholes or weaken encryption to facilitate access to communication as shown in the crypto leaks affair. The latter was not to find dangerous terrorists, it simply decrypted every customer’s communication and empowered NSA to read encrypted diplomatic communication of legal governments in plain. And this is not a war situation.
It simply seems that the current Empire seems to follow Friedrich Nietzsche in his Will to Power, rather than Viktor Frankl in his Will to Meaning. That’s all right.

As I understand it, the fairphone community wants to be held accountable and take responsibility for their impact on less powerful people in the supply chain. Likewise, they empower themselves with their purchase power by demanding e.g. increased transparency in situations in which they feel powerless (independent auditing, fairtrade standards).

More about the spy software here:

2 Likes

I’m all for a camera flap, but as has been stated, ‘a sense of control’ isn’t control. Would seem better to control my actions rather than hide them behind a switch.

So I’m fine with no kill switches.

It’s very easy to switch the data off, aeroplane mode, put it in my pocket. I really don’t have anything to hide.

I feel such switches would be a gimmick, gives the impression I have control ~ very dangerous.

I really cherish this discussion. Lovely pros and cons and a deeper dive, too.

If you ask about my opinion:
I love this idea of switches.
It would be simply a big plus from my very own point of view.

One thing (at least I think so) we all probably should have learnt within the past decade(s):
There’s always a way to bypass software.
Worst case it just takes a bit of time and effort … and it seems at least some guys around the globe got it.

Nevertheless Fairphone’s already on a very nice mission which I like to support.
Life’s about making decisions. Decisions may change over time so at the end of the day it’s up to Darwin: Survival of the fittest.

Security and privacy may not be the main target for Fairphone. Pretty good to understand since they’re already on a tough mission.

I’d really like to see also a bit more about sec&priv inside their philosophy in the future but summed up under the line there were also some other good arguments that made me get a FP

… just my few cents thrown into the pot :wink:

2 Likes


Dear FairPhone Design and Technical Team, and the Community,

As an avid supporter of the FairPhone brand and a passionate advocate for user privacy and control, I’ve been closely following the evolution of the FairPhone models and I am eagerly anticipating the release of the FairPhone 5.

One feature that I, along with many privacy enthusiasts, would greatly value in the upcoming model is the inclusion of hardware kill switches. Given FairPhone’s commitment to ethical, sustainable, and user-centric design, this addition seems like a natural progression.

In the next generation FairPhone:

  • Camera: Both front and rear cameras should have a kill switch.
  • Microphone: A dedicated switch to disconnect the microphone physically.
  • WiFi/Bluetooth: A combined switch to disable both.
  • Mobile Data (Modem): A switch to cut off cellular connectivity.

Kill switches can be placed on the side of the phone for easy access, perhaps using sliders or tiny toggles. They should be distinguishable from volume or power buttons, possibly by texture or size.

The switches can be seamlessly integrated, ensuring they don’t disrupt the phone’s aesthetic. Using sustainable materials for these switches, in line with FairPhone’s ethos, would be an added advantage.

Once a switch is toggled, the phone should provide instant software feedback. For instance, if the camera is disabled, the camera app could display a message saying “Camera physically disabled”.

The implementation of these hardware kill switches would not only provide an extra layer of security against potential cyber threats but would also solidify FairPhone’s stance on providing user control, aligning perfectly with the growing trend of tech users seeking higher privacy standards.

A kill switch feature would significantly enhance the appeal of the FairPhone 5 to an even broader audience. I trust that the FairPhone team will consider this suggestion.

Regards.

2 Likes
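
The hardware-switch versus software-toggle distinction argued over in this thread, and the "instant software feedback" asked for in the post above, can be checked on a Linux-based phone as in this added example, which is not part of any post here. It assumes the device reports its radios through the kernel's rfkill sysfs attributes (`hard`, `soft`), which the thread does not state for any phone, and the sample tree is constructed. The `hard` flag is itself reported by the kernel, so it is feedback about the switch, not independent proof of it.

```shell
#!/bin/sh
# Classify each radio as blocked by a physical switch ("hard"), blocked only by
# an OS toggle ("soft"), or unblocked, from the Linux rfkill sysfs attributes.
# Assumption: the phone runs Linux and its switches are wired to rfkill.

# rfkill_report [DIR] -> one line per radio: "<name> <type> <verdict>"
rfkill_report() {
    root=${1:-/sys/class/rfkill}
    for dev in "$root"/rfkill*; do
        [ -r "$dev/hard" ] || continue
        name=$(cat "$dev/name")
        type=$(cat "$dev/type")
        hard=$(cat "$dev/hard")
        soft=$(cat "$dev/soft")
        if [ "$hard" = 1 ]; then
            verdict=hard-blocked   # forced off outside the driver's control
        elif [ "$soft" = 1 ]; then
            verdict=soft-blocked   # OS toggle; privileged software can clear it
        else
            verdict=unblocked
        fi
        printf '%s %s %s\n' "$name" "$type" "$verdict"
    done
}

# radios_not_hard_blocked [DIR] -> names of radios software could still enable
radios_not_hard_blocked() {
    rfkill_report "$1" | awk '$3 != "hard-blocked" { print $1 }'
}

# Constructed sample tree standing in for /sys/class/rfkill (not real data).
make_sample_tree() {
    d=$(mktemp -d)
    mk() {  # mk <dir> <name> <type> <hard> <soft>
        mkdir -p "$d/$1"
        printf '%s\n' "$2" >"$d/$1/name"
        printf '%s\n' "$3" >"$d/$1/type"
        printf '%s\n' "$4" >"$d/$1/hard"
        printf '%s\n' "$5" >"$d/$1/soft"
    }
    mk rfkill0 phy0  wlan      1 0   # physical switch off
    mk rfkill1 hci0  bluetooth 0 1   # only a software toggle
    mk rfkill2 wwan0 wwan      0 0   # modem live
    printf '%s\n' "$d"
}

# Demo on the constructed tree; call rfkill_report with no argument on a device.
tree=$(make_sample_tree)
rfkill_report "$tree"
rm -rf "$tree"
```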
  1. Purpose of Fairphones:

    • While the primary goal of Fairphone is sustainability and fairness, user security and privacy should not be overlooked. A device that prioritizes sustainability and fairness can, and arguably should, also prioritize the privacy and security of its users.
  2. Kill Switches as a Trust Mechanism:

    • Trust in software is not binary, and while it’s true that kill switches are most effective when software is trustworthy, they can still serve as a physical security layer. The presence of hardware kill switches can give users a tangible control over their device’s features, irrespective of software trustworthiness.
  3. Requirements for Kill Switches:

    • It’s not realistic to expect every component of a device to be 100% trustworthy. Kill switches provide a failsafe against potential lapses in software or hardware security. Even if a malicious component tries to send data after being switched on, the time it’s off prevents any data transmission, providing at least temporary privacy.
  4. Google and Qualcomm Trustworthiness:

    • The critique against Android and Qualcomm is noteworthy, but this highlights the importance of kill switches even more. If users are concerned about the trustworthiness of their software, a kill switch offers an additional layer of defense.
  5. Modularity of Fairphone:

    • The modular nature of Fairphone can be an advantage. Users could have a kill switch for modules they might not fully trust, providing them the flexibility to control the functionality of those specific components.
  6. GNU/Linux as an Alternative to Android:

    • Offering alternatives like GNU/Linux is a step towards software trustworthiness, but relying solely on software solutions is not foolproof. Hardware kill switches can complement these software solutions, ensuring that privacy is maintained at both the software and hardware levels.
  7. Hardware Kill Switches vs. Software Toggles:

    • Comparing hardware kill switches to software toggles oversimplifies the issue. Hardware kill switches offer a tangible and immediate way to disable certain functionalities, irrespective of any potential software vulnerabilities or malfunctions.
  8. Privacy as a Spectrum:

    • While it’s true that privacy is not a binary concept, the presence of kill switches doesn’t necessarily equate to a mere show of privacy. They can be instrumental in providing real, tangible security benefits, especially in scenarios where software may be compromised.
2 Likes

By incorporating kill switches, Fairphone users can prevent unwanted tracking and monitoring of malicious activities. State security agencies and malicious actors sometimes exploit vulnerabilities in software to gain unauthorized access to devices. Kill switches serve as a powerful defense mechanism, providing users with peace of mind that their privacy remains intact even in potentially hostile environments.

Traditional methods of turning off certain features like the camera or microphone can sometimes be deceptive, as these components may still be active in a low-power or standby mode. Kill switches, on the other hand, offer a definitive way to ensure that these functionalities are entirely disabled, removing any ambiguity and guaranteeing user privacy.

The need for enhanced privacy is not limited to high-profile individuals or activists. All of us, ordinary individuals who cherish our privacy, deserve the confidence that our devices are secure and trustworthy. With a kill switch, we can have peace of mind that our data remains under our control, regardless of our status or location.

Kill switches can be seamlessly integrated into the Fairphone user interface, making them easy to use and readily accessible. By incorporating intuitive controls for activating and deactivating the kill switches, Fairphone can maintain its commitment to user-friendly interfaces while providing enhanced privacy features.