General Threats to User Freedom

From Kicksecure

Threats123123.jpg

User Freedom Threats[edit]

Since the inception of the four original essential software freedoms provided by Freedom Software, other issues have emerged such as:

Corporate Objectives[edit]

It is important to examine the objectives of the entities backing up a software project even if the code is apparently released under an open license. The impact on users' freedom in the future is at stake as a captive market is a winner takes all scenario. Consider the examples below.

Android[edit]

https://arstechnica.com/gadgets/2018/07/googles-iron-grip-on-android-controlling-open-source-by-any-means-necessary/

Mono: Microsoft's .NET Implementation for Linux[edit]

Mono was released under dubious language concerning patent assertion, allowing Microsoft to arbitrarily enforce them if advantageous. If there had been high adoption of Mono, it would have given Microsoft enormous leverage over the language's ecosystem. Fortunately, the libre community did not take the bait and shunned the framework. Even though the patent situation changed recently, the well had been poisoned. [5] The SCO patent trolling used by Microsoft as an attempt to kill off Linux in the 2000s was not forgotten.

GCC vs Clang-LLVM[edit]

LLVM [6] was initially heavily funded by Apple in retaliation for the GNU Compiler Collection (GCC) re-licensing under GPLv3. While the permissive licensing is technically libre, it allows companies to close up forks or mandate non-free plugins. This locks in users on hardware platforms which would usher in a new dark age for libre software development and porting, and also lead to significant security and trust issues.

This unscrupulous conduct by industry players was not possible for the longest time because re-inventing another compiler with the same feature-set and architecture support as GCC was cost prohibitive. The widely cited consensus is that the competition has had a healthy outcome for GCC, leading to improved error codes, performance and features like plugin support - albeit carefully, to prevent closed plugins from piggy-backing on the compiler. However, another aspect is that compiler-specific quirks act as a "network effect" whereby if one component of a project only works with LLVM, the rest of the project follows with no interest from the developers to fix bugs or work on compatibility with GCC. For example, Libreoffice (on Windows) is switching to Clang because the the Skia renderer will only compile with it. [7] Over time, this could drain resources from the copyleft GCC as corporations and distributions conclude it is not cost effective to contribute to a compiler with shrinking market share.

Chromium[edit]

Chromium greatly amplifies Google's influence and ability to impose their custom standards and protocols, including on web standards; the impacts on freedom are unconsidered. [8] Google repeatedly snub and bypass the W3C standard body especially when improvements to user privacy are proposed. [9] The features they design also make performance notably worse in competing browsers. [10] When released, the existing plan for new API limitations will prevent current and even possible future rewrites of adblockers.

No attempt to address these concerns have been made by the Chromium developers. [11] [12] Every Firefox installation provides Mozilla with a bit more leverage and diverts advertisement money from Google. The less people use Firefox, the less website creators will care to invest into developing websites for compatibility, thus killing it off indirectly. If Mozilla's revenue dies and they cease to exist, Tor Browser will also disappear - destroying a key component of the privacy ecosystem. The present Chromium engine is unsuitable for privacy projects because it cannot provide equivalent Firefox protections, and there is no willingness to change the design to accommodate such initiatives.

War on General Purpose Computing[edit]

There is a war on general purpose computing. More and more electronic devices sold nowadays are actually general purpose computers, but by default come with artificial restrictions that impede user control over the devices. The user gets only limited user rights to use the device. Administrative capabilities ("root rights") are purposefully withheld by the vendor.

Due to the denial of the ability to observe/modify what the vendor's code is doing, vendors:

  • prevent the user or community to fix issues or add new features,
    • For example if a stock Android device can no longer be started, without administrative rights it is impossible to analyze what is going on let alone fix it. [13]
  • perpetuate privacy violations,
  • force users to buy more expensive models to get features they could have obtained had they been able to unleash the the full potential of their already purchased devices.

Examples:

  • TVs:
  • PlayStation is actually a fully functional computer that could in theory run any program but in practice which programs or games can be run on it is solely decided by Sony, its producer.
  • Console mod-chippers busted in nationwide raids.
  • Restrictions in Mobile Devices: (#mobile_devices_restrictions)
    • An unreasonable restriction is all the bloatware (unwanted default installed applications) which is running on most people's phones nowadays which cannot many users would like to uninstall but lack the technical skill to do so due to great artificially introduced technically difficulties in doing so. Even if uninstallable in theory, there's the The Tyranny of the Default.
    • Most iPhone / Android phones restrict the freedom of the user to choose which programs can run on these devices.
      • Another unreasonable restriction is for example is Google's ban in Android Play Store of YouTube downloaders such as TubeMate.
      • Google bans adblockers that block adds in other apps from its Play Store.
      • YouTube Vanced was an alternative YouTube player.

        On March 13, 2022, the developers of YouTube Vanced announced that the application would be shut down after they received a cease and desist letter from Google, which forced the developers to stop developing and distributing the app.

        [14]
      • A YouTube downloader youtube-dl... Quote EFF:

        Recording Industry Association of America (RIAA) abused the Digital Millennium Copyright Act’s notice-and-takedown procedure to pressure GitHub to remove it.

        It was later re-instated thanks to help by EFF. [15]
      • Installation of apps without using the platforms official app store is sometimes still possible.
        • Google Android: The process of installing an app from sources other than Google Play is still possible for technically advanced users clicking through scary warnings.
        • Apple's iOS: Is even more restricted and does not permit installation of apps without the official iOS App Store.
        • Alternative app stores such as F-Droid are forbidden in Google Play Store as well as in Apple's iOS App Store. At least F-Droid can be installed by technically advanced users on Android but not on iPhone where the user is even more locked out.
      • For example, Apple rejected rejected an endmyopia app citing "medical diagnostic" from its App Store. Without App Store however on iOS devices, no applications can be installed. On iOS there is purposely not even a sideloding feature which is at least available on Google Android stock devices. In theory, devices could be jail broken but that harms security and then many other apps would refuse to run due to attestation.
      • Apple also bans torrent clients and emulators.
      • The unrestricted discussion software Telegram downloadable from Google Play Store or Apple App Store censors topics as the corporate overlords see fit. The Freedom Software version of Telegram downloadable from the Telegram website, web version web.telegram.org as well as downloadable from F-Droid, the Free and Open Source Android App Repository does not have these restrictions.
      • Apple bans GPL licensed software from its app store.
      • Apple banned developers who created software that allowed to disable artificial user freedom restrictions on iPhone devices.
      • These phones are often packaged with spyware installed by default, which cannot be removed.
  • Most phones that are sold by mobile carriers or manufacturers have locked bootloaders which are prohibiting the user from installing alternative operating systems which are not certified by the hardware vendor. For example:
    • The Microsoft Surface RT/2 tablet comes with Windows 8.1 which is nowadays outdated and a locked bootloader. It cannot be updated to Windows 10 or to alternative operating systems such as Linux. [16] Using a jailbreak and lengthy complicated instructions it might be possible. [17]
    • QZ: Google can still use Bluetooth to track your Android phone when Bluetooth is turned off
    • How Google--and everyone else--gets Wi-Fi location data
      • How it works, according to Google, is that the Android Location Services periodically checks on your location using GPS, Cell-ID, and Wi-Fi to locate your device. When it does this, your Android phone will send back publicly broadcast Wi-Fi access points' Service set identifier (SSID) and Media Access Control (MAC) data. Again, this isn't just how Google does it; it's how everyone does it. It's Industry practice for location database vendors.

    • AP Exclusive: Google tracks your movements, like it or not
      • Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to. An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so. Computer-science researchers at Princeton confirmed these findings at the AP’s request.

    • There may be rare exceptions to this rule, hence "most" and not "all". These exceptions are not the point which shall be made in this comparison. See also Android Privacy Issues and User Freedom Restrictions.
    • In summary, both, restrictions on applications which can/cannot be installed as well as which can/cannot be uninstalled are imposed. People are conditioned into more software freedom restrictions.
  • UEFI SecureBoot is another stumbling stone which makes installation of Freedom Software operating systems as a replacement for Microsoft Windows more difficult on the Intel / AMD64 ("PC") computers.
  • Out-of-band Management Technology can easily subvert user security and control over their machine if running an open alternative is not feasible.
  • Sophisticated civilian accessible drones running software which restricts where it can fly.
  • Cellphone Base-band firmware is not modifiable by the user which prevents updating for security patches once the manufacturer abandons the device.
  • Google banned AGPL licensed software from its code hosting platform. Google has an anti-AGPL policy.

People are reduced to vassals in this relationship involving them and the hardware vendor. For more examples consult Chapter User Freedom Threats to see how some technologies are abused to restrict user freedom.

The fact, that highly technical people are sometimes capable of circumventing some of these technical restrictions, if sufficiently motivated, is besides the point as the censor has succeeded in accomplishing their objective of blocking the majority of the population who do not have a sophisticated knowledge of technology. The root issue is, there is a lock and the vendor refuses to give the key to the user. That root issue does not go away by breaking the lock. Big, most hardware vendors locking down devices is a far more important, powerful movement than a few hackers that can sometimes circumvent technical restrictions in a cat and mouse game which would be lost eventually by the hackers. For example Google's SafetyNet hardware attestation is currently unbreakable. Quote GrapheneOS on Banking apps:

GrapheneOS doesn't attempt to bypass the checks since it would be very fragile and would repeatedly break as the checks are improved. Devices launched with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities so the era of being able to bypass these checks by spoofing results is coming to an end regardless.

The trend is clearly going into the direction of the general population of loosing access to general computing rather than gaining more freedom. It won't be happening today, tomorrow or next year. It's a gradual long term trend.

For most device classes (phones, tablets, TVs) the freedom of general computing was already lost without an awareness of the war on general computing. The freedom of general computing remains only on some desktop computers and servers.

Desktop computer's are under attack too with Microsoft's Restricted Boot ("Secure Boot") feature. Restricted Boot did not prevent booting alternative operating systems yet but novice users must either use operating systems who's bootloaders were permitted by Microsoft (suddenly Microsoft is in control which operating system can run) or click through scary security warnings when disabling the restricted boot feature in the BIOS through a procedure in the BIOS which is complicated for non-technical users. With another option of deploying one's own keys which is even more complicated.

Alternative operating systems such as Linux distributions are going into a similar long term direction with Sigstore and the long term vision on image-based OSes with modernized security properties built around immutability. While there are probably good intentions and strong technical advantages for going into that direction (recovery mode boot, factory reset, Verified Boot), the result of requiring to enable a developer mode to be able to modify arbitrary files on the disk, would make it trivial to switch from freedom (unlocked) to non-freedom (locked).

Once most devices are locked down, the few remaining libre compatible options could either be pressured to lockdown by economies of scale (corporations requesting digital restrictions management (DRM) in their hardware and would make custom hardware batches exorbitantly expensive and out of reach), or through outright bans by politicians mandating proprietary, surveillance friendly operating systems, citing the Four Horsemen of the Infocalypse. These would then effectively control which applications can be run.

See also,

Users should own your hardware as well as their software. Avoid non-freedom software. Avoid locked hardware. Use Freedom Software. When purchasing new devices, the user should check:

  • Will I get full administrative rights ("root rights") yes or no?
    • Or is the device at least rootable?
  • Is the bootloader unlocked?
    • Or is the bootloader at least unlockable?

Device Attestation such as SafetyNet[edit]

Many apps nowadays are tapping into Google's SafetyNet. Using SafetyNet allows apps to check and refuse to run on user modified devices running custom operating systems that are freed from spyware, bloatware that comes by default with most Android devices from mainstream OEMs.

SafetyNet is a certification that the device is not modified compared to a state authorized by Google. Google only certifies devices for SafetyNet if these comply with Google's "Android compatibility tests". [19] At minimum Google Play Services need to be running to be eligible for certification. Installed Google Play Services however lead to massive data snooping by Google.

It guarantees "security" not for the user but for the app developer. Many essential applications that does not exactly conform to Google's mandates refuse to run.

Device attestation is a worldview where apps should only be able to operate on the user's device without user or researchers having the ability to audit or stop what the application is doing - such as inspecting what data it is harvesting and phoning home.

Affected are most banking apps, streaming services, some transportation app and messengers (Snapchat).

Device Attestation such as SafetyNet is part of the War on General Purpose Computing.

Conflict of Interest[edit]

There is a conflict of interest between operating system vendors (stock ROM), custom operating system developers (custom ROM), application developers and users. This is a non-comprehensive list of interest of various parties.

What many users want to avoid:

Harvested personal information and user data is used to build a model of the user. That model is then used to manipulate the user such as to influence purchase and political decisions. That data is then sold and resold forever. The stolen data is then used against the user in many immoral ways. Once the data leaves the device, the user looses all control over it and the user will never be able to reign it again. Once leaked, never deleted.

Many users want:

  • Privacy:
    • Knowledge, control and minimization of data collection, snooping, espionage and data leaks the operating system and applications.
    • Prevent applications camera and/or voice recording them without their knowledge and consent, tracing their location history, exfiltration of contacts, media, messages and documents.
    • Prevent future data breach and their personal data leaked to third-parties.
  • Control: Have a basic understanding of and control what their devices are doing and limit applications to their purposes.
  • Audit: Verify that applications are only doing what they say and what is expected from them.
  • Customization: Application modifications such as for example patching the YouTube application on Google Android to enable background play.

Many application developers want:

  • Copyright protection: Allow the user to stream/watch media (such as Netflix), but prohibit retaining or sharing the media with others under reasonable fair use assumptions.
  • Data collection: As much information as possible is extracted (location, call history, browsing history, viewer history and much more) for the purpose of surveillance, market research, advertising, better prediction of user behavior and profit maximization.
  • Secrecy: Prevent the user from learning details on what exactly the application is doing.
  • Integrity: Prevent the user from making modifications to the application. Examples include
    • Google Android's YouTube app restriction (for freemium users) on playing audio in the background while the device's screen locker is enabled.
    • Freemium games want to prevent users getting items or playing levels which would otherwise only be accessible to paying customers.
    • Multi-player games want to to prevent cheating in online games.
    • Banking apps want to confirm that the security model is intact to prevent fraud. It desires to check that no other installed applications can read to or write from the banking app's dedicated storage folder as well as that no malicious kernel module or other malware is running that could steal the user's login credentials or make unauthorized transactions.

Most operating system vendors for mobile devices (stock ROM) want:

  • Adoption: Many users as possible to increase profit.
  • Attractiveness for application developers: Many application developers to provide applications for their platform to attract more users.
  • Security: Prevent any malicious and unapproved party from establishing a foothold in their ecosystem.

Some custom operating system vendors for mobile devices (custom ROM) want:

  • Similar to most operating system vendors.
  • Hardware deals: Getting recognition by a hardware producer that would pay for continued development and adjustment for their custom operating system.

Sigstore[edit]

Sigstore [20] [21] [22] [23] is an industry-led initiative to create a chain of trust for software with the objective of accomplishing something similar to what Let's Encrypt had done for website TLS certificates. At face value, having a curated transparency log for all Linux software and enforcing that only digital signature signed processes run (as part of Verified Boot) seems good, but the devil is in the details. A developer would need to authenticate with an OpenID Connect (OIDC) provider such as Google or GitHub to verify ownership of their email address and possession of previously generated keys. This centralizes trust and would make it trivial for these corporations to censor publishing code they find disagreeable as they are the self-appointed gatekeepers of verification.

An example of software banned by github includes youtube-dl, a YouTube video download utility (homepage, wikipedia). As torrentfreak reported, GitHub Warns Users Reposting YouTube-DL They Could Be Banned. As mentioned in Wikipedia, this was due to a request by the Recording Industry Association of America (RIAA). Fast forward, youtube-dl is now available again on github but this just one of many examples that there are issues.

Publisher anonymity may become impossible as most of the aforementioned entities require invasive proof of identity to allow signing up to their services. While the governance structure allows for multiple developers from different companies to play key roles in a rotating fashion, it is questionable how independent they can really be if pressure comes to bear on following certain orders or risk losing employment or promotion.

Hence it is reasonable to conclude that Sigstore will play a role in the War on General Purpose Computing and further limit which devices laymen users can run programs on without restrictions imposed by the operating system vendor. It might result in as a subversive attempt by corporate interests to create a walled garden that allows only certain "approved code" to run on Freedom Software systems as opposed to the decentralized distribution repository system that all Linux desktop distributions are using nowadays.

Such a design also raises questions about the integrity of the transparency log should one of the OpenID providers become compromised. Freedom Software developers and operating system maintainers would do well to steer clear from Sigstore.

Freedom vs Tyrant Security[edit]

Table: Freedom (Open Source) Security [24]

Category Description
Disk Encryption Disk encryption keys are under the sole control of the user.
End-to-end (E2E) Encryption End-to-end encryption keys are under the sole control of the user.
Security Features Security features are available which do not intentionally restrict user customization.
User Freedoms User freedom restrictions are intentionally minimized.

Table: Tyrant Security

Category Description
Default Privacy, Security and Customization Settings
  • These devices have privacy-intrusive default settings that most users are unaware of and which cannot be disabled.
  • In most cases the user cannot choose the vendor they wish to install (security) upgrades from.
  • Customization of these devices is also limited. For example, many pre-installed applications (often referred to as "bloatware") cannot be uninstalled or at least be hidden from view.
Definitions
  • Tyrant: The Free Software Foundation (FSF) uses the word "tyrant" and has defined it in this article. It refers to devices that refuse to allow the user to modify the software or run what they please. This definition approximates the way it is used in this entry.
  • Anti-features: A feature that a fully aware user would rather not have. The F-Droid project has a nice catalog of undesirable software behaviors, however a few items might be pushing the boundaries of a true anti-feature.
Operating System Selection
  • The freedom to modify the underlying operating system is restricted.
  • Vendors force users who want greater system control to run exploits or jail-breaking suites from untrusted origins, which endangers the integrity of personal devices.
  • While the security provided by unauthorized third parties might be good, security from the vendor itself is poor. This is further elaborated here: Android Privacy Issues and User Freedom Restrictions.
Security Technologies
  • Many popular device operating systems utilize security technologies which undermine the security of the user against meddling and surveillance by the vendor, while suppressing user freedoms. A classic example is most Android phones and iPhone devices.
  • Although an over-simplified argument, users of forks based on the Android Open Source Project (AOSP) and security/privacy-focused Android forks (like GrapheneOS), are exempt from the criticisms in this section. [25] These operating systems include many security features to keep users safe from unauthorized third parties outside the ecosystem of the vendor.

See Also[edit]

Footnotes[edit]

  1. Tivoization is the creation of a system that incorporates software under the terms of a copyleft software license (like the GPL), but uses hardware restrictions or digital rights management to prevent users from running modified versions of the software on that hardware. Richard Stallman coined the term in reference to TiVo's use of GNU GPL licensed software on the TiVo brand digital video recorders (DVR), which actively blocks users from running modified software on its hardware by design.

  2. Antifeatures are flags applied to applications to warn of issues that may be undesirable from the user's perspective. Frequently it is behavior that benefits the developer, but that the end user of the software would prefer not to be there.

  3. https://f-droid.org/en/docs/Anti-Features/
  4. Digital rights management (DRM) tools or technological protection measures (TPM) are a set of access control technologies for restricting the use of proprietary hardware and copyrighted works. DRM technologies try to control the use, modification, and distribution of copyrighted works (such as software and multimedia), as well as systems within devices that enforce these policies.

  5. https://en.wikipedia.org/wiki/Mono_%28software%29#Mono_and_Microsoft's_patents
  6. The LLVM compiler infrastructure project is a collection of modular, reusable compiler and toolchain technologies.
  7. https://www.phoronix.com/news/LibreOffice-Needs-Windows-Clang
  8. https://robert.ocallahan.org/2014/08/choose-firefox-now-or-later-you-wont.html
  9. https://www.bloomberg.com/news/articles/2019-09-24/google-blocks-privacy-push-at-the-group-that-sets-web-standards
  10. https://arstechnica.com/gadgets/2018/12/the-web-now-belongs-to-google-and-that-should-worry-us-all/
  11. https://mspoweruser.com/google-may-make-adblocking-impossible-on-edge-and-chrome/
  12. https://bugs.chromium.org/p/chromium/issues/detail?id=896897&desc=2#c23
  13. In such situations often bootloader unlock is also impossible because that often requires a device that is still bootable. Even when unlocking the bootloader, user data is deleted which might have been the cause for the boot issues.
  14. https://github.blog/2020-11-16-standing-up-for-developers-youtube-dl-is-back/
  15. Quote eff.org:

    The initial Board of Directors included John Perry, Mitch, John, Steve and Stewart Brand.

  16. Quote https://developer.android.com/training/safetynet/attestation

    The SafetyNet Attestation API provides services for determining whether a device running your app satisfies Android compatibility tests.

  17. https://www.sigstore.dev
  18. https://martinheinz.dev/blog/55
  19. https://martinheinz.dev/blog/56
  20. https://forums.whonix.org/t/sigstore-for-improving-verification-of-downloads/11536
  21. Freedom Software / Open Source.
  22. Unfortunately, perhaps 99% of laymen utilize stock operating systems with their phone.


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.