=Description=
When it comes to permanently connected computers, knowing and limiting what is being sent to a third party and what your computer is doing for a third party become a major concern. In fact, [[ https://www.nytimes.com/2018/12/29/opinion/tech-2018-trends-2019-predictions.html | privacy is the new challenge]] for Free Software. As stated by open source users, **security** ranks as the second priority, after **stability**, and **transparency** ranks as fifth priority for //"what open source users value in software"// (1) . **Security can't be dissociated with privacy because if it isn't secure, it can't be private.**
Providing a perfectly secure and privacy compliant system may be a overwhelming project, but it must be a direction in witch we move forward to. As users gets more exposed to privacy and security features, they will develop a better awareness of it and with time become more proactive in securing their system and protecting their information. [[ https://teachprivacy.com/10-reasons-privacy-matters/ | Users and developers should care about privacy. ]]
As open source operating systems are gaining more popularity, they are adapting in accommodating less tech savvy users. Users are now expecting better control of their computers without all the hassle of hard learning curves. As KDE can be considered a major and one of the leading desktop environment (getting first place is some [[ https://www.reddit.com/r/linux/comments/879ram/poll_which_desktop_environment_do_you_use_on_your/ | reddit user survey]] and [[ https://opensource.com/article/17/5/linux-desktop-environment-poll | opensourcesurvey]]), it has a broader reach and probably a larger spectrum of technically enthusiast users. As such, KDE is in a unique position to offer users a complete software environment that helps them to protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy on top of the agenda, arguably, being in this position, KDE has the obligation to do this, in the interest of the users.
===There are many ways user may have their privacy violated, most notable are : ===
- Passively collected data (ie: when accessing a service)
- Insecure communication (unencrypted packets ie: http and public wifi)
- Global surveillance and mega corporations
- Targeted Surveillance (politically motivated or industrial espionage)
- Actively collected data (by a running application or being monitored from a backdoor)
- Security breach of your system or of a [[ https://www.caprice-community.net/tribute-to-privacy-leaks-the-21-scariest-data-breaches-of-2018/ | company ]] that has your information
- A virus, a worm, a trojan or malware
- A software bug/vulnerability that leads to an exploit
- Rogue local software
- Stolen device
- Physical intrusion
===Aggregating those information may lead to :===
- Possible to identify you personally and where you live ([[ https://www.nytimes.com/2006/08/09/technology/09aol.html | AOL user No. 4417749 ]])
- Know sensible information as health, political opinions, religion beliefs, sentimental life ...
- Targeted publicity and/or attempts to influence your opinions ([[ https://www.theguardian.com/technology/2018/mar/19/facebook-political-ads-social-media-history-online-democracy | the dark art of political advertising online ]])
- Be discriminating or prejudicial; ([[ https://www.smartdatacollective.com/big-data-privacy-issues-worry-every-internet-user/ | unintentional ]] or not; [[ https://www.theguardian.com/technology/2014/may/10/job-hunting-big-data-interview-algorithms-employees | affect job hunting ]])
- Building a psychological profile of you and know your habits
- Used for profiling and blackmailing
- Risk of exposing strategic commercial information or strategic [[ https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases | gouvernemental ]] information
- Risk of being stolen by criminals
- Risk of identity theft
- Risk of being used by trolls and online abusers
- **Certainty of your information being used somehow by someone without you knowing it**
==KDE is expected to:==
* Offer users the tools to protect privacy and to lead a private and safe digital life without compromising their identity, exposing their habits and communications.
* Setting a high standard and example for others to follow, define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and eco-system to protect users privacy better.
==Current ways to protect privacy and security==
- Open Source Software [[ https://www.govtech.com/security/Is-Open-Source-Software-More-Secure.html | "proponents say constant peer review creates more secure applications" ]]
- [[ https://en.wikipedia.org/wiki/Secure_by_design | Security by design ]]
- Secure screen saver and user password
- Up to date system and software
- Secure and encrypted connections (ssh, vpn, wireguard)
- Data encryption at rest
- Chkrootkit and antivirus
- Firewall
- SELinux or AppArmor
- [[https://github.com/0xPoly/Centry | Panic button]] in case of intrusion
- Virtualization and containers
- Inspection of what an application ///can do/// and ///has done///
... (Submit any missing) ...
=What it will take=
==Virtualization and containers are the way to the future==
Virtualization and containers are gaining popularity while not really integrated in the graphical user interface as they are relatively new. They also have their own [[ https://meltdownattack.com/ | challenges]] while addressing certain preoccupations related to security and privacy.
They do offer an easy approach to isolate and secure :
- closed source software
- poorly written software
- software that provides large window of attack (email, web browser, etc.; expected to open and execute code that may be malicious).
One such brilliant example is how [[ https://www.qubes-os.org/ | QubesOS ]] integrated the management and visual representations of containers in their custom XFCE. This should be used as a reference on how KDE could evolve to present containerized applications. With the augmentation of AppImage, Flatpak and Snaps distributed application and games, plus the proliferation of [[ https://en.wikipedia.org/wiki/List_of_Linux_containers | containers]], **we can be sure that they are here to stay and KDE must take consideration how it can be integrated and managed**.
Virtualization tools like VmWare and Virtualbox provide ways to disable clipboard sharing easily while containers still require manual command lines arguments to enable/disable them. KDE should provide an universal way of setting those features for GUI applications from the taskbar and in **System Settings** panel.
==Secure by design==
Adopt strict guidelines for KDE framework and application considering that "malicious practices are taken for granted and care is taken to minimize impact in anticipation of security vulnerabilities" (Wikipedia). This includes, but not limited to :
- Have a way to limit and control access to sensible information like identity and credentials.
- Have a way for applications to integrate a system tray icon without it knowing anything else about your system.
- Have a way to limit applications access to memory or functions not deemed needed (ie: reading clipboard/inputs without user consent)
- Have a way to check checksum/signatures of binary files before execution to prevent malicious code injection.
- Make sure all KDE applications are maintained and that code is often reviewed.
==Strong privacy respecting defaults==
* Only collect and send data when necessary and clear and sensible from within the context and using a vetted privacy-preserving methods (e.g. [[ https://github.com/google/rappor | rappor ]] which is used by Chrome and Firefox). No hidden telemetry sending user stats, not HTTP connections downloading content, no search queries to online services without the users explicit consent (or where it's entirely clear from the context, e.g. web browsers, software updater, etc.).
* Use anonymity where it is possible, for example by using Tor connections for things like telemetry and weather updates which don't require third party user identification (because we cannot control third party services and if they will behave)
* No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
* Privacy-preserving defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk to that should be clear, either from context or explicitly stated.)
* Use clear and consistent UI and design language around network-related options
==Offering the Right Tools==
KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:
* An email client allowing encrypted communication
* Chat and instant messaging with state-of-the art protocol security (Signal Protocol and derivatives like Briar and Matrix)
* A web-browser that has private default settings
* Allow users to easily scrub metadata from files (e.g. dolphin integration of [[ https://tails.boum.org/blueprint/doc/mat/ | MAT]])
* Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
* Support for online services that can be operated as private instances, not depending on a 3rd party providers
* State-of-the-art support and integration for projects like Tor, MAT, [[ http://www.thc.org | secure-delete ]] tools, etc.
* Password creation and sync across devices (Like Keepassx and Firefox sync together)
- Provide GUI applications for command line driven or config file driven security tools.
===For short term, KDE should focus on endorsing and promoting security and privacy :===
- Adopt a **//privacy, security and transparency pledge//**. See [[ https://www.securitypledge.com | this example ]].
- Ask that official KDE applications and contributors adopt and conform to the **//privacy, security and transparency pledge//**.
- Have a general security audit of KDE applications (are them maintained and using up to date libraries?; see @dvratil's comment on legacy code in T11069)
- Promote security and privacy as an integral part of KDE ecosystem.
===For medium term, KDE should focus on providing general security and privacy :===
- Integrate command line [[ https://www.fossmint.com/best-security-tools-for-linux/ | security]] tools in KDE
- Make it possible for users to audit the security of their system in a simple and convenient way.
- **Ksysguard** should expose more about applications and provide some profiling and logging mechanism.
- Better **identity** and **credential** management with possibility to restrict and monitor application usage (see discussion in T11069).
- Review how KDE share information with applications; what are the implications of running malicious code and how could KDE help minimize damage by integrating restrictions.
- Guaranty quick turn-around times for software updates, especially security fixes
- Put in place strong privacy respecting defaults.
- Developing a full featured section called **Security** in KDE's** System Settings**.
- Add a "Audit my system" under "**Security**" in **System Settings**.
===For long term, KDE should focus on conceptualizing how they want to deeply ingrain security and privacy :===
- Put in place a functioning code-review and regular security audits for KDE framework and KDE applications.
- Start to plan and consult users on how to integrate the next generation of security and privacy options in KDE ecosystem for containerized and isolated (sandboxing) applications.
- How to provide a way of knowing where an application is residing (native, container, flatpak, snap, appimage, remote)
- How to provide a way to modify on the fly an application rights/privilege (keyboard, mouse, disk, network, gpu, etc.)
- How to manage all containers that have access to the GUI (be up to date,
- Moving away from inherently insecure technologies and using more secure technologies
- How to develop set of tools to be bundled in KDE for inspecting an application in a convenient and easy way (GUI).
- Develop an **KDE Inspector** application that can provide information on a running task, the process list it is associated with and a log of privilege usage. Initially it would be about open/change of files/devices and internet connectivity monitoring. Things like reading keyboard input while not in focus should also be noted.
===Audit my system===
It should provide a security score after checking presence or absence of features.
- Ex: Disk encryption, Firewall, VPN/Wireguard/Proxy, opened ports, locked screen saver (laptop vs workstation), lunch applications in containers, most used applications adhere to **KDE privacy statement** or have a similar statement ...
The score should be valid for the current year as the scoring values should be updated yearly (elements and values) and be inspired by security audit tools already available.
Static and run-time analysis tools integrated into KDE, such as:
- KDE Inspector
- Wireshark
- gdb
- [...]
Use already available libraries :
- lsof
- sockets
- [...]
===KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:===
* Mozila Open Source Support https://www.mozilla.org/en-US/moss/secure-open-source/
* Open Crypto Audit https://opencryptoaudit.org/
* Cure52 https://cure53.de/
* Least Authority https://leastauthority.com/
* NCC Group https://www.nccgroup.trust/
* Radically Open Security https://radicallyopensecurity.com/
* Trail of Bits https://www.trailofbits.com/
===KDE software can be audited for compliance with common, security related standards, such as:===
* NIST Cybersecurity Framework (NIST CSF)
* ISO 15408
* RFC2196
* Cyber Essentials (UK Government Standard)
=How we know we succeeded=
- KDE adopt a **//privacy, security and transparency pledge//**.
- KDE Framework audited by at least one organization or authority.
- All applications and KDE framework adopt **Secure by design** guidelines.
- KDE is known as a secure and privacy oriented desktop environment.
- KDE has put in place many security functions for developers and users and they are being used.
- When users work on improving their system security score and asking more questions about security and privacy.
==="Soft" criteria include:===
* Press and 3rd party refer to KDE as carrying the //gold-standard// for such software
* Journalists prefer KDE software for their work
* The NSA hates KDE
* The CCC loves KDE ♥
=Relevant links=
* General reading about cyber security standards: https://en.wikipedia.org/wiki/Cyber_security_standards
* NIST CSF: https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
* RFC2196: https://tools.ietf.org/html/rfc2196
* Tor Project: https://www.torproject.org
* https://reproducible-builds.org/
* https://trustable.gitlab.io/
* http://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-anonymity-by-default/
* https://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-privacy-by-default/
* Schneier On Security; advocate, security professional: https://www.schneier.com/
* Security pledge. https://www.securitypledge.com
* https://www.qubes-os.org/
* Wikipedia, Secure by design. Source : https://en.wikipedia.org/wiki/Secure_by_design
=I am willing to put work into this=
* Andre Heinecke (@aheinecke)
* Bhushan Shah (@bshah)
* Ivan Čukić (@ivan)
* Jens Reuterberg (@jensreuterberg)
* Martin Flöser (@graesslin)
* Sandro Knauß (@knauss)
* Sebastian Kügler (@sebas)
* Valorie Zimmerman (@valorie) (writing, promo)
* Volker Krause (@vkrause)
=I am interested=
* Adrián Chaves (@adrianchavesfernandez)
* Aleix Pol
* Frederik Schwarzer
* Gregor Mi (@gregormi)
* Jacky Alcine (@jackyalcine)
* Lays Rodrigues (@laysrodrigues)
* Marco Martin (@mart)
* Nathaniel Graham
* Neofytos Kolokotronis (@neofytosk)
* Nicolas Fella (@nicolasfella)
* Olaf Schmidt-Wischhöfer
* Rishabh Gupta
* Sagar Hani (@sagarhani)
* Scott Harvey (@sharvey)
* Thomas Pfeiffer