KDE prioritizing privacy and security as an integral part of KDE ecosystem
Open, Needs TriagePublic

Description

Description

When it comes to permanently connected computers, knowing and limiting what is being sent to a third party and what your computer is doing for a third party become a major concern. In fact, privacy is the new challenge for Free Software as it is for internet users. As stated by open source users, security ranks as the second priority, after stability, and transparency ranks as fifth priority for "what open source users value in software". Security can't be dissociated with privacy because if it isn't secure, it can't be private.

Providing a perfectly secure and privacy compliant system may be a overwhelming project, but it must be a direction in which we move forward to. As users gets more exposed to privacy and security features, they will develop a better awareness of it and with time become more proactive in securing their system and protecting their information. Users and developers should care about privacy.

As open source operating systems are gaining more popularity, they are adapting in accommodating less tech savvy users. Users are now expecting better control of their computers without all the hassle of hard learning curves. As KDE can be considered a major and one of the leading desktop environment (getting first place is some reddit user survey and opensourcesurvey), it has a broader reach and probably a larger spectrum of technically enthusiast users. As such, KDE is in a unique position to offer users a complete software environment that helps them to protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy on top of the agenda, arguably, being in this position, KDE has the obligation to do this, in the interest of the users.

There are many ways user may have their privacy violated, most notable are :

  • Passively collected data (ie: when accessing a service)
    • Insecure communication (unencrypted packets ie: http and public wifi)
    • Global surveillance and mega corporations
    • Targeted Surveillance (politically motivated or industrial espionage)
  • Actively collected data (by a running application or being monitored from a backdoor)
  • Security breach of your system or of a company that has your information
    • A virus, a worm, a trojan or malware
    • A software bug/vulnerability that leads to an exploit
    • Rogue local software
    • Stolen device
    • Physical intrusion

Aggregating those information may lead to :

  • Possible to identify you personally and where you live (AOL user No. 4417749)
  • Know sensible information as health, political opinions, religion beliefs, sentimental life ...
  • Targeted publicity and/or attempts to influence your opinions (the dark art of political advertising online)
  • Be discriminating or prejudicial; (unintentional or not; affect job hunting)
  • Building a psychological profile of you and know your habits
  • Used for profiling, blackmailing and extortion
  • Exposing strategic commercial information or strategic gouvernemental information
  • Being stolen by criminals, used by trolls or online abusers
  • Identity theft
  • Certainty of your information being used somehow by someone without you knowing it

KDE is expected to:

  1. Offer users the tools to protect privacy and to lead a private and safe digital life without compromising their identity, exposing their habits and communications.
  2. Setting a high standard and example for others to follow, define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and eco-system to protect users privacy better.

Current ways to protect privacy and security

What it will take

Secure by design

Adopt strict guidelines for KDE framework and application considering that "malicious practices are taken for granted and care is taken to minimize impact in anticipation of security vulnerabilities" (Wikipedia). This includes, but not limited to :

  • Have a way to limit and control access to sensible information like identity and credentials.
  • Have a way for applications to integrate a system tray icon without it knowing anything else about your system.
  • Have a way to limit applications access to memory or functions not deemed needed (ie: reading clipboard/inputs without user consent)
  • Have a way to check checksum/signatures of binary files before execution to prevent malicious code injection.
  • Make sure all KDE applications are maintained and that code is often reviewed.

Strong privacy respecting defaults

  • Only collect and send data when necessary and clear and sensible from within the context and using a vetted privacy-preserving methods (e.g. rappor which is used by Chrome and Firefox). No hidden telemetry sending user stats, not HTTP connections downloading content, no search queries to online services without the users explicit consent (or where it's entirely clear from the context, e.g. web browsers, software updater, etc.).
  • Use anonymity where it is possible, for example by using Tor connections for things like telemetry and weather updates which don't require third party user identification (because we cannot control third party services and if they will behave)
  • No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
  • Privacy-preserving defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk to that should be clear, either from context or explicitly stated.)
  • Use clear and consistent UI and design language around network-related options

Offering the Right Tools

KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:

  • An email client allowing encrypted communication
  • Chat and instant messaging with state-of-the art protocol security (Signal Protocol and derivatives like Briar and Matrix)
  • A web-browser that has private default settings
  • Allow users to easily scrub metadata from files (e.g. dolphin integration of MAT)
  • Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
  • Support for online services that can be operated as private instances, not depending on a 3rd party providers
  • State-of-the-art support and integration for projects like Tor, MAT, secure-delete tools, etc.
  • Password creation and sync across devices (Like Keepassx and Firefox sync together)
  • Provide GUI applications for command line driven or config file driven security tools.

Virtualization and containers are the way to the future

Virtualization and containers are gaining popularity while not really integrated in the graphical user interface as they are relatively new and more used in the cloud space. They also have their own challenges while addressing most preoccupations related to security and privacy.
They do offer an easy approach to isolate and secure :

  • closed source software
  • poorly written software
  • software that provides large window of attack (email, web browser, etc.; expected to open and execute code that may be malicious)

Using containers to sandbox an application can drastically improve security. The application may be imposed restrictions and be isolated from the rest of the computer, but it share the same kernel as your other applications. An other advantage is that it can be "reset" and it will always return to a clean state every time the application is restarted.
The current challenge is that there is no universal GUI or interface to those containers and all configuration is done by scripts. With the augmentation of AppImage, Flatpak and Snaps distributed application and games, plus the proliferation of containers, we can be sure that they are here to stay and KDE must take consideration on how it can be integrated and managed.

Virtualization is running a full blown separate operating system leveraging special instructions (Intel-VT or AMD-V) to have a host run an hypervisor.
One such brilliant example is how QubesOS integrated the management and visual representations of XEN VMs in their custom XFCE GUI. By the way, QubesOS was implemented in KDE up to version R3.2. Their work should be used as a reference on how KDE could evolve to present containerized applications in a meaningful way.

Virtualization tools like VMware and Virtualbox provide ways to disable clipboard sharing easily while containers still require manual command lines arguments to enable/disable them. KDE should provide an universal way of setting those features for GUI applications from the taskbar and in System Settings panel.

Proposed KDE security and privacy roadmap:

For short term, KDE should focus on endorsing and promoting security and privacy :

  • Adopt a privacy, security and transparency pledge. See this example.
  • Ask that official KDE applications and contributors adopt and conform to the privacy, security and transparency pledge.
  • Have a general security audit of KDE applications (are them maintained and using up to date libraries?; see @dvratil's comment on legacy code in T11069).
  • Promote security and privacy as an integral part of KDE ecosystem.

For medium term, KDE should focus on providing general security and privacy :

  • Integrate command line security tools in KDE
  • Ksysguard should expose more about applications and provide some profiling and logging mechanism.
  • Better identity and credential management with possibility to restrict and monitor application usage (see discussion in T11069).
  • Review how KDE share information with applications; what are the implications of running malicious code and how could KDE help minimize damage by integrating restrictions.
  • Guaranty quick turn-around times for software updates, especially security fixes.
  • Put in place strong privacy respecting defaults.
  • Developing a full featured section called Security in KDE's System Settings.
  • Add a "Audit my system" under "Security" in System Settings that make it possible for users to audit the security of their system in a simple and convenient way.

For long term, KDE should focus on conceptualizing how they want to deeply ingrain security and privacy :

  • Put in place a functioning code-review and regular security audits for KDE framework and KDE applications.
  • Start to plan and consult users on how to integrate the next generation of security and privacy options in KDE ecosystem for containerized and isolated (sandboxing) applications.
  • Moving away from inherently insecure technologies and using more secure technologies.
  • How to develop set of tools to be bundled in KDE for inspecting an application in a convenient and easy way (GUI).

Ways to go

Audit my system

Providing users with a simple way to audit their system and provide a security score after checking presence or absence of features. This will allow users to compare their system to relevant security profile and know how secure they could consider their system.

  • Ex: Disk encryption, Firewall, VPN/Wireguard/Proxy, opened ports, locked screen saver (laptop vs workstation), lunch applications in containers, most used applications adhere to KDE privacy statement or have a similar statement ...

The score should be valid for the current year as the scoring values should be updated yearly (elements and values) and be inspired by security audit tools already available.

KDE Container and sandbox center

Provide a intuitive way to integrate containers, distinguish applications running in them and configure their privileges.
Includes but not limited to :

  • Provide a way of knowing where an application is residing (native, container, flatpak, snap, appimage, remote).
  • Provide a way to modify on the fly an application rights/privilege
    • File access
    • Hardware access (keyboard, mouse, disk, network, gpu, usb, etc.).
    • Network access
    • Clipboard access
  • Provide a way to manage all containers that have access to the GUI and what is currently accessing/using it.

In KDE

Static and run-time analysis tools integrated into KDE, such as:

  • KDE Inspector : an application that can provide information on a running task, the process list it is associated with and a log of privilege usage. Initially it would be about open/change of files/devices and internet connectivity monitoring. Things like reading keyboard input while not in focus should also be noted.
  • Wireshark
  • gdb
  • [...]

Use already available libraries :

  • lsof
  • sockets
  • [...]
Containers :
VM :

KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:

KDE software can be audited for compliance with common, security related standards, such as:

  • NIST Cybersecurity Framework (NIST CSF)
  • ISO 15408
  • RFC2196
  • Cyber Essentials (UK Government Standard)

How we know we succeeded

  • KDE adopt a privacy, security and transparency pledge.
  • KDE Framework audited by at least one organization or authority.
  • All applications and KDE framework adopt Secure by design guidelines.
  • KDE is known as a secure and privacy oriented desktop environment.
  • KDE has put in place many security functions for developers and users and they are being used.
  • When users work on improving their system security score and asking more questions about security and privacy.

"Soft" criteria include:

  • Press and 3rd party refer to KDE as carrying the gold-standard for such software
  • Journalists prefer KDE software for their work
  • The NSA hates KDE
  • The CCC loves KDE ♥

Relevant links

Further reading

I am willing to put work into this

I am interested

jrioux created this task.Jun 11 2019, 1:56 PM
jrioux updated the task description. (Show Details)Jun 14 2019, 1:00 AM
lydia moved this task from Backlog to drafting on the Goal Setting 2019 board.Jun 14 2019, 10:38 AM
jrioux updated the task description. (Show Details)Jun 14 2019, 1:45 PM
lydia updated the task description. (Show Details)Jun 15 2019, 7:13 AM
lydia removed a project: Goal settings 2017.
ervin added a subscriber: ervin.Jun 23 2019, 12:40 PM

That would be a nice follow-up to the privacy goal. The wording still is a bit weak though. I might be slightly confused but I read it a bit like "be more like Qubes" which won't be enough to attract votes to that goal. I'd advise giving more details on how our world would look if the goal was reached. Also I suspect it would work only by further integration with the underlying platform: how would that be achieved? what would be needed or missing? The list of existing libraries fall a bit short there.

That would be a nice follow-up to the privacy goal.

The privacy goal was never completed though, we have only scratched the surface.

In progress of merging with T7050

jrioux updated the task description. (Show Details)Jun 28 2019, 12:27 PM
jrioux added a subscriber: dvratil.
jrioux renamed this task from Enhancing user awareness to privacy and security. to KDE prioritizing privacy and security as an integral part of KDE ecosystem.Jun 28 2019, 12:32 PM

This is essentially a rewrite and merge with T7050. I didn't put the same list of "willing" and "interested" people as I can't assume responsibility for them; they will have to make a stand if they wish to support this goal as they did with T7050.

jrioux updated the task description. (Show Details)Jun 28 2019, 2:06 PM

I would like to receive feedback and suggestion to complement and finalize this draft. Some parts still feels sketchy and may need more work. Feel free to correct spelling also, as English is not my native language.

jrioux updated the task description. (Show Details)Jul 1 2019, 11:25 PM
jrioux updated the task description. (Show Details)Jul 1 2019, 11:35 PM
jrioux moved this task from drafting to ready for discussion on the Goal Setting 2019 board.

Moved to discussion workboard to have further input !

lavender added a comment.EditedFri, Jul 19, 2:59 PM

The KDE sysadmins recently closed the onion service task no after it stood open for 1 year with no comments. Does KDE not care about users in places such as Kazakhstan? https://bugzilla.mozilla.org/show_bug.cgi?id=1567114
I thought privacy was a goal so I put time in turning the vague privacy goal into something actionable only to see nothing happen and worse yet active pushback against improving privacy.

I want to believe it will be different this time around I don't think so, the privacy goal seems to be primarily for marketing I feel. To tell people that KDE is thinking about privacy and you can contribute too. But the truth is there are social hierarchies and decisions will be made top down with no community discussion with no regard for how aligned they are with the community goals. I honestly don't think another rewrite of the text will change the structural obstacles to actually help with privacy instead of just using it for marketing. The undertone seems to be a drift away from community focus to Enterprise™ focus.

bshah added a comment.Fri, Jul 19, 5:20 PM

Can you please stop with passive atttacks on sysadmin team? In https://phabricator.kde.org/T8809#190440 it is clearly mentioned that sysadmin team right now doesn't have a time/bandwidth to support this. And it is fair as right now we just have barely 5 people as sysadmin for maintaining whole infrastructure.

And all of them are working as volunteer and none of them is a hired by either KDE e.V. or any other company to work as sysadmin.

So please I request you to stop mentioning this decision as "top-down".

lavender added a comment.EditedFri, Jul 19, 5:36 PM

There was no discussion, it was made without even understanding the possibilities or how much bandwidth it would take. One of reasons given was that subdomains wouldn't work which just isn't true. It was a top down decision. I'm not too concerned with being called passive aggressive by someone I'm criticising. I'm not talking to you but to the wider KDE community. You passive aggressively removed the sysadmin task to block any further discussion and you're trying to stifle discussion again.

bshah added a comment.Fri, Jul 19, 5:37 PM

Huh? Task is still open? Just sysadmin un-assigned themselves?

This is exactly kind of bad faith structural obstacles I'm talking about. Yes you removed both sysadmins and websites so it just sits there ignored. It's not even on the wishlist as is customary. But why play word games?

lydia added a comment.Fri, Jul 19, 7:30 PM

We're getting away from improving this goal proposal.

At this point I think I wrote most of the actual proposal (the original one) besides the fluff, if we are talking about actionable items instead of marketing speak. When I started working on it it was just marketing speak with no way to do anything with it.

Now we're a year later and really nothing happened.

We are indeed moving away from improving the goal, there are people who make that go against improving the goal. And they do it without discussion or accountability.

That's why I didn't edit this version of the goal even though I think there are unfortunate word choices that might be misleading but it's a waste of resources because nothing is going to happen. There are very few people that care about security, and even less that care about privacy. Teams can pick and choose how serious they take it. If a chain is only as strong as its weakest link, well our links are saying we don't have time to worry about how strong they are because they are metaphorically too busy picking the paint color to even consider it.

Let's keep the focus of discussion on this task. Discussion of T8809 should take place there. I will echo one thing I wrote there though:

This is also exactly what I mean when I say that each goal really needs a person or small group of people who can be seen as the leaders, pushing it forward and visibly doing the work to make it happen. The privacy goal never really had this the way @neofytosk led the onboarding goal and I led the U&P goal. As a result, the privacy goal was never fully fleshed out and didn't yield as much fruit as the other two goals. If the privacy goal is re-selected this year, I sincerely hope that someone steps up to be its leader. Maybe you?

@ngraham I see what you are saying but de facto I've been doing all the things you can expect someone coordinating a goal to do - make a coherent proposal, make the issues, track the progress, keep my eye on other projects and chime in when there are issues that intersect with the goal. The difference is I don't have the social capital of some of the 'big names' who make the decisions, so even though I might know more about a subject it might still get ignored.

I can try to coordinate, but there's only so much I can do, I just want KDE to be better I have no interest in climbing the social ladder. I'm not going to list off my CV and what projects I did at school to try to impress anyone into considering my opinion.

@ngraham I see what you are saying but de facto I've been doing all the things you can expect someone coordinating a goal to do - make a coherent proposal, make the issues, track the progress, keep my eye on other projects and chime in when there are issues that intersect with the goal. The difference is I don't have the social capital of some of the 'big names' who make the decisions, so even though I might know more about a subject it might still get ignored.

I can try to coordinate, but there's only so much I can do, I just want KDE to be better I have no interest in climbing the social ladder. I'm not going to list off my CV and what projects I did at school to try to impress anyone into considering my opinion.

No need to climb a social ladder or show off your credentials; that's not how it works in the FOSS world. Rather, influence is garnered by basically only one thing: doing work and giving it away for free. Discussing and coordinaring are good, and important--critically so--but in the end, they're just support tasks whose aim is to make the work itself easier to do, whether that work is editing code, improving documentation, making mockups, designing a website, doing promo and user outreach, or whatever. If after all the discussion nobody else has stepped up to do that work, if you want to be the leader, then it's your job to start on the work or else it doesn't get done. Your Phab page doesn't list any commits or patches submitted to KDE; doing more of that might be a good way to move some of this privacy stuff off the drawing board and into the real world.

Basically, find something that needs doing and start hacking.

The example of school project happened in the other task that's why I mention it. I addressed all the claims made but someone else said they made a school project about tor and the sysadmin immediately disregarded what I had to say and the ticket was removed from sysadmin grouo, that is to say it's not in the wishlist even. It means that they are done talking about it (there was no discussion at all). I don't think this represents the KDE community but what is the next step at that point?

I'm not going to do it myself if no one cares, that's the problem. It's not even a matter of willingness, if the people responsible for the component don't even consider what you have to say then no matter how many mockups you make it doesn't change that. And doing it personally would defeat the purpose of it being a goal for the community. It's unfortunate you see thinking about the architecture not real work compared to coding, I disagree and think it's the most important part especially when dealing with a subject such as privacy where messing up can be very costly. We can waste a lot of time on an implementation that is broken by design or that did not account for something fundamental because there was no discussion where it could have maybe been found.

If as a community KDE cannot come together for privacy then maybe it should not be a goal. Taking privacy seriously requires commitment and it also means being brutally honest with how private or unprivate KDE is.

It sounds like you don't want to lead this goal, then. That's fine. Let's leave it at that so this part of the discussion doesn't suck all of the oxygen out of the room so nobody else wants to participate.

Yeah I think you are right, I've thought about it and I don't want to lead this goal. Only someone with the social capital of the big names can lead goals, everyone else can be effectively ignored with zero accountability.

Good luck in finding someone who will do it because there are about 5 people in total who even talk about privacy in the whole of our phabricator. No one seems to want to discuss what it will take even. So, good luck.

lydia added a comment.Sun, Jul 28, 2:08 PM

Only someone with the social capital of the big names can lead goals.

I don't think that's fair. 2 of the 3 initial goals were lead by new people who you can't really claim had that load of social capital you say is needed. It is a lot of work and working with people, yes. But the process is specifically set up to enable anyone to start gathering the necessary backing.

And with that we're returning this ticket to it's original purpose: defining the privacy and security goal :)

ognarb updated the task description. (Show Details)Sun, Jul 28, 6:19 PM
ognarb added a subscriber: ognarb.
lydia added a comment.Sat, Aug 3, 3:48 PM

Is there someone who would be willing to take on leadership of this goal? If so please move it to the next column so we can consider it for voting.

lydia updated the task description. (Show Details)Sat, Aug 3, 4:14 PM
jrioux added a comment.Sat, Aug 3, 6:43 PM

I updated the goal and developed the ideas a bit more extensively. I am unable to take leadership and push forward the acceptance of this goal in the KDE ecosystem (not programmer/developer; just humble user).

I do believe that privacy is a major concern and that KDE should incorporate efficient planning of it in the code base as well as it's philosophy in KDE development. The more we wait, the harder it becomes.

I do hope someone will be able to take on the leadership and bring forward KDE as a privacy minded desktop environment.
Thanks

lydia added a comment.Sat, Aug 3, 6:47 PM

@jrioux Thank you for the work you've already put into it. And I believe what this goal needs most is not someone who can program but someone who can coordinate and rally people. That's what we've seen with the current privacy goal. There are comparatively many people who help with the code side of things but what's lacking is someone keeping it all together. I'm highlighting this in case it changes things for you or someone else.

lavender added a comment.EditedSun, Aug 4, 11:53 AM

@lydia I was doing all those things and as @ngraham said it's not enough.

No need to climb a social ladder or show off your credentials; that's not how it works in the FOSS world. Rather, influence is garnered by basically only one thing: doing work and giving it away for free. Discussing and coordinaring are good, and important--critically so--but in the end, they're just support tasks whose aim is to make the work itself easier to do, whether that work is editing code, improving documentation, making mockups, designing a website, doing promo and user outreach, or whatever. If after all the discussion nobody else has stepped up to do that work, if you want to be the leader, then it's your job to start on the work or else it doesn't get done. Your Phab page doesn't list any commits or patches submitted to KDE; doing more of that might be a good way to move some of this privacy stuff off the drawing board and into the real world.

Basically, find something that needs doing and start hacking.

Come on now. This is getting ridiculous.

Here is a preview of what awaits anyone wanting to coordinate this task: T8809

Let's not derail the conversation for this goal anymore. It's clear that you don't wait to lead this task. That's fine. Let's let others step up if they'd like to.

This is ridiculous, you say coordination is not enough but lydia says that's what's needed and we have enough people coding? which way is it? Own up to your mistakes instead of acting like nothing happened.

lydia added a comment.Tue, Aug 13, 8:50 PM

Quick reminder that there are two days left before the voting starts. Please make any changes you still want to make soon and let's move it to the ready for voting column.