Privacy Software
Open, HighPublic

Description

Description

"In 5 years, KDE software enables and promotes privacy"

Privacy is the new challenge for Free Software. KDE is in a unique position to offer users a complete software environment that helps them to protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy on top of the agenda, arguably, being in this position, KDE has the obligation to do this, in the interest of the users.

The effect is expected to be two-fold:

  • Offer users the tools to protect privacy and to lead a private and safe digital life without compromising their identity, exposing their habits and communications
  • Setting a high standard and example for others to follow, define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and eco-system to protect users privacy better

Leaking user data, allowing users to be tracked, collecting their most private information in databases across the world means that users lose control of their identity and what parts they want others to know, and what they want to keep for themselves. Worse, collecting data in so many places, often commercially, but also by governments means that the user has little way of knowing what is known about him or her, let alone being able to determine who should be able to control what. Data being persistently collected means that not only today's security measures and policies are relevant, but also the future's. This poses a great multiple great risks.

KDE adds a 5th Freedom to the 5 principal software Freedoms:

The freedom to decide which data is sent to which service”.

Personal Risks for Users

Risks that individual users run are, among others:

  • The more data that is collected, the bigger the risk of Identity Theft becomes
  • Profiling
  • Blackmail
  • Users' private data may end up in the wrong hands
  • Targeting of users (e.g. marginalized users are more at risk)

Threat Models

Public Wifi

Assume anyone can see your Wifi network traffic (e.g. you are connected to the same WPA2 network). Using your device in such an environment should be safe and not compromise your privacy any more compared to using a wired network at home.

Possible counter-measures: Only connect to encrypted services, Connect through an encrypted tunnel to a computer on your home network (e.g. wireguard on a raspberry pi for example)

Stolen Device

Assume your device gets stolen in a switched off or locked screen state. This should not result in a disclosure of personal data.

Possible counter-measures: Full Disk Encryption (e.g. LUKS, ZFS)

Mega Corporations ("Google")

It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.

Possible counter-measures: Free, accessible, end-to-end encrypted alternatives to proprietary services. (e.g. Signal, Briar)

Global Surveillance ("NSA")

A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But all practical low-latency systems, like Tor, do not protect against such a strong adversary. Instead, they assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers; and who can compromise some fraction of the onion routers. More detail in the Tor design document.

Possible counter-measures: Only use end-to-end encrypted services (Tor onion services, Signal, Briar), use the Tor network when possible, Minimize network traffic

Targeted Surveillance ("Snowden")

Could be politically motivated or industrial espionage, by an actor with significant skill and resources.

Possible counter-measures: Reproducible builds, Clear separation of trust boundaries and documentation thereof (e.g. 'can installing a theme make my system more insecure?', 'what does this plasmoid have access to?), Apply the principle of least authority (it should be clear what a particular component has access to and able to revoke it, for example a plasmoid needs to request access to the network or the home directory), Regular security audits (not just of KDE software but also of popular third party plasmoids for example)

Rogue local software

Assume you run any kind of software not coming from a trusted source or trusted software parses data that is not trusted. E.g. you install a plasmoid from the KDE store. It should be easy to protect your personal data, kwallets, browser history, etc. and local network from that code.

Possible counter-measures: Easy and configurable sandboxing of untrusted binaries (including plasmoids and themes) and binaries that parse untrusted data (such as video/media players), Application firewall to catch and stop network egress (e.g. Subgraph Firewall, Easy rollback of destructive changes using atomic changes/snapshotting (e.g. btrfs, ZFS, ostree)

What it will take?

TLDR;:

  • Security
  • Privacy-respecting defaults
  • Offering the right tools in the first place

Security

We can only guarantee privacy if we also value security.
Possible approaches:

  • Functioning code-review
  • Regular security audits
  • Quick turn-around times for software updates, especially security fixes
  • Prefer to use encrypted communication where possible, offer Tor onion services for KDE services, prefer HTTPS over HTTP where possible, avoid unencrypted connections
  • Encryption at rest of sensitive information
  • Moving away from inherently insecure technologies and using more secure technologies, i.e. default to Wayland instead of X11, Keep supporting privileged user namespaces for sandboxing, Strong defaults for seccomp filtering, AppArmor and cgroups
  • Avoiding single points of failure and centralized control

Privacy-Respecting Defaults

KDE software supporting this goal should:

  • Only collect and send data when necessary and clear and sensible from within the context and using a vetted privacy-preserving methods (e.g. rappor which is used by Chrome and Firefox). No hidden telemetry sending user stats, not HTTP connections downloading content, no search queries to online services without the users explicit consent (or where it's entirely clear from the context, e.g. web browsers, software updater, etc.).
  • Use anonymity where it is possible, for example by using Tor connections for things like telemetry and weather updates which don't require third party user identification (because we cannot control third party services and if they will behave)
  • No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
  • Privacy-preserving defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk to that should be clear, either from context or explicitely stated.)
  • Use clear and consistent UI and design language around network-related options

Offering the Right Tools

KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:

  • An email client allowing encrypted communication
  • Chat and instant messenging with state-of-the art protocol security (Signal Protocol and derivatives like Briar and Matrix)
  • A webbrowser that has private default settings
  • Allow users to easily scrub metadata from files (e.g. dolphin integration of MAT)
  • Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
  • Support for online services that can be operated as private instances, not depending on a 3rd party providers
  • State-of-the-art support and integration for projects like Tor, MAT, etc.

How we know we succeeded

Static and runtime analysis tools, such as:

  • Wireshark
  • gdb
  • [...]

KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:

KDE software can be audited for compliance with common, security related standards, such as:

  • NIST Cybersecurity Framework (NIST CSF)
  • ISO 15408
  • RFC2196
  • Cyber Essentials (UK Government Standard)

"Soft" criteria include:

  • Press and 3rd party refer to KDE as carrying the gold-standard for such software
  • Journalists prefer KDE software for their work
  • The NSA hates KDE
  • The CCC loves KDE ♥

Relevant links

I am willing to put work into this

I am interested

There are a very large number of changes, so older changes are hidden. Show Older Changes
sebas updated the task description. (Show Details)Sep 22 2017, 10:52 AM
sebas updated the task description. (Show Details)Sep 22 2017, 11:37 AM
sebas updated the task description. (Show Details)Sep 22 2017, 11:46 AM
sebas updated the task description. (Show Details)Sep 22 2017, 11:59 AM
sebas updated the task description. (Show Details)Sep 22 2017, 12:03 PM
sebas updated the task description. (Show Details)Sep 22 2017, 12:19 PM
bshah updated the task description. (Show Details)Sep 22 2017, 12:59 PM
bshah added a subscriber: bshah.
schwarzer updated the task description. (Show Details)Sep 22 2017, 1:22 PM
ngraham updated the task description. (Show Details)Sep 22 2017, 1:58 PM
ngraham added a subscriber: ngraham.
valorie updated the task description. (Show Details)Sep 23 2017, 6:28 AM
graesslin updated the task description. (Show Details)Sep 23 2017, 6:42 AM
ivan updated the task description. (Show Details)Sep 23 2017, 7:50 AM
ivan added a subscriber: ivan.
ojschmidt updated the task description. (Show Details)Sep 23 2017, 12:51 PM
ojschmidt added a subscriber: ojschmidt.
graesslin updated the task description. (Show Details)Sep 24 2017, 6:10 AM
graesslin added a subscriber: graesslin.
jensreuterberg added a subscriber: jensreuterberg.

This is a goal which (hopefully) pretty much everyone in KDE can rally behind (otherwise our Vision, Mission and Strategy would not reflect the community's).

That said, I feel that this goal mixes element of an attainable mid-term goal with things which should guide our work in general, forever (or at least until technological advances might make some of them obsolete).

I see the section "Offering the right tools" as the actual goals part of this: These are very specific things where we can eventually say "Yup,
we now have this.". The "Others" section could also work as additional goals.

For the things in "Privacy-respecting defaults", I'd suggest to remove them from the goal and add those which are not in the Mission/Strategy wiki page ( https://community.kde.org/KDE/Mission ) yet (several of them already are) to that one instead. The reasoning for that is that those are things we don't just want to do in the next five years, but probably forever, since they define how we should make all our software.
Then we could reference back from this goal to the Mission, but those points would affect all other goals as well.

colomar updated the task description. (Show Details)Sep 25 2017, 7:45 AM
sebas updated the task description. (Show Details)Sep 25 2017, 1:06 PM
sebas updated the task description. (Show Details)Sep 25 2017, 1:09 PM
knauss updated the task description. (Show Details)Sep 27 2017, 11:11 AM
knauss added a subscriber: knauss.
sebas updated the task description. (Show Details)Sep 29 2017, 12:38 PM
lydia added a subscriber: lydia.Oct 2 2017, 6:18 PM

To make all goals uniform I suggest a title like "Improve and extend privacy of all KDE Software". (Yeah still a bit boring.)

lydia raised the priority of this task from Normal to Needs Triage.Oct 2 2017, 6:24 PM

I am unsetting the priority to give all goal setting tickets the same priority.

cfeck added a subscriber: cfeck.Oct 2 2017, 7:49 PM
gregormi updated the task description. (Show Details)Oct 3 2017, 8:32 AM
gregormi added a subscriber: gregormi.
neofytosk updated the task description. (Show Details)Oct 3 2017, 7:39 PM
neofytosk added a subscriber: neofytosk.
apol updated the task description. (Show Details)Oct 14 2017, 1:33 PM
laysrodrigues added a subscriber: laysrodrigues.
rishabhg updated the task description. (Show Details)Nov 6 2017, 4:17 PM
sagarhani updated the task description. (Show Details)Nov 7 2017, 7:39 AM
sagarhani added a subscriber: sagarhani.

Thanks everyone for helping draft this proposal. The voting has started. If you are an active KDE contributor and have not received an invitation to the vote please send me an email to lydia@kde.org.

mart updated the task description. (Show Details)Nov 10 2017, 10:48 AM
mart added a subscriber: mart.
lydia added a comment.Nov 27 2017, 7:56 PM

Congratulations! This task is among the 3 selected ones to focus on for the next 3 to 4 years. It will need all hands on deck to make it reality. If you can help please add yourself to the list in the goal description.

Zren added a subscriber: Zren.Nov 27 2017, 11:13 PM

Do we have a tag to combine all task that are connected to this? Or how we have an overview what to do?
F.ex. T7430 is one, where we need to have to look at. Because we need to think about how to implement a good proxy support for application and an override structure...

Do we have a tag to combine all task that are connected to this? Or how we have an overview what to do?
F.ex. T7430 is one […]

I don´t know whether it is the right way to go about it, but you can set T7050 as its parent task from the "Edit Related Tasks" menu at the upper right.

Here are some thoughts on threat models for this, not sure if we have a better place yet to discuss this, so I'll just put it here :)

(1) Public Wifi

Assume anyone can see your Wifi network traffic (e.g. via recent vulnerabilities in WPA2). Using your device in such an environment should be safe and not compromise your privacy any more compared to using a wired network at home.
Possible counter-measures: Encrypted communication, VPN.

(2) Stolen Device

Assume your device gets stolen in a switched off or locked screen state. This should not result in a disclosure of personal data.
Possible counter-measures: Local encryption.

(3) Mega Corporations ("Google")

It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.
Possible counter-measures: Free alternatives for proprietary services.

(4) Global Surveillance ("NSA")

Assume the entire Internet traffic being recorded, as well as deliberate attempts to break or weaken encryption.
Possible counter-measures: State of the art encryption, minimize network communication, Tor.

(5) Targeted Surveillance ("Snowden")

Could be politically motivated or industrial espionage, by an actor with significant skill and resources.
Possible counter-measures: ???

What else? Which of those do we want to address? Do you think that's a useful approach to guide/validate our work?

vkrause updated the task description. (Show Details)Jan 5 2018, 4:23 PM
sebas updated the task description. (Show Details)Jan 22 2018, 12:21 PM
sebas updated the task description. (Show Details)
rkflx added a subscriber: rkflx.Mar 13 2018, 8:33 PM
jackyalcine updated the task description. (Show Details)Mar 27 2018, 10:18 PM
sharvey updated the task description. (Show Details)Apr 2 2018, 10:24 PM
sharvey added a subscriber: sharvey.
aheinecke updated the task description. (Show Details)Apr 3 2018, 12:26 PM
aheinecke added a subscriber: aheinecke.
nicolasfella updated the task description. (Show Details)May 1 2018, 8:36 PM
nicolasfella added a subscriber: nicolasfella.
lavender updated the task description. (Show Details)May 23 2018, 2:31 PM
lavender updated the task description. (Show Details)May 23 2018, 2:58 PM
valorie updated the task description. (Show Details)May 24 2018, 1:35 AM
valorie added a subscriber: valorie.
ivan claimed this task.Fri, Oct 26, 4:31 PM
ivan triaged this task as High priority.
ivan updated the task description. (Show Details)
ivan added a comment.Fri, Oct 26, 4:36 PM

I'll be serving as the goal keeper for the next period.

alexde added a subscriber: alexde.Sat, Oct 27, 12:03 PM