Privacy Software
Open, HighPublic

Description

Description

"In 5 years, KDE software enables and promotes privacy"

Privacy is the new challenge for Free Software. KDE is in a unique position to offer users a complete software environment that helps them to protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy on top of the agenda, arguably, being in this position, KDE has the obligation to do this, in the interest of the users.

The effect is expected to be two-fold:

  • Offer users the tools to protect privacy and to lead a private and safe digital life without compromising their identity, exposing their habits and communications
  • Setting a high standard and example for others to follow, define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and eco-system to protect users privacy better

Leaking user data, allowing users to be tracked, collecting their most private information in databases across the world means that users lose control of their identity and what parts they want others to know, and what they want to keep for themselves. Worse, collecting data in so many places, often commercially, but also by governments means that the user has little way of knowing what is known about him or her, let alone being able to determine who should be able to control what. Data being persistently collected means that not only today's security measures and policies are relevant, but also the future's. This poses a great multiple great risks.

KDE adds a 5th Freedom to the 5 principal software Freedoms:

The freedom to decide which data is sent to which service”.

Personal Risks for Users

Risks that individual users run are, among others:

  • The more data that is collected, the bigger the risk of Identity Theft becomes
  • Profiling
  • Blackmail
  • Users' private data may end up in the wrong hands
  • Targeting of users (e.g. marginalized users are more at risk)

Threat Models

Public Wifi

Assume anyone can see your Wifi network traffic (e.g. you are connected to the same WPA2 network). Using your device in such an environment should be safe and not compromise your privacy any more compared to using a wired network at home.

Possible counter-measures: Only connect to encrypted services, Connect through an encrypted tunnel to a computer on your home network (e.g. wireguard on a raspberry pi for example)

Stolen Device

Assume your device gets stolen in a switched off or locked screen state. This should not result in a disclosure of personal data.

Possible counter-measures: Full Disk Encryption (e.g. LUKS, ZFS), secure-delete tools (sswap, sdmem)

Mega Corporations ("Google")

It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.

Possible counter-measures: Free, accessible, end-to-end encrypted alternatives to proprietary services. (e.g. Signal, Briar)

Global Surveillance ("NSA")

A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But all practical low-latency systems, like Tor, do not protect against such a strong adversary. Instead, they assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers; and who can compromise some fraction of the onion routers. More detail in the Tor design document.

Possible counter-measures: Only use end-to-end encrypted services (Tor onion services, Signal, Briar), use the Tor network when possible, Minimize network traffic

Targeted Surveillance ("Snowden")

Could be politically motivated or industrial espionage, by an actor with significant skill and resources.

Possible counter-measures: Reproducible builds, Clear separation of trust boundaries and documentation thereof (e.g. 'can installing a theme make my system more insecure?', 'what does this plasmoid have access to?), Apply the principle of least authority (it should be clear what a particular component has access to and able to revoke it, for example a plasmoid needs to request access to the network or the home directory), Regular security audits (not just of KDE software but also of popular third party plasmoids for example)

Rogue local software

Assume you run any kind of software not coming from a trusted source or trusted software parses data that is not trusted. E.g. you install a plasmoid from the KDE store. It should be easy to protect your personal data, kwallets, browser history, etc. and local network from that code.

Possible counter-measures: Easy and configurable sandboxing of untrusted binaries (including plasmoids and themes) and binaries that parse untrusted data (such as video/media players), Application firewall to catch and stop network egress (e.g. Subgraph Firewall, Easy rollback of destructive changes using atomic changes/snapshotting (e.g. btrfs, ZFS, ostree)

The adversary enter at your place

You have few seconds to try to secure your data by pressing a "panic button" (locally or remotely, by e.g. kdeconnect).

Possible counter-measures: pushing the "panic button" locks the screen, unmounts all Vaults/Veracrypt disks and clear the password/keyfile cache, writes zeros to RAM and swap using sdmem and sswap, securely removes (srm) critical files, call sweeper, run sfill, propagates the panic signal to all other nodes in the network, forces an ACPI shutdown, etc. Inspired by https://github.com/0xPoly/Centry

What it will take?

TLDR;:

  • Security
  • Privacy-respecting defaults
  • Offering the right tools in the first place

Security

We can only guarantee privacy if we also value security.
Possible approaches:

  • Functioning code-review
  • Regular security audits
  • Quick turn-around times for software updates, especially security fixes
  • Prefer to use encrypted communication where possible, offer Tor onion services for KDE services, prefer HTTPS over HTTP where possible, avoid unencrypted connections
  • Encryption at rest of sensitive information
  • Moving away from inherently insecure technologies and using more secure technologies, i.e. default to Wayland instead of X11, Keep supporting privileged user namespaces for sandboxing, Strong defaults for seccomp filtering, AppArmor and cgroups
  • Avoiding single points of failure and centralized control

Privacy-Respecting Defaults

KDE software supporting this goal should:

  • Only collect and send data when necessary and clear and sensible from within the context and using a vetted privacy-preserving methods (e.g. rappor which is used by Chrome and Firefox). No hidden telemetry sending user stats, not HTTP connections downloading content, no search queries to online services without the users explicit consent (or where it's entirely clear from the context, e.g. web browsers, software updater, etc.).
  • Use anonymity where it is possible, for example by using Tor connections for things like telemetry and weather updates which don't require third party user identification (because we cannot control third party services and if they will behave)
  • No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
  • Privacy-preserving defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk to that should be clear, either from context or explicitely stated.)
  • Use clear and consistent UI and design language around network-related options

Offering the Right Tools

KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:

  • An email client allowing encrypted communication
  • Chat and instant messenging with state-of-the art protocol security (Signal Protocol and derivatives like Briar and Matrix)
  • A webbrowser that has private default settings
  • Allow users to easily scrub metadata from files (e.g. dolphin integration of MAT)
  • Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
  • Support for online services that can be operated as private instances, not depending on a 3rd party providers
  • State-of-the-art support and integration for projects like Tor, MAT, secure-delete tools, etc.
  • Password creation and sync across devices (Like Keepassx and Firefox sync together)

How we know we succeeded

Static and runtime analysis tools, such as:

  • Wireshark
  • gdb
  • [...]

KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:

KDE software can be audited for compliance with common, security related standards, such as:

  • NIST Cybersecurity Framework (NIST CSF)
  • ISO 15408
  • RFC2196
  • Cyber Essentials (UK Government Standard)

"Soft" criteria include:

  • Press and 3rd party refer to KDE as carrying the gold-standard for such software
  • Journalists prefer KDE software for their work
  • The NSA hates KDE
  • The CCC loves KDE ♥

Relevant links

I am willing to put work into this

I am interested

There are a very large number of changes, so older changes are hidden. Show Older Changes

Thanks everyone for helping draft this proposal. The voting has started. If you are an active KDE contributor and have not received an invitation to the vote please send me an email to lydia@kde.org.

mart updated the task description. (Show Details)Nov 10 2017, 10:48 AM
mart added a subscriber: mart.
lydia added a comment.Nov 27 2017, 7:56 PM

Congratulations! This task is among the 3 selected ones to focus on for the next 3 to 4 years. It will need all hands on deck to make it reality. If you can help please add yourself to the list in the goal description.

Zren added a subscriber: Zren.Nov 27 2017, 11:13 PM

Do we have a tag to combine all task that are connected to this? Or how we have an overview what to do?
F.ex. T7430 is one, where we need to have to look at. Because we need to think about how to implement a good proxy support for application and an override structure...

Do we have a tag to combine all task that are connected to this? Or how we have an overview what to do?
F.ex. T7430 is one […]

I don´t know whether it is the right way to go about it, but you can set T7050 as its parent task from the "Edit Related Tasks" menu at the upper right.

Here are some thoughts on threat models for this, not sure if we have a better place yet to discuss this, so I'll just put it here :)

(1) Public Wifi

Assume anyone can see your Wifi network traffic (e.g. via recent vulnerabilities in WPA2). Using your device in such an environment should be safe and not compromise your privacy any more compared to using a wired network at home.
Possible counter-measures: Encrypted communication, VPN.

(2) Stolen Device

Assume your device gets stolen in a switched off or locked screen state. This should not result in a disclosure of personal data.
Possible counter-measures: Local encryption.

(3) Mega Corporations ("Google")

It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.
Possible counter-measures: Free alternatives for proprietary services.

(4) Global Surveillance ("NSA")

Assume the entire Internet traffic being recorded, as well as deliberate attempts to break or weaken encryption.
Possible counter-measures: State of the art encryption, minimize network communication, Tor.

(5) Targeted Surveillance ("Snowden")

Could be politically motivated or industrial espionage, by an actor with significant skill and resources.
Possible counter-measures: ???

What else? Which of those do we want to address? Do you think that's a useful approach to guide/validate our work?

vkrause updated the task description. (Show Details)Jan 5 2018, 4:23 PM
sebas updated the task description. (Show Details)Jan 22 2018, 12:21 PM
sebas updated the task description. (Show Details)
rkflx added a subscriber: rkflx.Mar 13 2018, 8:33 PM
jackyalcine updated the task description. (Show Details)Mar 27 2018, 10:18 PM
sharvey updated the task description. (Show Details)Apr 2 2018, 10:24 PM
sharvey added a subscriber: sharvey.
aheinecke updated the task description. (Show Details)Apr 3 2018, 12:26 PM
aheinecke added a subscriber: aheinecke.
nicolasfella updated the task description. (Show Details)May 1 2018, 8:36 PM
nicolasfella added a subscriber: nicolasfella.
lavender updated the task description. (Show Details)May 23 2018, 2:31 PM
lavender updated the task description. (Show Details)May 23 2018, 2:58 PM
lavender added a subtask: Restricted Maniphest Task.May 23 2018, 3:35 PM
valorie updated the task description. (Show Details)May 24 2018, 1:35 AM
valorie added a subscriber: valorie.
ivan claimed this task.Oct 26 2018, 4:31 PM
ivan triaged this task as High priority.
ivan updated the task description. (Show Details)
ivan added a comment.Oct 26 2018, 4:36 PM

I'll be serving as the goal keeper for the next period.

alexde added a subscriber: alexde.Oct 27 2018, 12:03 PM
maspons updated the task description. (Show Details)Dec 9 2018, 12:01 PM
maspons updated the task description. (Show Details)Dec 9 2018, 12:40 PM
maspons updated the task description. (Show Details)Dec 9 2018, 12:53 PM

please add updates to: KDE Privacy Goal

knauss closed this task as Resolved.Mar 24 2019, 1:02 PM

Let's close this one as we have a sprint happing and a workboard

lydia reopened this task as Open.May 19 2019, 11:14 AM

Reopening this so it shows up on the 2017 goal setting board until we properly close them all later this year.

masonbee updated the task description. (Show Details)Jun 12 2019, 5:50 PM

@neofytosk Can you give some explanation?

@neofytosk Can you give some explanation?

I made a mistake as I didn't realize that you intended for this to be considered again for the new round of goals. I apologize for the trouble. Definitely a goal worth doubling down on.

No worries.

Does anyone have any suggestions of what is missing in this proposal?

jrioux updated the task description. (Show Details)Jun 25 2019, 2:37 PM
jrioux added a subscriber: dvratil.
jrioux added a subscriber: jrioux.

I did a big overhaul of the description and added my ideas. Any suggestions/changes ? Waiting for feedback.

jrioux updated the task description. (Show Details)Jun 25 2019, 3:02 PM
jrioux updated the task description. (Show Details)Jun 25 2019, 3:07 PM
jrioux updated the task description. (Show Details)Jun 25 2019, 4:10 PM
jrioux updated the task description. (Show Details)Jun 25 2019, 4:13 PM
jrioux updated the task description. (Show Details)Jun 25 2019, 4:23 PM
lydia added a comment.Jun 28 2019, 9:43 AM

I really think last year's goal should not be changed this significantly. I would urge you to revert to the previous state, remove this one from the 2019 board and open a new one for 2019.

jrioux updated the task description. (Show Details)Jun 28 2019, 12:28 PM

Reverted to old. Changes where put in T11075

Awesome. Thank you! :)

[spam comment removed by sysadmin]