KDE Privacy Goal

Description
"In 5 years, KDE software enables and promotes privacy"

Privacy is the new challenge for Free Software. KDE is in a unique position to offer users a complete software environment that helps them protect their privacy. KDE, being community-driven and user-focused, has the opportunity to put privacy at the top of the agenda; arguably, being in this position, KDE has the obligation to do so in the interest of its users.

The effect is expected to be two-fold:

  • Offer users the tools to protect their privacy and to lead a private and safe digital life without compromising their identity or exposing their habits and communications
  • Set a high standard and example for others to follow: define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and ecosystem to protect users' privacy better

Leaking user data, allowing users to be tracked, and collecting their most private information in databases across the world means that users lose control of their identity: of which parts they want others to know and which they want to keep for themselves. Worse, data being collected in so many places, often commercially but also by governments, means that users have little way of knowing what is known about them, let alone being able to determine who should control what. Data being collected persistently means that not only today's security measures and policies matter, but also the future's. This poses multiple great risks.

KDE adds a fifth freedom to the four principal software freedoms:

"The freedom to decide which data is sent to which service."

Personal Risks for Users

Risks that individual users run are, among others:

  • The more data that is collected, the bigger the risk of Identity Theft becomes
  • Profiling
  • Blackmail
  • Users' private data may end up in the wrong hands
  • Targeting of users (e.g. marginalized users are more at risk)

Threat Models

Public Wifi

Assume anyone can see your Wi-Fi network traffic (e.g. another client on the same WPA2-PSK network who knows the shared passphrase and captures your handshake can decrypt it). Using your device in such an environment should be safe and should not compromise your privacy any more than using a wired network at home.

Possible counter-measures: only connect to encrypted (TLS) services; connect through an encrypted tunnel to a computer on your home network (e.g. WireGuard on a Raspberry Pi), making sure the tunnel carries all traffic, DNS included, so that name lookups do not still leak to the local network.

Stolen Device

Assume your device gets stolen while switched off or with the screen locked. This should not result in the disclosure of personal data.

Possible counter-measures: full disk encryption (e.g. LUKS, ZFS native encryption), secure-delete tools for swap and RAM (sswap, sdmem). Note that disk encryption only protects data at rest: a device that is merely locked or suspended to RAM still holds the volume key in memory, so the lock screen and a prompt shutdown are part of the defence.

Mega Corporations ("Google")

It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.

Possible counter-measures: free, accessible, end-to-end encrypted alternatives to proprietary services (e.g. Signal, Briar).

Global Surveillance ("NSA")

A global passive adversary is the most commonly assumed threat when analysing theoretical anonymity designs. None of the practical low-latency systems, Tor included, protect against such a strong adversary. Instead, they assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers; and who can compromise some fraction of the onion routers. More detail is in the Tor design document.

Possible counter-measures: only use end-to-end encrypted services (Tor onion services, Signal, Briar), use the Tor network when possible, minimise network traffic.

Targeted Surveillance ("Snowden")

Could be politically motivated or industrial espionage, by an actor with significant skill and resources.

Possible counter-measures:

  • Reproducible builds
  • Clear separation of trust boundaries and documentation thereof (e.g. "can installing a theme make my system less secure?", "what does this plasmoid have access to?")
  • Apply the principle of least authority: it should be clear what a particular component has access to, and it should be possible to revoke that access (for example, a plasmoid needs to request access to the network or to the home directory)
  • Regular security audits (not just of KDE software but also of popular third-party plasmoids, for example)

Rogue local software

Assume you run software that does not come from a trusted source, or trusted software that parses untrusted data (e.g. you install a plasmoid from the KDE Store). It should be easy to protect your personal data (KWallet contents, browser history, etc.) and your local network from that code.

Possible counter-measures:

  • Easy and configurable sandboxing of untrusted binaries (including plasmoids and themes) and of binaries that parse untrusted data (such as video/media players)
  • An application firewall that catches and stops unwanted network egress (e.g. Subgraph Firewall)
  • Easy rollback of destructive changes using atomic updates/snapshotting (e.g. btrfs, ZFS, ostree)
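As an added example of the first counter-measure (this is not KDE or Flatpak code), the wrapper below builds a bubblewrap (bwrap) command line that runs a program with only the authority it was explicitly granted: read-only system directories, an empty throwaway home, no network and no view of other processes. It assumes bwrap is installed and that unprivileged user namespaces are enabled; the flag names are bwrap's own, the `sandbox_argv`/`run_sandboxed` functions and the sample commands are this example's.

```python
"""Least-authority launcher for untrusted programs, built on bubblewrap (bwrap).

Added example, not KDE or Flatpak code.  Assumes bwrap is installed and that
unprivileged user namespaces are enabled.
"""
import os
import shutil
import subprocess
from typing import List, Optional, Sequence

SYSTEM_DIRS = ("/usr", "/etc", "/lib", "/lib64", "/bin", "/sbin")


def sandbox_argv(command: Sequence[str],
                 allow_network: bool = False,
                 shared_dirs: Sequence[str] = (),
                 display: bool = False,
                 home: Optional[str] = None) -> List[str]:
    """Build the bwrap argv.  Every grant beyond the read-only system tree has
    to be asked for explicitly, which is the point of least authority."""
    home = home or os.path.expanduser("~")
    argv = [
        "bwrap",
        "--unshare-all",       # fresh user, pid, ipc, uts, cgroup and net namespaces
        "--die-with-parent",   # the sandbox dies when the launching process exits
        "--new-session",       # no controlling terminal to inject keystrokes into
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
    ]
    for d in SYSTEM_DIRS:
        if os.path.isdir(d):
            argv += ["--ro-bind", d, d]
    # An empty tmpfs replaces the real home: KWallet data, browser profiles
    # and SSH keys are simply not there, whatever the program tries to read.
    argv += ["--tmpfs", home]
    for d in shared_dirs:                      # explicit, enumerated grants only
        argv += ["--bind", d, d]
    if allow_network:                          # --share-net must follow --unshare-all
        argv.append("--share-net")
    if display:
        # Hand in only the Wayland socket.  X11 is left out on purpose: any
        # client holding the X socket can read other windows' input.
        runtime = os.environ.get("XDG_RUNTIME_DIR")
        wayland = os.environ.get("WAYLAND_DISPLAY")
        if runtime and wayland:
            sock = os.path.join(runtime, wayland)
            argv += ["--ro-bind", sock, sock,
                     "--setenv", "XDG_RUNTIME_DIR", runtime,
                     "--setenv", "WAYLAND_DISPLAY", wayland]
    argv.append("--")
    argv += list(command)
    return argv


def run_sandboxed(command: Sequence[str], **grants) -> int:
    """Execute `command` inside the sandbox and return its exit status."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    return subprocess.call(sandbox_argv(command, **grants))


if __name__ == "__main__":
    # A plasmoid previewer gets a display but no network and an empty home;
    # a media player sees a downloaded file only through one shared directory.
    print(" ".join(sandbox_argv(["plasmoidviewer", "-a", "org.example.widget"],
                                display=True)))
    print(" ".join(sandbox_argv(["mpv", "/tmp/untrusted/clip.mkv"],
                                shared_dirs=["/tmp/untrusted"], display=True)))
```

The ordering matters: bwrap applies its options in sequence, so `--share-net` only makes sense after `--unshare-all`, and a `--bind` of a subdirectory under the home tmpfs has to come after the `--tmpfs` line. Flatpak and Firejail apply the same namespace and bind-mount primitives with more policy on top; the mechanism is the same.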

The adversary enters your home

You have a few seconds to secure your data by pressing a "panic button" (locally, or remotely via e.g. KDE Connect).

Possible counter-measures: pressing the "panic button" triggers, for example:

  • locking the screen
  • unmounting all Plasma Vaults and VeraCrypt volumes and clearing the password/keyfile cache
  • wiping RAM and swap with sdmem and sswap
  • securely removing (srm) critical files, running Sweeper and sfill
  • propagating the panic signal to all other nodes in the network
  • forcing an ACPI shutdown

Wiping RAM from a running system is best effort; a forced power-off is the more reliable way to clear the disk-encryption key from memory. Inspired by https://github.com/0xPoly/Centry

What will it take?

TL;DR:

  • Security
  • Privacy-respecting defaults
  • Offering the right tools in the first place

Security

We can only guarantee privacy if we also value security.
Possible approaches:

  • Functioning code review
  • Regular security audits
  • Quick turn-around times for software updates, especially security fixes
  • Prefer to use encrypted communication where possible, offer Tor onion services for KDE services, prefer HTTPS over HTTP where possible, avoid unencrypted connections
  • Encryption at rest of sensitive information
  • Moving away from inherently insecure technologies towards more secure ones, e.g. default to Wayland instead of X11, keep supporting unprivileged user namespaces for sandboxing, strong defaults for seccomp filtering, AppArmor and cgroups
  • Avoiding single points of failure and centralized control
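The "prefer HTTPS over HTTP, avoid unencrypted connections" item can be enforced at one choke point in an application's network layer. The following is an added example, not KDE or Qt code: a URL policy that rewrites http:// to https:// unless the host is on an explicit allowlist, keeps an HSTS cache so that hosts which have asked for strict transport get no certificate-error click-through, and refuses other non-TLS schemes. The Strict-Transport-Security syntax follows RFC 6797; the store layout, function names and the allowlist parameter are this example's own.

```python
"""HTTPS-by-default URL policy with an HSTS cache.

Added example, not KDE or Qt code.  Header syntax per RFC 6797; the rest is
this example's own design.
"""
import re
import time
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


class InsecureUrlRefused(Exception):
    """The URL cannot be fetched over an encrypted connection."""


# host -> (expiry as unix time, includeSubDomains)
HstsStore = Dict[str, Tuple[float, bool]]

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    m = _MAX_AGE.search(header)
    if m is None:
        return None                       # RFC 6797: max-age is mandatory
    directives = {d.strip().lower() for d in header.split(";")}
    return int(m.group(1)), "includesubdomains" in directives


def remember_hsts(store: HstsStore, host: str, header: str,
                  now: Optional[float] = None) -> None:
    """Record a host's policy.  Only call this for a header received over TLS;
    an HSTS header on a plain-http response is attacker-controllable."""
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, subs = parsed
    now = time.time() if now is None else now
    if max_age == 0:
        store.pop(host.lower(), None)     # max-age=0: the host asks to be forgotten
    else:
        store[host.lower()] = (now + max_age, subs)


def hsts_host(store: HstsStore, host: str, now: float) -> bool:
    """True if host, or a parent domain whose policy covers subdomains,
    has an unexpired HSTS entry."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None:
            continue
        expires, subs = entry
        if expires > now and (i == 0 or subs):
            return True
    return False


def enforce(url: str, store: HstsStore, allow_plain: Iterable[str] = (),
            now: Optional[float] = None) -> Tuple[str, bool]:
    """Return (url_to_fetch, strict).

    http:// is rewritten to https:// unless the host is on the allowlist.
    strict=True marks an HSTS host: the caller must treat any TLS error as
    fatal rather than offer a click-through.  Other schemes are refused."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    strict = hsts_host(store, host, now)
    if parts.scheme == "https":
        return url, strict
    if parts.scheme != "http":
        raise InsecureUrlRefused(f"refusing non-TLS scheme in {url!r}")
    if not strict and host in {h.lower() for h in allow_plain}:
        return url, False                 # deliberate, user-visible exception
    netloc = parts.netloc
    if parts.port == 80:                  # drop the explicit default port
        netloc = netloc.rsplit(":", 1)[0]
    upgraded = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return upgraded, strict
```

Two details carry the security weight: `remember_hsts` must only ever be fed headers that arrived over TLS, and a host on the allowlist still gets upgraded once it has announced HSTS, so a stale local exception cannot downgrade a site that has since moved to strict transport.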

Privacy-Respecting Defaults

KDE software supporting this goal should:

  • Only collect and send data when necessary, when it is clear and sensible from within the context, and using vetted privacy-preserving methods (e.g. RAPPOR, as used by Chrome). No hidden telemetry sending user stats, no HTTP connections downloading content, no search queries to online services without the user's explicit consent (or where it is entirely clear from the context, e.g. web browsers, software updaters, etc.).
  • Use anonymity where possible, for example by using Tor connections for things like telemetry and weather updates which do not require the third party to identify the user (we cannot control third-party services or how they will behave).
  • No collection of privacy-relevant data without clear purpose and without doing the best we can to preserve your privacy (for example by using differential privacy)
  • Privacy-preserving defaults: a user should not have to change the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk of doing so should be clear, either from context or explicitly stated.)
  • Use clear and consistent UI and design language around network-related options
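The "vetted privacy-preserving methods" and "differential privacy" bullets above name the mechanism without showing it. Below is an added example, not KDE or KUserFeedback code, of the core of RAPPOR-style telemetry: each client reports a bit vector (in this constructed scenario, which of four features it uses) after flipping every bit with probability f/2, and the server recovers population counts with an unbiased estimator while no single report can be trusted. The per-bit flip and the estimator are basic RAPPOR's permanent randomized response; the function names, the secret-keyed memoisation and the simulated population are this example's own assumptions.

```python
"""Differentially private telemetry with RAPPOR-style randomized response.

Added example, not KDE or KUserFeedback code.  The population below is
constructed for the simulation.
"""
import hashlib
import math
import random
from typing import List, Sequence


def epsilon(f: float) -> float:
    """Per-bit privacy budget of flipping with probability f/2: the likelihood
    ratio between 'true bit was 1' and 'true bit was 0' is at most
    (1 - f/2) / (f/2).  f = 0.5 gives ln 3."""
    return math.log((2 - f) / f)


def permanent_response(client_id: str, bits: Sequence[int], f: float,
                       secret: bytes) -> List[int]:
    """Randomise one client's true bits.  The noise is derived from
    (secret, client_id, bits), so the same true value always yields the same
    report and repeated uploads cannot be averaged to strip the noise.
    The secret must stay on the client; a server that knew it could replay
    the randomisation for every candidate value and undo it."""
    seed = hashlib.sha256(secret + client_id.encode() + bytes(bits)).digest()
    rng = random.Random(seed)
    return [b ^ 1 if rng.random() < f / 2 else b for b in bits]


def estimate_counts(reports: Sequence[Sequence[int]], f: float) -> List[float]:
    """Unbiased estimate of how many clients truly had each bit set.
    E[observed ones] = (1 - f/2) * T + (f/2) * (N - T), solved for T."""
    n = len(reports)
    width = len(reports[0])
    observed = [sum(r[i] for r in reports) for i in range(width)]
    return [(y - (f / 2) * n) / (1 - f) for y in observed]


def simulate(n: int, rates: Sequence[float], f: float, seed: int = 1) -> List[List[int]]:
    """Constructed population: client i uses feature j with probability rates[j].
    One shared secret is used here only for the simulation; every real client
    would hold its own random secret."""
    rng = random.Random(seed)
    secret = b"simulation-only secret"
    reports = []
    for i in range(n):
        truth = [1 if rng.random() < p else 0 for p in rates]
        reports.append(permanent_response(f"client-{i}", truth, f, secret))
    return reports


if __name__ == "__main__":
    rates = [0.6, 0.2, 0.05, 0.0]
    n, f = 20000, 0.5
    est = estimate_counts(simulate(n, rates, f), f)
    print(f"epsilon per bit = {epsilon(f):.3f}")
    for j, (p, e) in enumerate(zip(rates, est)):
        print(f"feature {j}: true {int(p * n):6d}  estimated {e:8.1f}")
```

With f = 0.5 every reported bit is wrong with probability 1/4, so an individual upload says little about that user, while over twenty thousand clients the counts come back within a couple of hundred of the truth. Real RAPPOR adds a second, per-report randomisation layer and Bloom-filter encoding of strings; the memoisation shown here is what keeps the permanent layer from being averaged away.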

Offering the Right Tools

KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:

  • An email client allowing encrypted communication
  • Chat and instant messaging with state-of-the-art protocol security (the Signal Protocol, or comparable designs as used by Briar and Matrix)
  • A web browser with private default settings
  • Allow users to easily scrub metadata from files (e.g. Dolphin integration of MAT)
  • Other tools that allow offline operation and independence from popular cloud services (e.g. File storage and groupware solutions)
  • Support for online services that can be operated as private instances, not depending on third-party providers
  • State-of-the-art support and integration for projects like Tor, MAT, secure-delete tools, etc.

How we know we succeeded

Static and runtime analysis tools, such as:

  • Wireshark
  • gdb
  • [...]

KDE software can be audited for security vulnerabilities by security experts, organizations, and firms, such as:

KDE software can be audited for compliance with common, security related standards, such as:

  • NIST Cybersecurity Framework (NIST CSF)
  • ISO/IEC 15408 (Common Criteria)
  • RFC 2196 (Site Security Handbook)
  • Cyber Essentials (UK Government Standard)

"Soft" criteria include:

  • Press and third parties refer to KDE as carrying the gold standard for such software
  • Journalists prefer KDE software for their work
  • The NSA hates KDE
  • The CCC loves KDE ♥

Relevant links

I am willing to put work into this

I am interested

see also T7050 for discussion about the sprint goal

Recent Activity

Sep 29 2019

toma closed T10731: files.kde.org redirects to mirrors with http only as Wontfix.
Sep 29 2019, 2:36 PM · Sysadmin, KDE Privacy Goal
bcooksley added a comment to T10731: files.kde.org redirects to mirrors with http only.

I concur with Tom on this one. We currently have a number of projects underway (most importantly, the Gitlab migration) which our resources are probably better directed towards.

Sep 29 2019, 12:17 AM · Sysadmin, KDE Privacy Goal

Sep 24 2019

jbbgameich added a comment to T11763: Integrate applications sandboxing into Plasma .

Firejail would only work for applications that are not already sandboxed. We'd need a separate settings backend for flatpak and probably also snap.

Sep 24 2019, 10:06 AM · KDE Privacy Goal

Sep 23 2019

ognarb added a project to T11763: Integrate applications sandboxing into Plasma : KDE Privacy Goal.
Sep 23 2019, 7:36 PM · KDE Privacy Goal
toma added a comment to T10731: files.kde.org redirects to mirrors with http only.

I think we lack resources to work on this, especially also since there is no real alternative that brings substantial improvements.
I suggest we close this for now with wontfix status.

Sep 23 2019, 7:34 PM · Sysadmin, KDE Privacy Goal

Sep 22 2019

jamesth added a watcher for KDE Privacy Goal: jamesth.
Sep 22 2019, 4:21 PM

Sep 17 2019

brenthuisman added a comment to T8408: Autocrypt support for kmail.

Separate keyrings is indeed what I meant, it's what at least some clients do. I don't think gpg supports multiple keyrings though, so you'd need to include a lib.

Sep 17 2019, 3:04 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM
knauss added a comment to T8408: Autocrypt support for kmail.

Regarding the externality of the PGP client: a few tools I know use an internal (OpenPGP.js I am sure) library when set to Autocrypt mode. Enigmail as of version 2, when in the default easy mode, did not appear to store keys in the external client (when autocrypt is enabled) but somewhere internal (you can find openpgp.js in the Enigmail sources). The pEp mail client's the same, and a new Thunderbird client 'AutoCrypt' that does not offer a regular PGP mode also won't use any client you may have installed.

Sep 17 2019, 2:43 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Sep 11 2019

knauss moved T742: Add Memory Hole support from Technical to In Progress on the KDE Privacy Goal board.
Sep 11 2019, 9:31 AM · KDE Privacy Goal, KDE PIM
knauss moved T11621: Send encrypted Mail headers from incoming to Technical on the KDE Privacy Goal board.
Sep 11 2019, 9:31 AM · KDE PIM
knauss triaged T11621: Send encrypted Mail headers as Normal priority.
Sep 11 2019, 9:21 AM · KDE PIM
knauss added a comment to T742: Add Memory Hole support.

Next step: sending MemoryHole headers.

Sep 11 2019, 9:18 AM · KDE Privacy Goal, KDE PIM
knauss added a comment to T742: Add Memory Hole support.

Okay, with D23807 in the repository, we can now display MemoryHole headers correctly.

Sep 11 2019, 9:16 AM · KDE Privacy Goal, KDE PIM

Sep 9 2019

knauss added a revision to T742: Add Memory Hole support: D23807: feat(mimetreeparser): to get rid of rendering in parsing library completly..
Sep 9 2019, 8:33 PM · KDE Privacy Goal, KDE PIM

Sep 4 2019

brenthuisman added a comment to T8408: Autocrypt support for kmail.

@knauss Thanks for your elaboration.

Sep 4 2019, 1:04 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Sep 1 2019

knauss added a comment to T742: Add Memory Hole support.

The last bit missing is to change the order of execution, when we display a mail. The order we need is:

Sep 1 2019, 3:56 PM · KDE Privacy Goal, KDE PIM
knauss edited projects for T8568: Create Interface to MimeTreeParser for Headers, added: KDE PIM (Applications 19.12 (master)); removed KDE PIM.
Sep 1 2019, 3:50 PM · KDE PIM (Applications 19.12 (master))
knauss added a revision to T742: Add Memory Hole support: D23649: feat(mimetreeparser): Support MemoryHole in MimeTreeParser..
Sep 1 2019, 3:35 PM · KDE Privacy Goal, KDE PIM
knauss moved T742: Add Memory Hole support from Backlog to In Progress on the KDE PIM board.

The basic support for the MessageViewer will end in a few days.

Sep 1 2019, 3:33 PM · KDE Privacy Goal, KDE PIM

Aug 29 2019

fsitter added a comment to T10716: Add check for accidental http: usage.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal
fsitter added a comment to T10724: List of applications respecting tor proxy settings.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal
fsitter added a comment to T10717: State of using Tor Browser as default browser.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal
fsitter added a comment to T10728: Use HSTS for QNetworkAccessManager.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal
fsitter added a comment to T742: Add Memory Hole support.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal, KDE PIM
fsitter added a comment to T8447: Indexing encrypted mails.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal, KDE PIM
fsitter added a comment to T8403: Visualisation of secured headers in kmail.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal, VDG, KDE PIM
fsitter added a comment to T8567: Add DKIM Status.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal, KDE PIM
fsitter added a comment to T8408: Autocrypt support for kmail.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM
fsitter added a comment to T10721: Leak information via DHCP.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · Plasma, KDE Privacy Goal
fsitter added a comment to T10725: Evaluate different internet stacks for modern recommendations.

[spam comment removed by sysadmin]

Aug 29 2019, 3:44 PM · Frameworks, KDE Privacy Goal
fsitter added a comment to T7528: Make Akregator respect privacy by default.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · KDE Privacy Goal, KDE PIM
fsitter added a comment to T8811: Implement Differential Privacy telemetry.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · KDE Privacy Goal, KUserFeedback
fsitter added a comment to T8807: Metadata Anonymisation Toolkit integration in Dolphin.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · KDE Privacy Goal, Dolphin
fsitter added a comment to T10719: Rescue KDing (or similar) as offline dictionary.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · Plasma, KDE Privacy Goal
fsitter added a comment to T9913: Automated Malware Scans for KDE Store Uploads.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · KDE Privacy Goal, KDE Store
fsitter added a comment to T10732: apptication to monitor all ongoing traffic.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · VDG, KDE Privacy Goal
fsitter added a comment to T10733: Application to change routing to the internet.

[spam comment removed by sysadmin]

Aug 29 2019, 3:43 PM · KDE Privacy Goal
fsitter added a comment to T10731: files.kde.org redirects to mirrors with http only.

[spam comment removed by sysadmin]

Aug 29 2019, 3:41 PM · Sysadmin, KDE Privacy Goal

Aug 23 2019

knauss added a comment to T8408: Autocrypt support for kmail.

Encouraged by the Junior label and heliosmartins reference, I'm looking into the Autocrypt spec to see if this is something I could do (I do not know what the Junior label specifically means or how it was determined). Adding a header to all outgoing emails seems fairly straightforward.

Aug 23 2019, 10:38 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Aug 2 2019

bcooksley added a comment to T10731: files.kde.org redirects to mirrors with http only.

Cool, nice to know we have some options. Mirrorbits looks pretty good, let's see what other projects say before we start an evaluation (it looks pretty good and would definitely be a decent replacement of Mirrorbrain)

Aug 2 2019, 7:15 PM · Sysadmin, KDE Privacy Goal
toma added a comment to T10731: files.kde.org redirects to mirrors with http only.

Thanks for taking the time to respond. I've done some digging. Debian has been using different systems in the past: https://wiki.debian.org/DebianGeoMirror

Aug 2 2019, 6:01 PM · Sysadmin, KDE Privacy Goal

Aug 1 2019

bcooksley added a comment to T10731: files.kde.org redirects to mirrors with http only.

That explains why Mirrorbrain hasn't moved much in recent times...

Aug 1 2019, 11:11 AM · Sysadmin, KDE Privacy Goal

Jul 31 2019

tomal added a comment to T10731: files.kde.org redirects to mirrors with http only.

For your information: I've contacted Peter (MirrorBrain). He has shifted his attention to his private life and probably won't work on MirrorBrain anymore, so new features like https should not be expected from him. Though I saw some bits on their mailing list about https too.

Jul 31 2019, 4:44 PM · Sysadmin, KDE Privacy Goal

Jul 22 2019

lavender added a comment to T9913: Automated Malware Scans for KDE Store Uploads.

It seems like these kind of malware are already being seen in the wild on linux desktops: EvilGnome

Jul 22 2019, 9:11 AM · KDE Privacy Goal, KDE Store

Jul 9 2019

brenthuisman added a comment to T8408: Autocrypt support for kmail.

Encouraged by the Junior label and heliosmartins reference, I'm looking into the Autocrypt spec to see if this is something I could do (I do not know what the Junior label specifically means or how it was determined). Adding a header to all outgoing emails seems fairly straightforward. For retrieving mails, which was classified as 'advanced' in the task, I'm trying to flesh out the work needed a bit more. I have zero Kmail or KDE coding experience (a bit of C++ I do). The Autocrypt spec does seem quite well worked out such that I only have to think about the best integration into Kmail.

Jul 9 2019, 4:04 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Jul 4 2019

heliosmartin added a comment to T8408: Autocrypt support for kmail.

Wishlist bug report about autocrypt support:

Jul 4 2019, 8:05 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Jun 18 2019

nicklaw added a comment to T8408: Autocrypt support for kmail.

As Thunderbird and k9-mail (Android) support autocrypt it would certainly make things a little easier when using email encryption and making it a little easier isn't a bad thing.

Jun 18 2019, 4:46 PM · KDE Privacy Goal, KDE PIM: Junior Jobs, KDE PIM

Jun 15 2019

fbampaloukas added a member for KDE Privacy Goal: fbampaloukas.
Jun 15 2019, 8:29 PM
fbampaloukas added a watcher for KDE Privacy Goal: fbampaloukas.
Jun 15 2019, 8:29 PM

Jun 10 2019

lavender added a comment to T10732: apptication to monitor all ongoing traffic.

Adding VDG because we will need a design for this

Jun 10 2019, 8:50 PM · VDG, KDE Privacy Goal