> "**In 5 years, KDE software enables and promotes privacy**"
Privacy is the new challenge for Free Software. KDE is in a unique position to offer users a complete software environment that helps them protect their privacy. Being community-driven and user-focused, KDE has the opportunity to put privacy at the top of the agenda; arguably, being in this position, KDE has the obligation to do so, in the interest of its users.
The effect is expected to be two-fold:
* Offer users the tools to protect their privacy and to lead a private and safe digital life without compromising their identity or exposing their habits and communications
* Set a high standard and example for others to follow: define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and ecosystem to protect users' privacy better
Leaking user data, allowing users to be tracked, and collecting their most private information in databases across the world means that users lose control of their identity: of what parts of it they want others to know, and what they want to keep to themselves. Worse, data being collected in so many places, often commercially but also by governments, means that the user has little way of knowing what is known about him or her, let alone being able to determine who should be able to control what. Data being persistently collected means that not only today's security measures and policies are relevant, but also the future's. This poses multiple great risks.
KDE adds a 5th Freedom to the 5 principal software Freedoms:
> “**The freedom to decide which data is sent to which service**”.
==Personal Risks for Users==
Risks that individual users run are, among others:
* The more data that is collected, the bigger the risk of Identity Theft becomes
* More collected data means that decisions will be made for the user based on skewed or incomplete information (imagine insurance policies)
* Collected data may end up in the hands of oppressive regimes, posing risks to the user when travelling, or even at home
* Users' most private secrets may end up in the wrong hands
Socio-economic effects that affect how society and national and international communities work are:
* Free speech is compromised
* Journalists need tools to communicate secretly; lacking those, freedom and independence of the press cannot be guaranteed
* Trade secrets cannot be kept, and free markets cannot function without tools protecting privacy
* Sovereignty of nations cannot be guaranteed
* Cyber-attacks may lead to a shift in power
Assume anyone can see your WiFi network traffic (e.g. via recent vulnerabilities in WPA2). Using your device in such an environment should be safe and should not compromise your privacy any more than using a wired network at home.
Possible counter-measures: Encrypted communication, VPN.
Assume your device gets stolen in a switched off or locked screen state. This should not result in a disclosure of personal data.
Possible counter-measures: Local encryption.
==Mega Corporations ("Google")==
It should be possible to enjoy the benefits of state-of-the-art consumer electronics, communication and content without individual companies creating detailed user profiles.
Possible counter-measures: Free alternatives for proprietary services.
==Global Surveillance ("NSA")==
Assume that all Internet traffic is being recorded, and that there are deliberate attempts to break or weaken encryption.
Possible counter-measures: State of the art encryption, minimize network communication, Tor.
==Targeted Surveillance ("Snowden")==
Could be politically motivated, or industrial espionage, carried out by an actor with significant skill and resources.
Possible counter-measures: ???
==Rogue local software==
Assume you run any kind of software not coming from a trusted source (your distribution). E.g. you clone a GitHub repo and run the code. That code may pull in further untrusted dependencies (Maven, Node, ...). It should be easy to protect your personal data, KWallet contents, browser history, etc. and your local network from that code.
Possible counter-measures: easy and configurable sandboxing
=What will it take?=
* Privacy-respecting defaults
* Offering the right tools in the first place
We can only guarantee privacy if we also value security.
* Functioning code-review
* Quick turn-around times for software updates, especially security fixes
* Prefer to use encrypted communication where possible, prefer HTTPS over HTTP where possible, avoid unencrypted connections
* Storing sensitive information only in an encrypted way
* Moving away from inherently insecure technologies, e.g. defaulting to Wayland instead of X11
* Avoiding single points of failure and centralized control
KDE software supporting this goal should:
* Only collect and send data when it is necessary and clear and sensible from within the context. No hidden telemetry sending user stats, no HTTP connections downloading content, no search queries to online services without the user's explicit consent (or where it is entirely clear from the context, e.g. web browsers, software updaters, etc.).
* Use anonymity where it is possible, for example by using Tor connections for things like weather updates that don't require user identification
* No collection of privacy-relevant data without clear purpose.
* Conservative defaults: a user should not have to change the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk of doing so should be clear, either from context or explicitly stated.)
* Use clear and consistent UI and design language around network-related options
==Offering the Right Tools==
KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:
* An email client allowing encrypted communication
* Chat and instant messaging with state-of-the-art protocol security
* A web browser (self-provided) that has private default settings
* File storage and groupware solutions
* Other tools that allow offline operation and independence from popular cloud services
* Support for online services that can be operated as a private instance, not depending on a third-party provider
* State-of-the-art support and integration for services like Tor, Matrix, Zeronet, etc.
* KDE e.V. allows anonymous donations via bitcoin (or other crypto currencies)
* Adoption of blockchain where useful
=How we know we succeeded=
* Static and runtime analysis tools
KDE software can be audited for compliance with common security-related standards, such as:
* NIST Cybersecurity Framework (NIST CSF)
* ISO 15408
* Cyber Essentials (UK Government Standard)
* ... etc.
"Soft" criteria include:
* Press and third parties refer to KDE as carrying the //gold standard// for such software
* Journalists prefer KDE software for their work
* The NSA hates KDE
* The CCC loves KDE ♥
* General reading about cyber security standards: https://en.wikipedia.org/wiki/Cyber_security_standards
* NIST CSF: https://en.wikipedia.org/wiki/NIST_Cybersecurity_Framework
* RFC2196: https://tools.ietf.org/html/rfc2196
* Tor Project: https://www.torproject.org
* Zeronet: https://zeronet.io/
* Blockchain: https://en.wikipedia.org/wiki/Blockchain
* Bitcoin: https://en.wikipedia.org/wiki/Bitcoin
* Schneier on Security (security professional and advocate): https://www.schneier.com/
=I am willing to put work into this=
* Sebastian Kügler (@sebas)
* Bhushan Shah (@bshah)
* Valorie Zimmerman (writing, promo)
* Martin Flöser (@graesslin)
* Ivan Čukić (@ivan)
* Jens Reuterberg (@jensreuterberg)
* Sandro Knauß (@knauss)
* Volker Krause (@vkrause)
* Andre Heinecke (@aheinecke)
=I am interested=
* Frederik Schwarzer
* Nathaniel Graham
* Olaf Schmidt-Wischhöfer
* Adrián Chaves (@adrianchavesfernandez)
* Thomas Pfeiffer
* Gregor Mi (@gregormi)
* Neofytos Kolokotronis (@neofytosk)
* Aleix Pol
* Lays Rodrigues (@laysrodrigues)
* Rishabh Gupta
* Sagar Hani (@sagarhani)
* Marco Martin (@mart)
* Jacky Alcine (@jackyalcine)
* Scott Harvey (@sharvey)