Blackphone2 review (2)

So either you trust Apple not to sell your information and keep it secret, or you don't have a phone?
I can't really understand this. Android and Dalvik/ART are all open source, and I have been blown away by a lot of people who claims it to be so safe and free, because of that. Clearly that is not the case and all Google does it to fake you to believe it and use their services, gaming on the fact that very few people actually have the knowledge and time to check the software out?
I would have thought Blackphone had used this opportunity to change the software to be private? Or is that just too daunting a task for a small company?
Seen from a business perspective I trust Apple the most. The make so many money on very expensive hardware, that the have no interest in using your data, on the contrary, they now use that as a marketing tool. I mean that is a clear cut deal. We take your money, you can only use app's from our App Store, etc. In return your data are private (unless you use FB, or Google Apps and don't turn off the snooping)

I run around with a general purpose computer in my pocket, but I don't use it for any information which isn't 100% public.

Let me get this rigth: You use a vintage Nokia (or similar) featurephone as a modem for a pocket-PC probably running *BSD. That should enable running a SSH tunnel home to your 24/7 home server. Right? Just leaves one question: Which pocket-PC?

So either you trust Apple not to sell your information and keep it secret, or you don't have a phone?

Well, that's apparently the scary fact of life now; either you share your information with $BigSnoopingCompany, or you don't have a smartphone at all.

And I really would dislike it if PHK's tremendous work here is simply used for parading personal ideas about "iPhone is more private than Android", or the like. This is not the lesson here, at least not if you're serious about privacy.

What I take away from this review (and I seriously was considering buying a Blackphone), is that privacy isn't an option on today's smartphone market. Period. Even phones bragging about being "private by design" are configured in a way, that will have you struggling for obtaining the promised privacy - if it's obtainable at all!

The push for Google/Apple/MS/whoever to trap the users in an application silo with "seamless integration", and strip them for valuable private data to "optimize the user experience" is massive, and neither is an option if you wan't to keep things private. But the vast majority of users ignore this fact, or just don't care.

A thin layer of privacy gloss over the offered smartphone operating system (Android, iOS, etc) isn't going to cut it for the privacy aware user. And that's basically it - take it or leave it.

A thin layer of privacy gloss over the offered smartphone operating system (Android, iOS, etc) isn't going to cut it for the privacy aware user. And that's basically it - take it or leave it.

I see what you mean. I still think there is a difference though. Google is making a living from your data, Apple and Microsoft (I suppose) are not! So even though Apple probably could access your data, they don't (they claim they can't for personal data). Google do! Further, Apple and to some extend Microsoft have done a much better job of keeping your device up2date security wise. 90% of android devices are running with know exploits open, as Samsung, HTC, Sony, etc don't give a damm about upgrading old versions. 2 put in short, I am more comfortable using mobile banking from an iOS device than from any android device! Of 3 evils, I choose the lesser evil :-)

What makes you suppose that ?

You r right, I have only their word for it! So you can boil it down to a matter of trust.But I don't see anybody claiming apple to be in the data brokering business. And again, why should they, it is not their business model, on the contrary. It is the business model of Google (and Facebook and a lot of others).

Google is making a living from your data, Apple and Microsoft (I suppose) are not!

You haven't paid any attention to Windows 10 lately (both Phone and Desktop) have you?

http://www.extremetech.com/computing/220588-new-windows-10-stats-show-mi...

But the fact that I cannot trust the device to begin with, makes this less important.

The real underlying problem is that governments, instead og using their power to protect us and make some good legislation in this area, have done the exact opposite. I think this can only be solved politically by laws that protect us from the likes of Google, Microsoft, Apple, etc. I is NOT ok, that I as a normal consumer, should worry if my privacy is exploited or not, by using a computer, smartphone, or what ever!

Google wasn't in the panopticon business when they started.

Are you sure

You haven't paid any attention to Windows 10 lately (both Phone and Desktop) have you?

Not really, obviously :-). The worst I have heard, is that the keys used for encryption of the hard-drive is send to Microsoft and kept there!

Google is making a living from your data, Apple and Microsoft (I suppose) are not!

Remember it isn't just about what MS and Apple do.
- Being US based companies, they must follow US law, and can be forced to hand over any data to the US government.
- Also remember, MS is trying hard to get into the advertising market through their search engine - they strive to take away precious market share from Google, so right now they might make a big point out of saying "we don't sell your data", but that's easy as long as their puny market share keeps the value of their collected data low - if the size of their collected data increases, so does the value, and a push from share holders could force MS to cash in on that value, if it gets high enough.
- Apple and MS can be taken over by or sold to other companies, who might have a different approach, or they might sell some divisions of their operation, causing user data to float into another company.
- Then there's apps - apps can harvest behavioral data, and these apps are not necessarily controlled by Apple or MS, making Apples and MS's behavior irrelevant in this discussion. One of the key selling points of the Blackphone is that you can cut apps access to your phone pretty tight.

Yes.

Hmm, so you did not read the link?
<snippet>
In 1994 — the same year the Highlands Forum was founded under the stewardship of the Office of the Secretary of Defense, the ONA, and DARPA — two young PhD students at Stanford University, Sergey Brin and Larry Page, made their breakthrough on the first automated web crawling and page ranking application. That application remains the core component of what eventually became Google’s search service. Brin and Page had performed their work with funding from the Digital Library Initiative (DLI), a multi-agency programme of the National Science Foundation (NSF), NASA and DARPA.
But that’s just one side of the story.
Throughout the development of the search engine, Sergey Brin reported regularly and directly to two people who were not Stanford faculty at all: Dr. Bhavani Thuraisingham and Dr. Rick Steinheiser. Both were representatives of a sensitive US intelligence community research programme on information security and data-mining.
</snippet>

• Apple and MS can be taken over by or sold to other companies, who might have a different approach, or they might sell some divisions of their operation, causing user data to float into another company.

Absolutely (although the chance of anybody cashing out US$ 700 billion for Apple is a bit remote) and I absolutely aknowledge that you don't have privacy per se. I just consider Apple the least evil option right now. I might be wrong in that, in the end it is a subjective evaluation by me.

Gad vide om det måske er lettere/muligt at skabe en eller anden form for privatliv med en Jolla smartphone?

Umiddelbart virker det som om at Sailfish OS er lidt mere "tweakbar" for dem der gider.

Er der nogen her med erfaringer?

Og tak for anmeldelsen. Jeg har været tæt på at brænde penge af på en Blackphone. Det projekt er lagt i graven nu.

It sounds like Blackphone compromised its security gains for the benefit of usability by including Google apps. And honestly, you may get away with letting Google build your house, but you won't get any privacy if you let them stay in your home afterwards.

For comparison, I'm currently running CyanogenMod on a rooted Nexus 5 without Google apps. It's hardly secure (e.g. it has the same list of 150 more or less dubious CAs) but at least Google is nowhere to be seen, and I have basic protections like Privacy Guard and the AFWall+ firewall, which help to reenable the original Android "jail" mechanism of isolated apps. Still doesn't mean that a malicius app couldn't wreak havoc... Fortunately, the selection is limited. ;)

One thing that is painfully obvious is that Android (that is, the thing people think of as Android) is not open source. It's at best "open core", with Google moving increasing amounts of functionality from the Android Open Source Project into closed source Google apps.

Since I have no Google account, and the phone is not registered with Google, I obviously cannot use Google Play store, though I can use various semi-shady sites to obtain free apps from the store, e.g. Rejseplanen. F-droid gives me basics like Firefox (for now, at least), VLC, Document Viewer and PocketMaps. But cutting the Google umbilical cord means that security updates are shaky, and so is the GPS. (Modern smartphones rely on augmented GPS a great deal for optimal GPS operation. There are alternatives to Google though, e.g. Mozilla.)

Apps like Swipp and MobilePay are unavailable: Both apps send your financial data via the Google mothership. At this rate, Jolla might soon have a larger app ecosystem than an "unsupervised" Android phone.

So, yeah... Android is out, from a privacy perspective. So is iOS (at least I can install an app without informing the manufacturer). FirefoxOS to the rescue? ;P

Based on network traces I have seen, Apple do collect a lot of information.

It's kind of hard to see what information though. A while ago I created a special rule for communication to/from 17.0.0.0/8 in iptables on my home-network. On an average day, with 3 AppleTV's, 2 iPhones, 2 iPads and 1 TimeCapsule, approx. 170 Mbyte of data was transferred to and from Apple's network (excluding App-updates)...

Could one build a business on supplying free and safe software for phones?

Maybe a foundation that writes (and releases under some kind of liberal and free license) the software and a business side that install the software onto phones and sells it to regulare people and company and leaves the hacking to people who enjoys this?

There might be some interesting starting-points here : https://en.wikipedia.org/wiki/List_of_open-source_mobile_phones

And here:
http://openphoenux.org/

How is Blackberry doing in the privacy area?
It seemed as a good product several years ago when I worked with them.

Jeg bruger en telefon med Ubuntu, Aquaris E4.5 fra BQ

Den læser i hvert fald ikke PDF over skulderen.

You know, it is possible to disable apps on most Android-based devices, though you still have to rely on the Google/Android ecosystem, and trust the device, when it claims that a certain app is disabled.

It IS however possible to build an Android version for any device, which offers Android support to the hardware.

Alternatively one will have to use any electronical device, keeping in mind, that privacy IS broken. This will move privacy from your device to your mind ...

Sometimes I wonder, if the Cold War really ever ended

GSM baseband firmware, and device drivers is your biggest problem, when creating a truely open source mobile phone.

There are few or no open alternatives to the closed-source.

GSM baseband firmware, and device drivers is your biggest problem, when creating a truely open source mobile phone.

IMHO, your biggest problem will be to sell a smartphone that is not part of the iOS or Android app-ecosystem.

Jolla/SailfishOS might still have some lack of crypto support, except the fundamental GNU/Linux tools of course. And they also don't have tools to control what stuff applications can access etc., except of course you may be able to do something with SELinux or similar, but I don't think it'd be easy.

But they certainly don't have all the default apps spying on your every move by default. And they have plans for a "security" version of SailfishOS partnering with SSH Communications:
https://cdn.jolla.com/wp-content/uploads/bsk-pdf-manager/49_PRESS_RELEAS...

But unless people start putting their money where their mouthes are, soon we might not have Jolla/SailfishOS - or any other privacy respecting, FOSS'ish mobile OS alternative to Android or iOS. Jolla recently almost went backrupt but got saved by investors.

FirefoxOS got discontinued for phones, and if I'm not mistaken Blackberry are moving to Android in 2016. So the alternatives to the duopoly (oligopoly if you want to give MS that much credit) are running out fast.

Jolla/SailfishOS is not perfect (yet) on many levels, but it's still great, and it's our best long-term bet for a decent mobile OS imho.

@Thomas Løcke (og eventuelle andre):

Du skal kunne mere end den gennemsnitlige mobilbruger, hvis du vil tweake på en Jolla. Det siger selvfølgelig ikke så meget, men jeg har en fornemmelse af, at du godt ved, hvordan man bruger en shell a la linux – og præcis sådan en dukker op som app, når man aktiverer ”udviklertilstand” på en Jolla. Man kan herefter logge på den via SSH med en adgangskode, der sættes på ny, hver gang men aktiverer udviklertilstand.

Der har været / er lidt debat om kryptering af telefonen, f.eks.: https://together.jolla.com/question/2158/optional-encryption-of-the-device/

Pt. er det ikke implementeret, men en af brugerne beskrev et hack.

Jeg ved for lidt til at vide, om Sailfish OS er mere eller mindre sikkert end Android, iOS, Windows eller noget helt fjerde. Mit bud er, at det generelt nok er nogenlunde det samme. Men jeg føler mig ret sikker på, at Jolla ikke har snablen nede i dine personlige data – dels er det ikke deres forretningsmodel, dels tror jeg, at firmaet er for lille til, at de ville kunne håndtere den massive mængde af information.
Jeg var positivt overrasket, da jeg fik min Jolla – den kommer med et minimum af præinstallerede apps; der er hverken ur, kalender, lommeregner eller kort. Selv Android-supporten skal installeres. Dette er dog nemt, da det bare er apps, der skal lægges ind via Jolla-marked.

På minus-siden skal det nævnes, at man ikke for hver app kan styre, hvad den skal have adgang til af private ting, så som position, kamera, mikrofon, kontaktpersoner etc. Der har Android en fordel – MEN hvor nyttigt er det redskab i virkeligheden, når praktisk alle Android-apps kræver adgang til et eller andet personligt? Sagen er den, at man selvfølgelig altid kan argumentere for, at en f.eks. en app til at læse stregkoder skal bruge kameraet, men vi har ingen ide om, hvorvidt pågældende app kan finde på at aktivere kameraet uden vores vidende. Jaja, jeg ved det - sølvpapirshatten blev lige fundet frem igen. Men jeg finder betryggende, at når man i Jolla lukker en app, kører den ikke bare i baggrunden, som jeg har oplevet det på min Android

Generelt synes jeg det er sund fornuftigt kun at installere de apps, man virkelig har brug for og holder det på et minimum. Drop dog en Facebook-app, hvis man kan nøjes med en browser; vi ved ikke, hvad appen samler ind af information. Jeg har heller ikke installeret Android-support på min Jolla – jeg har ikke brug for det. Indtil videre kan jeg ”nøjes” med de apps, jeg kan finde på Jolla-marked, selvom udvalget i forhold til Google Play er skrabet.

Desuden vil jeg give Martin Schlander ret – bekymrer man sig om privatliv og sikkerhed, må man give de etablerede noget konkurrence. Dels når det drejer sig om at have snablen nede i vores privatliv, dels når det drejer sig om opdateringer til OS – hvad der for fa… aldrig burde have været et issue! (Pt. ser jeg kun iOS, CyanogenMod, Sailfish OS og Ubuntu Touch, der opdaterer device independent.)

PS: en fin lille oversigt:
https://en.wikipedia.org/wiki/Comparison_of_mobile_operating_systems

Late one to this but the generic sounding Government Root Cert in question seems to be "Government of Taiwan, Government Root Certification Authority" checking the sha-1 thumbprint (F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9)

It's listed in Microsoft Trusted Root CA here (14/10/2016) - https://social.technet.microsoft.com/wiki/contents/articles/35984.micros...

Amazon SNS here: https://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.https.ca.html

So is probably ok? I've always felt it would be good to have a collated list of the various different CAs that different vendors trust.

Hej Poul-Henning,

Har du mulighed for og lyst til at fortælle hvordan det går med din Blackphone2?

Jeg overvejer at købe en, så jeg ville sætte pris på en status efter længere tids brug.

Tak.

Jeg er ikke sikker på at det bliver en Blackphone2, men jeg betragter det som et stort plus at du stadig bruger den :-) At de er hurtigt ude med sikkerhedsopdateringer er også et væsentligt plus.

Ville du købe en anden telefon hvis du skulle købe en ny telefon i dag?

Tak fordi du tog dig tiden til at svare.

Hvis du har tålmodighed, kunne Librem 5 være en mulighed:
https://puri.sm/shop/librem-5/

Hvis du har tålmodighed, kunne Librem 5 være en mulighed:
https://puri.sm/shop/librem-5/

Den skal desværre bruges nu :-)