I am moving to GrapheneOS and QubesOS
And here's why you should too!
Many of you will have seen the recent headlines regarding the United Kingdom (UK) government’s overreach into the personal and encrypted data of every Apple device user in the world… but if you haven’t, here’s a taste:
While the reaction by Apple and some sectors of the media has been swift and superficially visceral, it completely ignores that many governments, the UK chief among them, have been steering towards this Orwellian goal for far more than a decade. People forget that, for example, in the early 2010s the US Government and the then- Head of the FBI James Comey were already demanding technology (smart device) and platform (social media and app) companies build backdoors into the encrypted solutions you use every day to enable government surveillance and bulk data collection.
They also forget that in 2018, and while the WEF was already engaged in maneuvering many of their controlled politicians like Justin Trudeau, Joe Biden, Jacinda Adern, Scott Morrison, Emmanuel Macron, Boris Johnson and Rishi Sunak into positions of absolute and sometimes dictatorial power ahead of taking some level of global control during the Covid-19 global fiasco, the Five Eyes countries had already foreshadowed that they were going to force creation of these encryption backdoors.
And they further forget that in that same year, 2018, and under the guise of saving Ausralian citizens from terrorism that seems to have never actually visited Australia’s shores, the Australian Government enacted The Assistance and Access Act (AAA), 2018 - world-first legislation allowing government enforcement agencies, sometimes on little more than flimsy pretence and a request signed by a senior officer, to not only compel technology companies to hand over user details and data even when encrypted, but also to provide solutions that would either permit: (i) interception of the data as it is being transmitted or received by the technology; or (ii) allow law enforcement or government officers the ability to decrypt and access the user’s data at will.
What are governments doing?
The types of government that have continuously sought access into our everyday and private lives fall broadly into two types - those: (i) governments that are overtly controlled by globalists in organisations such as the WEF who fear for the longevity of their power and the financial gain that comes from controlling the lives and thoughts of their citizens; and (ii) governments of repressive, dictatorial and/or religiously oppressed cultures. The first rely on collective fearmongering and the now infamous tripartite problem-reaction-solution Hegelian dialectic approach to direct attention and the thoughts of citizens toward some amorphous threat other than the real threats that affect the lives of their citizenry, while the second simply resort to claiming the existence of such things as supposed culturally-undermining moralistic threats justify the leader’s power-creating or protecting dictats.
It could be argued at the moment that some governments exhibit both types at the same time, to which I would respond; the more alike the descriptions in Orwell’s 1984 a government becomes, the more likely it is that they are behaving as both types at the same time. For example: the UK government have, for most of the last 5 years, used a combination of both types to end up where we are today. It cannot be refuted that the UK government are, in fact, working hand-in-glove with and enacting the policies of unelected globalist supra-national organisations like the WEF. Their own website tells us so:
WEF policies are becoming UK law, whether or not the citizens vote for or want it. Take the ‘net zero’ environmental policies and the related ‘15 minute city’ concept that the mainstream media and net-zero supporting academics repeatedly told us were simultaneously both a new ‘planning best practice’ and ‘conspiracy theory’ (here, here, here and here). In mealey-mouthed articles and talks that were clearly intended to let them accept acclaim if it worked and downplay their involvement if it didnt, the WEF both promoted 15 minute cities and decried them at the same time as not always being a ‘best fit’ solution. Speaking out against the concept, such as pointing out that in application citizens might be ostensibly imprisoned within their 15 minute city and allowed outside its boundaries a limited number of times or only with permission - even though WEF-member UK government politicians (here and here) promoted and local authorities like Oxford Council created 15 minute city policies that said exactly these things - meant you could be labelled a conspiracy theorist and climate change denier; someone to be shunned, ridiculed and ignored. This included even labelling entire non-mainstream political parties.
Investigating this example finds that the UK government and their local authorities were being directed by a supra-national globalist organisation both in the macro (net zero and climate change) and micro (15 minute city) toward approaches for controlling UK citizens (type 1) and, were using the mainstream media and name-calling to opress citizens and repress free speech (type 2) - effectively acting as both types simultaneously. And this isn’t the only example - we have seen this play out in the UK recently with discourse around: trans issues; particular politicians; the Southport killer; the influx, funding and criminality of illegal boat-people immigrants; muslim rape gangs and the so-called covid vaccines. All the while, large factions of the native anglo-saxon white British population are becoming disenfranchised as they are repeatedly told to simply accept all these things that the government, who often acknowledge the influence of the unelected globalist organisations, are doing on their behalf. It has become so bad in the UK that news reports regularly show major fraud, violent or sexual offenders receiving sometimes no custodial sentence at all and not being deported for their aggrevated crimes because they are: muslim, have no friends or their children dislike chicken nuggets (here, here, here, here, here and here) - while those of white anglo-saxon descent are being criminalised, prosecuted or given lengthy custodial sentences often for little more than expressing an opinion or re-posting a meme on social media that someone decided was ‘inappropriate’ or contained ‘hurty words’ (here, here, here, here, here and here). This bias in favour of weaker or non-custodial sentences for ethnically non-white people in Britain is now even enshrined in law. But, if you are an indigenous white anglo-saxon British person who calls it out for being exactly what it is using the politician’s own words (here and here) - a racist and biased law and exemplar of Starmer’s ongoing two-tier justice system - you are labelled a racist liar and called offensive names (the examples are, while I still felt uncomfortable doing so, the ones I felt were safest and least-offensive to reproduce).
Why are government mandated backdoors bad?
While the Australian and UK governments argue that provisions within their legislation protect your privacy during legitemate encrypted online tasts such as internet banking, and require technology companies to provide encryption backdoors whilst preventing the creation of systemic weaknesses1, this ignores that any solution, even a government mandated one, that facilitates intrusion into end-to-end-encryption (E2EE) has introduced, and is, a systemic weakness.
There have been several proposed solutions that include either that (using a social media messaging app as an example):
(a) the app doesn’t use encryption at all - it just says it does.
(b) the app provider acts as their own Certificate Authority and thus issues and has access to every user’s private and public keys.
(c) the app provider could use a man-in-the-middle (MITM) model whereby all messages are forwarded to the app provider’s server which decrypts, copies, re-encrypts and forwards the message to the intended recipient.
(d) the app provider or law enforcement could act as a key escrow service - putting everyone’s encryption keys in one basket that would be a very attractive target for hackers with ill intent.
(e) the app provider issues an update that tells their app to clone the message when you hit send and encrypts it once with the public key of the recipient and a second time with a public key from the app provider, and then sends the message to both the intended recipient and a server belonging to the app provider. This would mean that the social media messenger company would retain a copy of every single message you send and receive and could decrypt it at will - making it potentially available to their own staff, police, government agencies and, given the high number of recent incidents, any hacker who is able to gain access to their servers.
(f) the app provider embeds a backdoor into the encryption protocol in the form of a compromise that makes the encruption reversible. Microsoft and the Bill and Melinda Gates Foundation have previously shown interest in and even funded the Turing Institute to create reversible encrypted Digital ID in this manner.
The key issue with every single one of these ‘solutions’ is that they weaken encryption and make it equally possible for police and government busybodies and hackers to also access your data. Our governments choose to either ignore that any backdoor into our encrypted data for them is a backdoor for everyone else as well, or gaslights us that it is not possible and therefore we are conspiracy theorists for thinking it. That, or they use the disingenuous statement that if you aren’t doing anything wrong, then why does it matter?
My Technology Test-Bed
Over the last week I have been working with a group of different technology products seeking to identify the one that was more security protecting and, at least in the near-term, least likely to remove our ability to encrypt private data and make it openly available to ‘the government’.
[L-to-R: PinePhone Pro (Sailfish OS), Samsung Fold 3 (Google Android), De-Googled Pixel Pro 9 (GrapheneOS), Apple (current IOS)]
In each case I installed the operating system clean and configured security and encryption following the OS-manufacturer’s specification. I followed this by installing a suite of, where available, common apps that the average person might use for: email (Microsoft Outlook and K-Mail), web browsing (Firefox), banking (HSBC, TSB and Barclaycard), games (Air Traffic Control and Sudoku), media playing (VLC and Podcast Addict), social media messaging apps (Skype, WhatsApp and Signal) and in each case I also installed an app that allowed access to a Synology NAS to draw down images, music and other files and allow ‘cloud’ connectivity for creating backups of the device (DS File).
GrapheneOS is android-based but by default comes fully functional but absent all of the Google apps (Google Play Store, Google App Store, Google Maps, GMail etc) and any Google functionality (including their telemetry monitoring). The GrapheneOS user is able to access and install all of these if they so wish, or use alternative app store and mail solutions like F-Droid, Aurora and K-Mail. It is this ability to use alternative applications and services that provides some of the security and strength of the GrapheneOS proposition, but more about his later.
For the purposes of monitoring network connectivity and traffic I connected each to a secure WiFi network that was separate to my normal WiFi network, and used several industry-standard apps (such as Wireshark, PRTG Network Monitor and a PiHole) to monitor DNS requests and traffic passing to and from the smartphone.
In short, I found a lot of what I expected - including high amounts of almost constant telemetry data going to Google and Samsung domains from the Samsung Fold running Google’s Android and going to Apple from the iPhone. In contrast, there was almost no telemetry monitoring data being transmitted by the PinePhone’s Sailfish OS and the De-Googled Pixel running GrapheneOS.
Something most people are either unaware of or unable to do anything about is the amount of cross-talk between apps, the app store and OS on smart devices. A lot of apps do ‘deals’ with each other to include links, or to allow telemetry and monitoring data. For example, both of the games I installed made procedure calls looking for Facebook libraries that would be installed if Facebook, Instagram or Facebook Messenger apps were installed. They, and the Podcast Addict app, also made internet calls to Facebook and Facebook Content Dellivery Network (FBCDN) servers.
The Android-based OSs (Google Android and GrapheneOS) and Sailfish OS on the PinePhone Pro all supported multiple users and switching between users. However, this functionality was not available on IOS on the iPhone. For the three devices that allowed multiple users I also tested segregating particular types of apps in different user accounts (an attempt at containering apps). What I found here was that while it was possible to separate say banking apps from social media messaging apps, only the GrapheneOS operating system prevented apps in one active user account from cross-talking with apps in another active user account. So, on the Samsung Fold and PinePhone Podcast Addict app in one user account could still make Facebook telemetry calls to libraries in Facebook’s WhatsApp messenger app in another user account. On GrapheneOS this behaviour was blocked by default, but could be manually ‘allowed’ for the specific app if it was found to be absolutely necessary.
Another key strength only provided on the GrapheneOS platform was that when a user acount ‘session’ was ended (i.e. that user completely logged out), all data in active memory for that user, including the encryption keys that allowed access to that user’s files, apps and data, were dropped. This ostensibly means that were your phone to be physically taken and cloned, all data in that user’s ‘container’ remains encrypted and unreadable - and the encryption key itself is stored in the Titan M2 security chip and requires a pin to decrypt before it can even be then used to decrypt that user’s data. In this way, for the most secure experience it is recommended that the ‘Owner’ user account is maintained without Google, Facebook or other apps that might ‘leak’ data, and that all such apps are only installed in specific User containers and sandboxed so that they cannot see outside that user account into either the Owner or other user accounts.
On GrapheneOS I was also able to implement separate VPN instances in each user account such that on testing it was possible for each active user to have a concurrent endpoint in a different country.
In short, Apple and Google can be, as we have seen, ordered to weaken or completely disable encryption and make your data available not just to the government, but to anyone who might want to access it. This, at present at least, is far less likely for GrapheneOS. With GrapheneOS it is also possible to end all of the user sessions and, if following the basic protocol of having few to no apps containing personal data in the Owner profile, have no important unencrypted data accessible to anyone who might demand physical access to your device.
Finally, QubesOS ostensibly works the same as a linux-based desktop operating system as GrapheneOS on the smartphone. I have also been working to develop an image for laptops that installs and configures QubesOS and basic productivity (OpenOffice and Email) and other apps (for graphic design, social media messaging, multimedia consumption etc.) so that I can have a standardised deployment in the same way many organisations do for a Microsoft Windows desktop. My current version is mostly functional and this post has been authored in an encrypted and VPN-enabled user account ‘container’ on a Dell Precision laptop running QubesOS.
In conclusion, I have decided to remove myself and my data from the sometimes fatuous discussion where it concerns the government using legislation to mandate large and popular technology companies give them access to everyone’s personal cloud data, metadata or network traffic. Going forward I am moving myself and anyone in my family that also wants to onto properly secured platforms that limit our exposure and footprint as much as humanly possible. I will also be offering these solutions as a service to others, should they wish to contract my services to do so.
My personal data should stay mine. Your personal data should stay yours. We must protect ourselves against the no-longer gradual shift towards Orwellian totalitarianism in many of our Western countries.
At least until common sense (sic), decency and freedom of speech once more prevails.
AAA 2018, Section 317ZG includes an incredible and entirely unworkable express prohibition against building a systemic weakness or vulnerability into a form of electronic protection and ensures providers cannot be prevented from rectifying a systemic weakness.
Good article. You say multiple times that if this is done for the government some bad actor might get at the (once thought encrypted) data through the backdoor. I think most of us believe that the WORST actor IS the government. They are #1 on my list of people I wish to NOT have my private data because they will NEVER use it for me and ALWAYS use it against me -- there is nothing they can do for me and lots they can do against me. So it is the front door of the back door that worries me the most.
Edward Snowden has long recommended Qubes. I think it's taken as a given that, for serious security, all smartphones are a lost cause. The really paranoid worry about backdoors at the hardware level in the management modules of more recent generations of Intel chips. The German Chaos Computer Club has good content on this.
Problem-reaction-solution IS becoming an extremely useful heuristic, although I feel it's stretching the term to call it Hegelian, except in the loose metaphorical sense. It would have been unknown even to Marx. Trotsky or Lenin might have intuited something like it though ("the worse the better.") The big question is, what does planned reaction (i.e. controlled opposition or anticipated crisis) look like. Trump, or Reform, or AfD? That would be a dispiriting thought for a great many.
The well known Substacker Eugyppius believes the WEF is "a glorified conference circuit" with no real power. I think you are closer to the mark. They are more like a Matroshka Doll with the Davos event as the outer layer providing plausible deniability for their schemes as "floated ideas" (often floated by house intellectuals like Noah Yuval Harari et al. in apparently "speculative terms.")