Randy Siegel

Government and Business Development at Purism, SPC

The year 2007 represented a watershed moment for the modern smartphone industry as we know it.

This was the year that Apple introduced its first iPhone device and Google announced Android via its participation in The Open Handset Alliance (which notably leveraged the Linux kernel and open-source code to create its mobile OS).

Fast forward 17 years to 2024, and it is not an exaggeration to say that these devices are nearly universally used and depended upon daily, worldwide.

In fact, the medium for most web browsing, purchasing and other online tasks has shifted from traditional client-compute platforms such as the desktop or laptop to the small form-factor device.[1][2]

The rise of the smartphone in some way mirrors past technological advances such as the adoption of television. However, critical mass was not achieved with the latter technology until decades after the first broadcasts of the 1920s. Not only did the smartphone reach near ubiquity much more rapidly, but it also created greater stickiness and/or psychological dependency (e.g., Social Media, addictive games, other applications) than TV. After all… smartphones are by nature “two-way” devices. One communicates back and forth with them or interacts with information — often in real time.

It didn’t take the data mining, advertising and big tech industries long to realize that they had struck gold with the ultimate mechanism by which they could extract personal data and tailor consumer and other offerings on a very, very personalized basis.

Similarly, smartphones were also recognized as goldmines for overtly malicious actors – be they hackers, criminal organizations, foreign national state actors, or other governmental entities.

Consumerization of IT Phenomenon Equates to a Larger Attack Surface

It’s important to recall that the history of the modern smartphone really started with the introduction of Research In Motion’s BlackBerry device in 1999. The uptake of this unique smartphone was generally driven by its use as a PIM tool (Personal Information Management), handling calendar, contacts and messaging tasks. The device was almost always issued and managed by traditional IT organizations within corporations. The BlackBerry was such a hit, however, that people started to use the device in their personal lives.

BlackBerry represented the inverse of the consumerization of IT phenomenon in that it was typically centrally managed and depended on a store-and-forward Network Operations Center (NOC) infrastructure. By definition, this architecture required centralized IT to play an outsized role in provisioning, managing, or otherwise controlling the device.

This differed greatly from the iPhone, which started off life squarely as a consumer/personal device. It was only after users realized the sheer utility of the device that they started taking it into work and demanding it be supported by centralized IT. The consumerization of IT phenomenon (or shadow IT) bloomed in earnest with this device. (As an aside, I have written in the past about the seminal importance played by Microsoft’s Exchange ActiveSync technology, which greatly aided/spurred on the use of mobile devices within the enterprise.)

Critical Mass

The sheer ubiquity of these devices has made them the go-to platform for developers, network operators, OEMs, advertisers, data brokers, and many others seeking to effectively reach large swaths of the population. Additionally, the emergence of Artificial Intelligence (AI) and Machine Learning (ML) has only aided in the efforts for more efficient data mining and exploitation of that data.

Relative to the “data,” there are many, many different flavors available for exploitation that the end-user probably has not even contemplated. Not only is there the raw data such as bytes consumed, browsing history, purchases made, calls/texts initiated and received, strides taken/miles walked (along with stride length derived from the device’s gyroscope and accelerometer and its GPS position fix), geographical location, etc., there is also associated metadata. Often, metadata can be just as instructive in creating a picture of the end user’s daily lifestyle and habits as the actual data. Some examples of smartphone metadata include:

  1. Telephone Metadata: When you make or receive phone calls, metadata includes call duration, status (incoming, outgoing, or canceled), date, time, and call type (voice or video).
  2. Image Metadata: When you take a picture with your smartphone, it records technical information in the image’s metadata (the EXIF block). This includes details like the camera make and model, aperture, shutter speed, ISO, and focal length, and, when location services are enabled for the camera, the GPS coordinates of where the picture was taken.
  3. File Metadata: File size, creation date, and means of data creation (e.g., photo taken, downloaded, or received) are examples of metadata associated with files stored on your smartphone.
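To make the image-metadata point concrete, here is an added example (not code from the original post or from Purism) that builds a small, constructed EXIF/TIFF blob of the kind a phone camera embeds in a JPEG, extracts the camera make/model and GPS position from it, and then strips the GPS directory before the file is shared. The byte layout follows the TIFF/Exif IFD format; the sample values, and the assumption of a little-endian (“II”) blob with no further IFDs, are the example’s own. In a real JPEG the same bytes sit inside an APP1 segment after the `Exif\0\0` marker.

```python
import struct

# Tag numbers from the TIFF/Exif specification
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # bytes per element, by type


def _build_ifd(entries, base):
    """Serialise one little-endian IFD located at absolute offset `base`.
    `entries` = [(tag, type, raw_value_bytes, count)], sorted by tag.
    Values of 4 bytes or less are stored inline; larger ones go after
    the directory and the entry holds their absolute offset."""
    dir_len = 2 + 12 * len(entries) + 4
    out, data = struct.pack("<H", len(entries)), b""
    for tag, typ, raw, count in entries:
        if len(raw) <= 4:
            out += struct.pack("<HHI", tag, typ, count) + raw.ljust(4, b"\0")
        else:
            out += struct.pack("<HHII", tag, typ, count, base + dir_len + len(data))
            data += raw
    return out + struct.pack("<I", 0) + data     # 0 = no next IFD


def _rational3(deg, minutes, sec):
    """Degrees/minutes/seconds as three RATIONALs (numerator, denominator)."""
    return struct.pack("<6I", deg, 1, minutes, 1, int(sec * 100), 100)


def build_sample_exif():
    """Constructed sample blob: IFD0 with make/model and a GPS sub-IFD.
    The coordinates and device strings are made up for this example."""
    make, model = b"Purism\0", b"Librem 5\0"
    ifd0_len = 2 + 12 * 3 + 4
    gps_off = 8 + ifd0_len + len(make) + len(model)   # GPS IFD follows IFD0 data
    ifd0 = [
        (TAG_MAKE, TYPE_ASCII, make, len(make)),
        (TAG_MODEL, TYPE_ASCII, model, len(model)),
        (TAG_GPS_IFD, TYPE_LONG, struct.pack("<I", gps_off), 1),
    ]
    gps = [
        (GPS_LAT_REF, TYPE_ASCII, b"N\0", 2),
        (GPS_LAT, TYPE_RATIONAL, _rational3(38, 53, 23.0), 3),
        (GPS_LON_REF, TYPE_ASCII, b"W\0", 2),
        (GPS_LON, TYPE_RATIONAL, _rational3(77, 0, 32.0), 3),
    ]
    header = b"II" + struct.pack("<HI", 42, 8)         # little-endian, IFD0 at 8
    return header + _build_ifd(ifd0, 8) + _build_ifd(gps, gps_off)


def _read_ifd(blob, offset):
    """Parse the IFD at `offset` into {tag: (type, count, raw_bytes)}."""
    n, = struct.unpack_from("<H", blob, offset)
    tags, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack_from("<HHI", blob, pos)
        size = TYPE_SIZE[typ] * count
        if size <= 4:
            raw = blob[pos + 8:pos + 8 + size]
        else:
            off, = struct.unpack_from("<I", blob, pos + 8)
            raw = blob[off:off + size]
        tags[tag] = (typ, count, raw)
        pos += 12
    return tags


def _dms_to_decimal(raw, ref):
    vals = struct.unpack("<6I", raw)
    deg, mn, sec = (vals[i] / vals[i + 1] for i in (0, 2, 4))
    dec = deg + mn / 60 + sec / 3600
    return -dec if ref in (b"S", b"W") else dec


def extract_location(blob):
    """Return (make, model, lat, lon); lat/lon are None when no GPS IFD exists."""
    assert blob[:2] == b"II", "example handles little-endian TIFF only"
    ifd0_off, = struct.unpack_from("<I", blob, 4)
    ifd0 = _read_ifd(blob, ifd0_off)
    make = ifd0[TAG_MAKE][2].rstrip(b"\0").decode()
    model = ifd0[TAG_MODEL][2].rstrip(b"\0").decode()
    if TAG_GPS_IFD not in ifd0:
        return make, model, None, None
    gps_off, = struct.unpack("<I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(blob, gps_off)
    lat = _dms_to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2][:1])
    lon = _dms_to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2][:1])
    return make, model, lat, lon


def strip_gps(blob):
    """Rebuild IFD0 without the GPS pointer; the GPS IFD bytes are dropped
    entirely rather than left orphaned in the file."""
    ifd0_off, = struct.unpack_from("<I", blob, 4)
    kept = [(tag, typ, raw, count)
            for tag, (typ, count, raw) in sorted(_read_ifd(blob, ifd0_off).items())
            if tag != TAG_GPS_IFD]
    return blob[:ifd0_off] + _build_ifd(kept, ifd0_off)


if __name__ == "__main__":
    sample = build_sample_exif()
    print("before:", extract_location(sample))        # location is recoverable
    print("after: ", extract_location(strip_gps(sample)))  # location gone
```

The same tag walk applies to any EXIF block; what changes between phones is only which tags the camera app chooses to write. Note that stripping the GPS IFD is not the whole story: the make/model and the capture timestamp survive, and many sharing services re-encode images but keep some EXIF fields, so verify the output rather than assume it.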

Corporate Data Mining

It should come as no great surprise that Big Tech is keenly interested in smartphones because they serve as fuel for massive data collection efforts. Personally, I believe that the Software as a Service (SaaS) movement, which is based on a regular “subscription” model and is typically cloud-hosted, has only helped to accelerate these collection efforts. Increasingly, applications rely on web services based in the “cloud” that interact moment-to-moment with connected devices. The Cloud’s computational and storage power is a big part of the Artificial Intelligence and Machine Learning efforts at amassing as much information as possible. Often, this information can be “weaponized” against a mostly unknowing and/or uncaring public.

It’s important to remember that the smartphone market is basically a duopoly. In the United States, as of this writing, one source puts Apple at 55.42% of the market and Android at 44.27%, while another puts iOS at 61.45%; either way, two vendors account for essentially the whole market. Worldwide, Android dominates with a 69.88% market share.[3][4]

Since there are essentially few other options for consumers/end-users, most simply feel compelled to agree to Apple and Google’s egregiously one-sided End User License Agreements (EULAs), which basically grant specific permission for these tech titans to use the data any way they see fit.

Google’s primary business is to sell advertising. They do not sell search engines. Search is given away to gather the data that makes the advertising valuable.

Apple has always policed their ‘walled garden’ ecosystem with an iron fist. Recall Apple charging exorbitant rates for Independent Software Vendors (ISVs) to sell so-called “in-app purchases”?

“Fortnite” creator Epic Games sued and won a judgement against Apple stipulating that Apple can no longer prevent developers from including buttons or links in their apps that direct users to alternative payment methods outside of Apple’s own in-app purchase system – a system that charged developers commissions of up to 30%!

Even if one were to give Big Tech the benefit of the doubt about why they are collecting personal information (e.g., to personalize and improve the user experience), the asymmetric relationship between user and company is troubling and should be viewed with skepticism and caution.

By willingly signing away your rights to your private data and metadata, one may be inadvertently hurting oneself.

Why should giant corporations be granted a position of trust? Are not Google and Apple for-profit corporations that by definition seek to maximize shareholder value (typically by increasing revenues)?

The only thing that corporations can be counted on to do is to try and make money.

Despite all the niceties and “public service announcements,” at the end of the day, their goal is to maximize shareholder value which equates (typically) to increased revenues and associated stock increases. It is in these companies’ best interest to access your data. There is actually an incentive not to protect your personal data!

Perhaps even more troubling, both Google and Apple’s main production takes place in China, a totalitarian state renowned for its involvement in all aspects of life, including and especially business. China (or more formally, the People’s Republic of China, PRC) has often been named as responsible for nation-state actors trying to disseminate disinformation and/or actively embark on offensive hacking operations against the United States and other Western countries. (Interestingly, many of the same big tech companies that are the self-appointed guardians of our private information are also among the most frequent targets for nation-state-sponsored hacking attempts. Why should we believe that Apple, Google, Microsoft, et al. can prevent the hijacking of our personal data, especially as they face a daily barrage of nation-state-sponsored hacking attempts?)

What assurances do we have as consumers, individuals and Americans that the supply chain is protected and devoid of malicious code or other attack vectors? Are we simply to trust Big Tech to “do the right thing?”

Not only do the Original Equipment Manufacturers (OEMs) have a stake in data collection; so too does every member of the mobile ecosystem, including silicon chip vendors, electronic circuit board vendors, peripheral makers, mobile network operators worldwide, those providing Wi-Fi, Cloud Service Providers (CSPs), Managed Service Providers (MSPs) and dozens and dozens more. The amount of data being actively collected by the Google Play Store and the Apple App Store alone is massive.

Purism’s Role – A Social Purpose Corporation

Purism devices are not actively or passively sharing your personal data since they do not rely on traditional big tech platforms such as Apple’s iOS or Google’s Android. Similarly, there is no interaction with an Apple App Store or Google Play Store.

Purism devices run on an open-source, hardened Linux kernel. While a Linux kernel is also at the heart of Android, the Android that ships on most phones is by no means fully open source anymore: the Google services and Play components layered on top of it are proprietary. (I will write later on the multiple “forks” of Android.)

Additionally, Purism has devices that are manufactured in the United States. The supply chain and hygiene of the devices are safeguarded by US citizens. This greatly lessens the threat of offensive and non-friendly nation-state actors nestling an attack in the hardware, firmware or application-layer (Layer 7) software.

Perhaps most importantly of all – Purism is a Social Purpose Corporation (SPC). Here’s what that means:

1. Social Purpose Corporation (SPC): Unlike typical corporations that prioritize profit maximization, an SPC places social purposes above profit. Purism’s mission revolves around digital rights, privacy, and civil liberties in technology. By becoming an SPC, Purism ensures that its core values remain intact while allowing for external investment to facilitate growth without compromising its mission.

2. Immutable Social Purposes: Purism’s articles of incorporation define its social purposes, which cannot be easily changed. Any modification would require the support of those holding at least three-quarters of the voting shares. This commitment ensures that Purism’s positive impact on digital rights remains consistent throughout its existence.

3. Security by Design: As an SPC, Purism is required to release all of its source code, to never hold encryption keys, to never spy on its users, and to ensure that you own your device (rather than renting one that spies on you).

Conclusion

Purism devices provide end-users peace of mind by protecting privacy and ensuring fidelity of communications. No information is gathered, analyzed, or in any way harvested for advertising and/or other “reasons.”

Many applications ranging from PIM (Calendar, Contacts, Messaging) to web surfing are provided out of the box. Since Purism leverages Open-Source Code from a large community, anyone can build an application for use on the Purism platform. The burgeoning universe of developers can and will create whatever type of application needed.

The trade-off for today’s ease of use is to share all of your personal information. At Purism, we look to a future where you no longer will be forced to share this personally identifiable information (PII) for basic functionality. We believe that in our ever-accelerating world of information sharing and associated data harvesting, there will be a backlash of individuals who wish to retain their privacy.

Purism is leading the way for a more secure future.

Please join our newsletter today or email us info@puri.sm

Purism Products and Availability Chart

Model                                        Status                                  Lead Time
Librem Key (USB security token, Made in USA) In Stock ($59+)                         10 business days
Librem 5                                     In Stock ($699+), 3GB/32GB              10 business days
Librem 5 COMSEC Bundle                       In Stock ($1299+), Qty 2; 3GB/32GB      10 business days
Liberty Phone (Made in USA Electronics)      Backorder ($1,999+), 4GB/128GB
Librem 5 + SIMple (3 GB Data)                In Stock ($99/mo)                       10 business days
Librem 5 + SIMple Plus (5 GB Data)           In Stock ($129/mo)                      10 business days
Librem 5 + AweSIM (Unlimited Data)           In Stock ($169/mo)                      10 business days
Librem 11                                    In Stock ($999+), 8GB/1TB               10 business days
Librem 14 (laptop)                           In Stock ($1,370+)                      10 business days
Librem Mini (PC)                             In Stock ($799+)                        15 business days
Librem Server                                In Stock ($2,999+)                      45 business days
The current product and shipping chart of Purism products, updated on August 5th, 2024
