“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …”
— The 4th Amendment to the United States Constitution
I’ve been so busy working on our new country home that I’ve neglected to write more about computer privacy and big tech. But lately, this topic has been dogging me.
Not my First Rodeo
So why should you trust what I say about this tech? You shouldn’t. You should always verify everything. I would.
I do know a few things about privacy and mobile devices. I have some thirty-plus years of experience in software development focused on privacy. As an OG Cypherpunk, I passionately embraced the motto “Cypherpunks write code.” I’ve had fun (they say) writing hundreds of thousands of lines of code, including an open-source cryptography library, and hold a couple of patents.
I pioneered one of the first secure texting apps designed specifically for the iPhone, inventing things as we went along. Before that, I worked on the core cryptography code for PGP Corporation, which produced the first commercial email encryption system.
I even worked at Apple at a time when the government actively opposed the availability of strong cryptography. Despite the political climate deterring Apple’s leadership from prioritizing user privacy, I discreetly organized an annual conference (funded by Apple and held on their campus) and inspired many third-party developers to create their own cryptographic solutions.
As the Internet became popular, some members of Silicon Valley culture made efforts to challenge the government to promote individuals’ rights to safeguard their privacy. However, as time went on, the surge to exploit consumer data eclipsed these efforts. Governments no longer need to compromise cryptography to monitor individuals since people now consent to their devices automatically sharing information online.
Sensing an exciting opportunity, I founded a start-up dedicated to empowering customers with ownership of their data. Ultimately, I chose to leave Silicon Valley, but that’s a tale for another time.
What finally pushed me over the edge.
While I personally view Google and Meta as thinly veiled surveillance and manipulation platforms, I foolishly believed that Apple was attempting to do a better job of protecting user privacy.
One day, a friend texted me a photo he had taken of us enjoying dinner together. I noticed that the iPhone was adding in metadata about who sent the photo and, most likely, the result of its facial recognition algorithm.
This observation started to concern me. Further checking confirmed that this data was also synced with my other iCloud devices, and checking the iCloud website also indicated some knowledge. The iPhone was assembling a social network and uploading it to Apple. Yes, I know that you can turn on Advanced Data Protection, and that should prevent Apple from accessing it. But that doesn’t prevent Apple from processing and creating metadata while it’s on your device.
Combining this tracking with Apple’s latest infatuation with AI built into the operating system creates the potential for privacy intrusions at an entirely new level. Add the increasingly incestuous connection between government and big tech, and this becomes a force multiplier.
I might not be so worried if I had more confidence in Apple’s corporate ethics. However, their recent actions, such as collaborating to shut down Parler and eagerly assisting the government regarding the January 6th event, suggest that they are not champions of free speech. I don’t feel the trust I had for Apple anymore.
Oh, and did I mention that the iPhone is still tracking when it’s powered off?
Maybe I don’t consider Apple as evil as Google, Meta, or the pre-Elon Twitter, but I am still concerned about its willingness to trade its customers’ privacy for political or ideological biases. Maybe it’s time to move on.
I want to Unplug from the Matrix.
Since the demise of Silent Circle Blackphone, I have been looking for a hardware alternative. I seriously considered the Liberty Phone by Purism. It looks like a good concept, but I wanted some more modern phone hardware. In truth, I have no experience with it; I can’t say one way or another.
A few folks have suggested that I look into GrapheneOS, but again, I want a turnkey replacement for my iPhone. I have way too many projects these days.
A trusted friend, whom I consider very knowledgeable on the topic, mentioned the Unplugged phone. Later, after I heard Erik Prince, co-founder of Unplugged, interviewed about phones on both the Shawn Ryan and Tucker Carlson podcasts, I reached out to my friend again to get some more details about his personal experience.
I don’t know Erik personally; I never met the man or his team, so I don’t have much personal bias about his product, but based on what I am hearing, I am willing to give it a try.
Let me say upfront that I don’t have much experience with Android. I have been an iPhone developer since it was first released. I quickly learned how Android works, but a few things are different enough that it is worth searching for websites on “switching to Android”. I also took some time to learn about how the Android user experience functions.
While I was watching some reviews of the Unplugged phone, it was evident that some of the reviewers were also new to Android.
Tech Specs
The Unplugged phone has very respectable tech specs. While it isn’t the fastest or the latest model, I think it addresses its market well.
Size: 6.49" x 3.03" x 0.34" / 210g
Display: FHD+ 1080 x 2400, AMOLED, Gorilla Glass
Storage: 256GB + SDCard
RAM: 8GB - LPDDR4X
CPU: Octa-core:
1 x Arm Cortex-A78 3.0GHz,
3 x Arm Cortex-A78 2.6GHz,
4 x Arm Cortex-A55 2.0GHz
Network: 2G / 3G / 4G / 5G
WIFI: 802.11b/g/n/ac/ax 2.4GHz+5GHz
Battery: 4300mAh, Wireless Charging
Camera: Front: 32MP, Rear: 108 MP (Main) + 8 MP (Wide) + 5MP (Macro)
Sensors: Gyro, GPS, Compass, Accelerometer, Proximity, Light, Barometer
Biometrics: Fingerprint Sensor on the Power Button
Unplugged also made some effort to address supply chain risk.
“we have invested considerably in getting the core components and manufacturing processes out of China. We will be doing even more as we mature and iterate our product”.
Good First Impression
It was time to take the plunge. I visited the Unplugged website and purchased a phone along with a case. You can save a little money with a coupon code; keep your eyes open for their next promotion. Unplugged shipped me a unit almost immediately, and I had it within two days.
I was impressed immediately with the care and high quality of the packaging. Even the shipping box had the nice touch of being packed with gift tissue paper. Unplugged was obviously proud of what they made and put effort into the first impressions.
It took me only a couple of minutes to complete the boot-up, update, and setup process. I have done this countless times on an iPhone, but it felt like the Unplugged experience was slightly better designed.
While holding the Unplugged phone, you can tell it is well-built; it isn’t heavy, but it isn’t fragile either.
As I mentioned above, I initially stumbled a bit getting my head around the Android UI, but most things were similar enough. It wasn’t a very long learning curve. It was easy enough to recreate a desktop layout that was similar to what I was used to on my iPhone. The Unplugged phone does ship with a few useful apps, but I wanted to try and find as many of the same apps I was used to on my iPhone.
I started looking for apps in the UP Store, and that’s when things got interesting. Unplugged has its own app store that is not connected to the Google App Store. The Unplugged team conducts a vetting process to weed out apps that use Google Mobile Services. If you can’t find an app you want in the UP Store, you can let them know. They will try to add it within a few days.
That said, I was able to find a lot of the same or similar apps. For a few of them, I had to create desktop shortcuts using the Brave browser. No big deal.
The Proton Suite
The password manager I was using on iOS was not available, so I transitioned to Proton Pass. Not only was it easy to import my existing passwords, but I also liked how they integrated the 2FA authenticator UI. I converted all my devices to use Proton Pass.
Even though I was already familiar with the folks at Proton, I was pleasantly surprised at how far they have progressed in the last year. I appreciated that they made a commitment to keep their apps open-source and even posted the audits.
I’ll certainly be looking at some of their other apps as soon as I can.
The Bad and the Ugly.
So far, I have looked at the Unplugged phone as I would any other Android phone. I really like the slickness of the product and the marketing materials; they are top-notch. But the prime differentiator for Unplugged is its claim to champion privacy.
Certainly, tangible items like a physical battery disconnect switch can have their integrity easily verified. Most competent amateur radio operators are capable of doing this.
But there is no way for me to verify that the software, all the way down to the operating system and firmware, has no hidden tracking or backdoors. Software items like the Privacy Dashboard are a nice thought but this too can be faked.
And “therein lies the rub”.
Over the years, the industry has learned a lot about how to verify systems for backdoors and hidden behaviors. As we are now in 2024, the expectations for any product in the realm of privacy are well established. Every introductory course in cybersecurity emphasizes the importance of verification.
And yet here we are:
LibertOS and its apps are closed-source.
There is no public verification of the phone’s security claims or independent testing.
Come on, man. You know better than that. You can’t just say, “Trust me,” regardless of who you are or how impressive your team is. I am not trying to come across as some Defcon poser but rather as a seasoned professional in the security world, and something stinks here.
So, let’s clean it up. Here are my suggestions:
The Software
Let’s take a look at how the folks at Proton present themselves. Take a look at their open-source page.
For each component, they list a pointer to a GitHub page and the latest audit report. We even did the same thing with Silent Text, along with our internal engineering documents.
I would also suggest hiring someone to write a series of white papers about what LibertOS is and how it works. This goes double for your messaging app. This could easily be done by a college student intern.
I can assume that you are effectively a start-up, but do this sooner rather than later. I don’t want to see you burn your reputation.
The Hardware
There are a few things that Unplugged could do to foster more trust in the hardware.
Document how you tamper-proof the firmware.
- Both Purism and Apple do a good job of this.
Document how you prevent hardware tampering.
Better documentation and detail about where you source your parts.
- This was a good start, this is better.
TLDR (We used to call this Executive Overview)
So, where does that leave me? I like the phone as an Android phone. It’s well-built, and it runs smoothly and fast enough. It was easy to set up out of the box, and I even found it easy to switch SIMs around. The camera is really good, and my cursory speed tests were fine. The screen was outstanding. There are still a handful of things I need to figure out before this becomes my phone for everyday carry, but those are mostly iPhone to Android migration.
But as I mentioned, if I were, for example, a reporter writing from hostile locations, I can’t say that I would be comfortable with it. As a privacy professional, I can’t recommend it either until the items I list above are addressed. All the interviews in the world cannot substitute for verification.
Open source your code, write some whitepapers, publish the audits, and write a guarantee letter from the executives that you are unaware of any back doors. Put your personal reputation on the line here.
That said, I wish Unplugged good hunting. The world needs more people who believe in the importance of privacy and have the conviction to do something about it.
NOTE: Since I wrote this article, I have been in contact with someone close to the Unplugged staff. They told me that Unplugged is working on fixing the open-source and peer-review issues I mentioned, and we can expect updates in the near future.
Other reviews
The Andres Segovia Show
- A lot of great stuff here; he takes forever to get to the point, though.
Adam Callen Nyedis
- He was new to Android, and maybe he had an older version of the HW/SW; I didn’t have the issues he had.
Adventure Cruiser
- He actually opened the box and used it.
Not A Grayman
- After opening the box, she talks to the CEO.
Kenny at Mental Outlaw
- Mostly speculation. He didn’t have the device, but some of his points are valid.
Note: I just got burned by their method of proxying the Google store. I was using the Proton wallet app; Proton updated it on Nov 20th, and this required me to use an updated app to talk to the Proton server. It's 10 days later, and the app is not updated in the Unplugged store. I wrote a bug report to both Proton and Unplugged. Luckily, you can use the website to access the Proton wallet. But this defeats the point of the app. Kind of a deal breaker.
Do you know who made the CPU? It doesn't seem to be listed on their website.