As a means to give our work direction and a clearer purpose, KDE is currently in the process of soul-searching. Here’s my proposal of what we should concentrate and focus on in the coming years. I’d welcome any feedback from the community to make this proposal better, and to rally more support from the community and others interested.
So here’s the Big, hairy, audacious goal that — in my opinion — KDE should focus on, and should adapt its strategy for:
“In 5 years, KDE software enables and promotes privacy”
Privacy is the new challenge for Free Software. KDE is in a unique position to offer users a complete software environment that helps them protect their privacy. Being community-driven and user-focused, KDE has the opportunity to put privacy at the top of its agenda; arguably, in this position, KDE has an obligation to do so in the interest of its users.
The effect is expected to be two-fold:
- Offer users the tools to protect their privacy and to lead a private and safe digital life without compromising their identity or exposing their habits and communications
- Set a high standard and example for others to follow: define the state of the art of privacy protection in the age of big data and force others to follow suit, thereby increasing pressure on the whole industry and ecosystem to protect users’ privacy better
Leaking user data, allowing users to be tracked, and collecting their most private information in databases across the world mean that users lose control of their identity: of which parts they want others to know and which they want to keep to themselves. Worse, with data collected in so many places, often commercially but also by governments, the user has little way of knowing what is known about him or her, let alone of determining who should be able to control what. Because data, once collected, persists, not only today's security measures and policies matter but also tomorrow's: a database that is adequately protected now may be breached, sold or subpoenaed years later. This poses multiple great risks.
KDE adds a 5th Freedom to the four principal software Freedoms:
“The freedom to decide which data is sent to which service”.
Personal Risks for Users
Risks that individual users run are, among others:
- The more data is collected, the bigger the risk of identity theft becomes
- More collected data means that decisions will be made for the user based on skewed or incomplete information (imagine insurance policies priced from a partial profile)
- Collected data may end up in the hands of oppressive regimes, posing risks to the user when travelling, or even at home
- Users' most private secrets may end up in the wrong hands
Socio-economic effects that affect how society and national and international communities work are:
- Free speech is compromised
- Journalists need tools to communicate secretly; without them, the freedom and independence of the press cannot be guaranteed
- Trade secrets cannot be kept, and free markets cannot function without tools that protect privacy
- Sovereignty of nations cannot be guaranteed
- Cyber-attacks may lead to shifts in power
What will it take?
- Privacy-respecting defaults
- Offering the right tools in the first place
We can only guarantee privacy if we also value security.
- Functioning code review
- Quick turn-around times for software updates, especially security fixes
- Prefer encrypted communication where possible: HTTPS over HTTP, and no unencrypted connections at all where they can be avoided
- Storing sensitive information only in encrypted form
- Moving away from inherently insecure technologies, e.g. defaulting to Wayland instead of X11 (under X11 any client can read other clients' keystrokes and window contents; Wayland isolates clients from each other)
- Avoiding single points of failure and centralized control
KDE software supporting this goal should:
- Only collect and send data when it is necessary and clearly sensible from within the context. No hidden telemetry sending user stats, no HTTP connections downloading content, no search queries to online services without the user's explicit consent (or where it's entirely clear from the context, e.g. web browsers, the software updater, etc.).
- Use anonymity where possible, for example by routing requests that don't require user identification, such as weather updates, over Tor (and making sure the request itself carries no identifying fields, since Tor only hides where it comes from)
- No collection of privacy-relevant data without a clear purpose.
- Conservative defaults: a user should not have to make changes to the software configuration to avoid leaking data. Secure and private by default. (Software may be configured to be more leaky if that benefits the user, but the risk of that should be clear, either from context or explicitly stated.)
- Use clear and consistent UI and design language around network-related options
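The principles in the list above (consent-gated network access, no plaintext transport, nothing optional switched on until the user asks for it) are easiest to keep if they are enforced in one place instead of re-implemented in every feature. The following is an added illustration written for this page, not code from KDE or from the proposal; the names NetworkPolicy, Decision, audit and upgrade_scheme, the feature names and the example.org URLs are all made up for the example. In a Qt application the same gate would sit in front of QNetworkAccessManager; here it is plain Python so that it runs stand-alone:

```python
# Added example (not KDE code): a default-deny network policy gate.
# All names below (NetworkPolicy, Decision, audit, upgrade_scheme) and the
# sample requests are assumptions made for this illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Decision:
    allowed: bool
    feature: str
    url: str
    reason: str


def upgrade_scheme(url: str) -> str:
    """Rewrite a plain http:// URL to https://; leave every other scheme untouched."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):          # an explicit port 80 makes no sense for https
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


@dataclass
class NetworkPolicy:
    """Decides whether a feature may talk to the network at all.

    essential: features whose network use is obvious from context (updater,
               web browser); they may connect without a separate opt-in.
    consent:   optional features the user has explicitly enabled. Empty by
               default, which is the point: nothing optional is on until the
               user turns it on.
    """
    essential: frozenset = frozenset()
    consent: dict = field(default_factory=dict)

    def grant(self, feature: str) -> None:
        self.consent[feature] = True

    def revoke(self, feature: str) -> None:
        self.consent.pop(feature, None)

    def check(self, feature: str, url: str) -> Decision:
        scheme = urlsplit(url).scheme.lower()
        # Transport is checked first: even an opted-in feature must not leak over plaintext.
        if scheme != "https":
            return Decision(False, feature, url,
                            f"refused: scheme '{scheme or 'none'}' is not https")
        if feature in self.essential:
            return Decision(True, feature, url, "allowed: purpose clear from context")
        if self.consent.get(feature):
            return Decision(True, feature, url, "allowed: user opted in")
        return Decision(False, feature, url, "refused: optional feature without consent")


def audit(policy: NetworkPolicy, requests):
    """Run a batch of (feature, url) pairs through the policy and return every decision."""
    return [policy.check(feature, url) for feature, url in requests]


# Constructed sample: the kinds of requests a desktop might make on a fresh install.
SAMPLE_REQUESTS = [
    ("updater", "https://updates.example.org/feed.xml"),       # essential, https: allowed
    ("updater", "http://mirror.example.org/feed.xml"),         # essential but plaintext: refused
    ("weather", "https://weather.example.org/v1/berlin"),      # optional, no consent yet: refused
    ("telemetry", "https://stats.example.org/ping?uid=1234"),  # optional, no consent yet: refused
    ("file-previews", "ftp://files.example.org/thumb.png"),    # never over plaintext: refused
]

if __name__ == "__main__":
    policy = NetworkPolicy(essential=frozenset({"updater"}))
    for d in audit(policy, SAMPLE_REQUESTS):
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} {d.feature:14} {d.url} ({d.reason})")
    policy.grant("weather")  # the user enables the weather applet explicitly
    print(policy.check("weather", "https://weather.example.org/v1/berlin").reason)
```

The order of the checks is deliberate: consent never overrides the transport rule, so a feature the user has opted into still cannot fall back to plain HTTP. A plaintext URL is refused rather than silently upgraded; callers that want to retry can rewrite it with upgrade_scheme first.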
Offering the Right Tools
KDE needs to make an effort to provide a comprehensive set of tools for most users' needs, for example:
- An email client allowing encrypted communication
- Chat and instant messaging with state-of-the-art protocol security
- A web browser (self-provided) that has private default settings
- File storage and groupware solutions
- Other tools that allow offline operation and independence from popular cloud services
- Support for online services that can be operated as private instance, not depending on a 3rd party provider
- State-of-the-art support and integration for services like Tor, Matrix, Zeronet, etc.
- KDE e.V. allows anonymous donations via Bitcoin (or other cryptocurrencies); note that Bitcoin payments are pseudonymous rather than anonymous, as every transaction is recorded on a public ledger
- Adoption of blockchain technology where useful
How we know we succeeded
"Hard" criteria include static and runtime analysis tools, and audits of KDE software for compliance with common security-related standards, such as:
- NIST Cybersecurity Framework (NIST CSF)
- ISO/IEC 15408 (Common Criteria)
- Cyber Essentials (UK government standard)
- … etc.
"Soft" criteria include:
- The press and third parties refer to KDE software as the gold standard for privacy-respecting software
- Journalists prefer KDE software for their work
- The NSA hates KDE
- The CCC loves KDE ♥
The full proposal has a few more details and pointers (and may still be updated; it’s not final yet), but I’d like to keep it at this for my weblog, and also add a note here: coincidentally, shortly after starting the work on this proposal, KDE’s Plasma team was contacted by Purism, who are building a privacy-focused phone. I was immediately excited, since I think privacy is more or less an extension of the core values of Free Software, and the Librem 5 could provide a really valuable target for KDE’s privacy efforts; I see a fantastic degree of synergy there.