A video game studio with a Blizzard of sexual harassment allegations.
In this episode we talk about a major sexism and harassment suit against Activision Blizzard, and what might be one of the best websites on the internet, gail.com. Then we speak with Kyle Rankin, Chief Security Officer at Purism, about their mission to make computers and phones focused on security and privacy, and what people should potentially beware of when using phones from independent phone producers such as the newly announced Freedom Phone.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Kyle Rankin is the Chief Security Officer at Purism, SPC, and the author of a number of books on security and infrastructure, most recently Linux Hardening in Hostile Networks for Pearson.
[00:00:07] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:16] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:19] SY: This week, we’re talking about a major sexism and harassment suit against Activision Blizzard and what might be one of the best websites on the Internet, Gail.com.
[00:00:29] JP: Then we speak with Kyle Rankin, Chief Security Officer at Purism, about their mission to make computers and phones focused on security and privacy and what people should potentially be aware of when using phones from independent phone producers, such as the newly announced Freedom Phone.
[00:00:43] KR: Since you’re not looking at necessarily going to be going through all of the source code, maybe you’re not censoring things, but how are you protecting users from actively malicious things that are going to steal their data?
[00:00:54] SY: Since we started last episode with a dark nightmare story, we decided to start this one off with something light and incredible, and that is the website Gail.com. So apparently, Gail.com, spelled GAIL.com, gets visited tons of times by unique hits due to people mistyping gmail.com. This happens so often that Gail.com is just an FAQ page about the site and statistics about how many hits the site receives as well as how many misaddressed Gail.com emails get rejected per week. We’ll put the page in our show notes, but just to spread the joy further, we would like to go through the short FAQ here for you with me reading the questions and Josh reading the answers. Josh, are you ready?
[00:01:42] JP: Okay. I’m channeling Gail.com. Yes, I'm ready.
[00:01:44] SY: You're channeling Gail? Let’s do this. Question, why isn’t there any content? There’s literally no content on this website. It’s literally just an FAQ.
[00:01:52] JP: It’s just an FAQ. Yeah.
[00:01:53] SY: It’s just an FAQ. So it says, “Why isn’t there any content here? Can’t you at least throw up a picture of your cat for the Internet to check out?”
[00:02:01] JP: “Sorry, I have a cat, but she’s pretty unexciting by Internet standards. As for why there’s a very little content here, we wanted to keep the server’s attack surface as small as possible to keep it safe.”
[00:02:11] SY: Such a good answer. “Interested in selling Gail.com?”
[00:02:15] JP: “Sorry, no.”
[00:02:16] SY: “How did you manage to get Gail.com?”
[00:02:19] JP: “My husband registered it as a birthday gift back in 1996.” I should point out, we took a little look at this and her husband’s website is Kevin.org. Nice matching.
[00:02:28] SY: Oh, amazing! Power couple! Power couple! I love it. “How many times a day is this page visited?
[00:02:35] JP: “In 2020, this page received a total of 5,950,012 hits, which has an average of 16,257 per day.”
[00:02:46] SY: Wow!
[00:02:47] JP: “Looking at just unique hits, we’d received a total of 1,295,284 for an average of 3,539 unique hits per day. Occasionally, we get Twitter-bombed and we may receive several tens of thousands of visitors a day. As an example, on July 21st, 2020, we received 109,316 hits.” That is incredible!
[00:03:12] SY: That’s really incredible. What I love is that there are over five million total hits, but only one million unique, which means a lot of people are making the same typos over and over again.
[00:03:24] JP: Right, but there’s a lot of repeat visitors.
[00:03:26] SY: A lot of repeat visitors. Maybe they just like reading the FAQ. Who knows? Next question, “Why is your website so popular? Are you one of those famous people that no one knows why they’re famous?”
[00:03:36] JP: “No, I’m not famous. It seems likely most visitors simply mistype Gmail.com and end up visiting Gail.com by mistake.”
[00:03:44] SY: “I tried to send some photos to my girlfriend and typed Gail.com instead of Gmail.com in the address field. The photos were of a very personal nature. Can you please delete them?”
[00:03:55] JP: This is the best part.
[00:03:57] SY: So that really happened. Yeah.
[00:03:57] JP: I really, really like this. Yes. “There are only two valid email addresses on the Gail.com domain. So it is extremely likely your photos were rejected by my email provider and tossed into the bit bucket. Another interesting Gail.com factoid: my amazing email provider, ProtonMail, rejects about 1.2 million misaddressed emails per week to the Gail.com domain.” 1.2 million mails are coming to Gail.com every week.
[00:04:25] SY: Per week. Per week.
[00:04:26] JP: Those can be important messages. It’s horrifying.
[00:04:28] SY: It could be. Yeah. Yeah. Yeah. “I think you’re infringing on my trademark.”
[00:04:33] JP: “If you consult with someone well-versed in trademark law, they will tell you that you can’t have an exclusive trademark on a common word or name. My husband and I successfully defended ourselves against an attempted domain takeover in 2006; see WIPO Case D2006-0655 for more information.”
[00:04:55] SY: That’s right.
[00:04:56] JP: I’ll just point out that the WIPO is for the World Intellectual Property Organization and they’re actually tasked with ruling on cases where people think their trademark is being infringed against. We’ll have a link to this case in the show notes. It’s fascinating to read.
[00:05:11] SY: “Are you interested in monetizing Gail.com?”
[00:05:13] JP: “No, but thanks for asking.”
[00:05:15] SY: “Don’t you know you could throw some ads up and make money?”
[00:05:18] JP: “Yes, I know, thank you.” She must get this question all the time.
[00:05:22] SY: All the time. Yeah.
[00:05:23] JP: “For those who feel they need more advertising in their life, please have a look at our swanky Electronic Frontier Foundation ad below. If you believe in a free internet, please consider clicking on the link and donating to the EFF. If you have a question not answered above, feel free to send it to FAQ@gail.com. Thanks for visiting.” I’ll also point out. We did send an email to FAQ@gail.com. They neglected to take us up on our offer for an interview.
[00:05:51] SY: She’s super busy, man. She’s a very popular lady. She’s got stuff going on.
[00:05:55] JP: I love the idea that way, way back in the dark ages of the internet in 1996, I think I was on AOL dial up in ’96. That Gail and Kevin, if those are their real names, which we think they are, they were able to just go to a register and register Gail.com and Kevin.org and have a nice match set of domain names. I mean, just any four letter or five letter domain today is hundreds of thousands of dollars to register.
[00:06:25] SY: Absolutely. And I don’t know if you’ve been noticing this, but I’m seeing a trend towards those expensive domain names again. Before, I feel like we were very comfortable dropping vowels and letters and making things shorter, you know what I mean, just to kind of make it work. We added like, “Hey,” to the beginning or go to the beginning of our domain names just to make it kind of work. Like even Forem, right? We went out and we found Forem.com, which is like a legit name that I’m sure it’s probably hard to get. So I feel like we’re kind of moving back to the Gail.com era of trying to get those really simple domain names again. So I’m sure hers is even more valuable today than it was 10 years ago.
[00:07:06] JP: If you ever look around for like four or five-letter domains, there’s this great site I’ve used in the past called domainnamesoup.com.
[00:07:13] SY: Oh, what is that?
[00:07:14] JP: You can do letter searches. So you can say, “I’m interested in a four-letter domain and I would like it to start with, oh, let’s say G.” It’ll just give you a list of all the possible letter combinations, starting with G and it’ll tell you which ones are available and which ones are taken.
[00:07:30] SY: That’s awesome.
[00:07:30] JP: Spoiler, they’re all taken.
[00:07:31] SY: Yeah.
[00:07:34] JP: But I definitely remember a good number of years ago. I’ve worked at companies that have considered changing their names to match a four or five-letter domain name that was available versus what the company was named.
[00:07:47] SY: Wow! Yeah, I see that. I totally believe that. But what a little gem of the internet, right? I mean, this isn’t new. This has been around for a long time and it seems like it’s kind of making the rounds yet again recently, but I just love this. I love that there’s this woman, her name is Gail. She’s got Gail.com. She’s got a little FAQ. She uses ProtonMail, which is very old brand.
[00:08:07] JP: Very old school. Oh, yeah.
[00:08:09] SY: Yeah. It tracks. She just wants you to give a little bit of money to EFF, like that sort of thing. She’s like, “If you got money, give it to the Electronic folks. Thanks for stopping by.” I love it.
[00:08:19] JP: Yeah, best I can figure. I took a look at the Internet Archive Wayback Machine, that’s at web.archive.org, and you can take a look at websites back through time, they call it, and it looks like until about 2010, Gail.com just had a real nice old school under construction image on it. And the FAQ has gotten longer as the years have gone on. So it’s kind of interesting to see how Gail.com has also evolved.
[00:08:47] SY: Yeah, absolutely. I’m so glad that our producer found this, I think. Was it you, Levi? Was it Levi?
[00:08:53] LS: It was me.
[00:08:57] JP: Be honest. You were scoping for Levi.com. Weren’t you?
[00:08:59] LS: No. I was scouring the Twitter feed again, just like is my want and it popped up. Somebody else had spotted this.
[00:09:08] JP: This is delightful. It’s from another age of the internet. I think it’s absolutely delightful.
[00:09:30] JP: Now for some darker news, we also want to give a trigger warning for anyone who’s sensitive to topics of sexual harassment and self-harm. Last season, we had talked about the instability of the video game industry with Jason Schreier, Reporter at Bloomberg and Author of Press Reset, where we got into the pattern of follies and blunders video game studios make leading many to shut down and their overworked developers displaced without much in the bank and having to start over again.
[00:09:54] JS: I think studio shutdown can happen for lots of different reasons. I mean, sometimes a studio releases a flop or runs out of money. Sometimes it’s just corporate shenanigans up above, like with Disney, launching a bunch of studios and then deciding a few years later, “Actually, we don’t want to get into games. We don’t want to be in games anymore.” So really, it can happen for all sorts of reasons. But the through line is that when it happens, workers are just screwed. So it’s up to the kind of generosity of management whether those workers will get severance, whether they’ll get proper notice ahead of time and all the other things that you might expect in a humane society. So that’s kind of the biggest thing is that there are no protections in place. The other through line I would say is that this volatility has led a lot of people to burn out of the video game industry, and that’s like a real problem, I think. It feels unsustainable. And I think the main reason for that is that if you lose your job in the games industry, you might have to move across the country or across the world for your next gig.
[00:10:53] JP: Now we’re going to talk about another terrible aspect of at least one major video game studio to some of its developers. After a two-year investigation by the California Department of Fair Employment & Housing, the agency found that the large video game company, Activision Blizzard, which has made major blockbusters like World of Warcraft and the Diablo franchise, cultivated a “frat boy culture” that led to rampant discrimination, sexual harassment, and unfair pay towards its women employees. In the suit against the company, which we’ll put in our show notes, the State of California writes, “Unlike its customer base of increasingly diverse players, defendant’s workforce is only about 20% women. Its top leadership is also exclusively male and white. The CEO and president roles are now and always have been held by white men. Very few women ever reached top roles at the company. Women that do reach higher roles earn less salary, incentive pay, and total compensation than their male peers.” The women would also receive lower starting pay for similar positions as their male counterparts and women would also be promoted more slowly and terminated faster than men. The investigation also found that women would often have to fend off unwanted sexual advances, including groping, unwanted sexual comments and other forms of harassment from their male coworkers, including high ranking executives and other members of leadership. One disturbing part of the suit states, “In the office, women are often subjected to cube crawls in which male employees drink copious amounts of alcohol as they crawl their way through various cubicles in the office, and often engage in inappropriate behavior towards female employees. Male employees proudly come into work hung over, play video games for long periods of time during work while delegating their responsibilities to female employees, engage in banter about their sexual encounters, talk openly about female bodies and joke about rape.”
[00:12:38] SY: Jesus!
[00:12:39] JP: Another especially horrific part of the suit talks about a particularly heinous example of the sexual harassment where “a female employee committed suicide during a business trip with a male supervisor would brought butt plugs and lubricant with him on the trip.”
[00:12:53] SY: Oh my God!
[00:12:53] JP: Wow! The suit also details how human resources failed to take effective measures about the many complaints they received towards unlawful harassment, discrimination, and retaliation. More than 2,600 current and former Activision Blizzard employees have signed an open letter in support of the lawsuit. And employees are planning a walkout this week in support of it.
[00:13:14] SY: Wow!
[00:13:15] JP: I mean…
[00:13:17] SY: Are we surprised? I guess is the first question. I mean the gaming industry, I know someone, a good friend of mine, who’s been in gaming for many, many years. She’s highly technical. She’s an engineer. She’s absolutely brilliant and she’s had to just fight her and claw her way through that industry to get the respect that she deserves and she’s always telling me just how difficult it is to be a woman in the gaming industry. So I can’t say that I’m particularly surprised. And we all remember like Gamergate and all of the women gamers out there who have been harassed, doxed, et cetera. Unfortunately, I’m not surprised.
[00:13:56] JP: I’m not surprised that it exists. I think it’s the scope of the claims about the harassment. I don’t know. I really shouldn’t be surprised at all. It’s horrible. It sucks when it’s so baked into the culture, we should say allegedly, at a company and it’s so pervasive that I just feel for all the employees that have been trying to change this and how many brick walls they must have hit for the state to come in and press a lawsuit. States don’t do that just on a whim. Right?
[00:14:28] SY: That’s what I was wondering. It’s like, “Wow! What was the story? What were the series of events that led to the state getting involved?” That’s a lot. That’s deep.
[00:14:37] JP: Right. Because they will usually not bring a lawsuit unless they think they can win, and it’s a pretty open and shut case. And for the state to bring a lawsuit against a huge employer, like Activision Blizzard, I think at last count pre-pandemic, they had almost 10,000 employees.
[00:14:53] SY: Wow!
[00:14:54] JP: That’s pretty serious.
[00:14:55] SY: That’s a lot.
[00:14:55] JP: So that means there must be so much evidence and so many instances of this happening that the state finally compelled to finally do something about it.
[00:15:04] SY: Absolutely. And they’re doing a walkout. So it’s not just the suit. It’s also something the employees are taking action about, the 2,600 current and former employees kind of banding together and showing that they’re not just going to wait for the suit, they’re going to do something right now, something that they can do, which is walk out. So kudos to them for taking action alongside the suit as well.
[00:15:26] JP: Yeah. There were some statements that came out from the current head of HR that a lot of the employees thought were pretty not great. There’s been a lot of PR maneuvering by Activision Blizzard to try to say what companies always say in this case, as these were isolated incidents, they go against their policy, et cetera, et cetera. It’s hard to see where the company will go from this. I’m really curious to see what will happen as part of the legal case. And if we see any kind of settlement, I hope the current and former employees that have been impacted by this, and that’s frankly, honestly, every female employee that has ever worked there, it sounds like, get something out of this. I'm struggling to see how any kind of a court decision can even start to make this better.
[00:16:15] SY: And that’s what I was wondering. It’s like you have this really deep, it sounds like, as you said, allegedly a very deep embedded culture of misogyny and drinking, which, I mean, I swear like the integration of alcohol and work has always been very confusing to me. I get if you go to a happy hour after work, but I’ve been at companies where they drink during the day. And I’m just like, “What are you guys doing? We have stuff to do. What are you doing?” But anyways, and so I’m wondering, where do you go from here? You get sued, whether or not it was successful, I’m sure it’s going to set waves in the game. Hopefully, it sets some type of impact in the gaming industry, but then what? Do you just fire all the executive people and hire more nicer people? Is that the solution? What’s the cleanup look like?
[00:16:59] JP: I'm pretty sure that’s not what’s going to happen.
[00:17:01] SY: Probably not.
[00:17:02] JP: I can’t imagine all the executives are going to be like, “Well, okay, we’re out.”
[00:17:06] SY: “I did a bad job. I’m done.”
[00:17:08] JP: Right. How do you even start to fix that?
[00:17:08] SY: So is this even a fixable problem? Exactly. Is it changeable? Or do you just have to, as an employee, go to a different company and just hope for something better?
[00:17:17] JP: Yeah, I’m really curious what will happen. Well, Activision Blizzard, will they have to pay fines? If they pay fines, do employees get any of that money?
[00:17:26] SY: Right. Where does the money go?
[00:17:28] JP: Yeah, I'm really struggling to see how this gets better. I salute everyone that has spoken out about this, everyone that’s walking out. I think it’s an incredibly brave thing to do for every person that’s walking out or signing that letter. There’s probably five to ten more that don’t feel secure enough at their jobs to have the luxury to do that.
[00:17:45] SY: Absolutely. So now onto the Freedom Phone. Eric Finman, whose claim to fame is buying $1,000 worth of Bitcoin as a teen and ending up a millionaire, announced the creation of his own independent $500 smartphone preloaded with a bunch of banned and not banned conservative leaning apps, and with a mission of protecting users First Amendment rights and privacy.
[00:18:08] EF: I made it in Silicon Valley and I’ve accomplished a lot in my life already, but now I’m leaving big tech to fight for free speech because the big tech overlords are violating your privacy, censoring your speech, and I think that’s so wrong. That’s why I created the Freedom Phone and its uncensorable app store.
[00:18:27] SY: Now, to be honest, I was at first hesitant to talk about this and kind of give it any press, but I think it’s worth mentioning for a few reasons. For one, there is major criticism of the idea to create a completely uncensorable app store just in general, not only are you inviting potential vitriol and hate speech to run rampant, but it’s also sure to be a vector for malware. There’s a good reason why apps are vetted and censored beyond its content. I thought that was worth the conversation. The second is that this isn’t the first independent phone with the mission to protect users’ privacy. Another one such phone is called the Librem 5, which is manufactured by Purism. And coming up next, we speak with Purism’s chief security officer to compare and contrast its mission with something like the Freedom Phone and what are the issues companies should consider when creating their own phones and what consumers should consider when choosing to use a phone that’s created by companies outside of the major sellers after this.
[00:19:42] SY: Here with us is Kyle Rankin, Chief Security Officer at Purism. Thank you so much for joining us.
[00:19:48] KR: Thank you for having me.
[00:19:49] JP: Let’s talk a little bit about Purism. Tell us about the company and the work that you do there.
[00:19:54] KR: So what we do is we make hardware, so laptops, servers, mini PCs, and a phone that all run free software. They’re all also focused on privacy and security. So in the case in particular with the laptop and the phone, they both have hardware kill switches on the side or on the top, depending on the device where you can flip them and it actually cuts the circuit for the webcam and microphone and separately for the Wi-Fi. And then on the phone also for the modem even, it will cut the power. And we also promote a version of an operating system called PureOS that is running a hundred percent free software. And the idea behind that is, one, for security people, you can audit it and see what’s happening behind the scenes. For people who are developers, you can modify all of the software. It’s all based on this giant stack of free software that’s been around for a long time. And so you can modify it, you can audit it, all of that sort of thing. It’s probably important to say that Purism is a social purpose corporation. So what that means is that different states have the ability to incorporate something like a benefits corporation in some places, essentially what it allows us to do is be a for-profit company, but we can instill our ethics and values into our corporate charter. So in our case, our corporate charter says things like, “We will use free software whenever possible. We will protect the privacy and security of our customers,” things along those lines. And it allows us to have something to point to sort of like govern how we run the company. It also helps protect us in the future in case let’s say that someone wanted to invest in us and then force us to violate our ethics just because it would be more profitable, we can point to our articles of incorporation.
[00:21:39] SY: I want to dig into the phone that you just talked about, the Librem 5, which you mark it as “a security and privacy focused phone with a secure supply chain”. I want to unpack that a little bit. Let’s start with this idea of it being secure and private. What makes it more secure and private than say the standard Android and iPhone that we are familiar and used to?
[00:22:03] KR: It starts from the fact that we, as a company, have put privacy and security into our charter and as our obligation, we’re starting from a foundation of not wanting to collect people’s data and not wanting to monetize data. So for example, on Android, sort of the fundamental function of the operating system is to collect data at least for Google and usually also for the apps that you install after the fact. So it’s sort of baked into the OS. We start by not putting either Android or iOS on the phone, but we use PureOS, which is the same OS we use on our laptops. And so it’s not impossible to hide spyware or to attract people using free software. It’s certainly possible, but it’s more difficult to hide it because people can audit it. And more importantly, not only if someone notices that someone is starting to like capture my contact list, let’s say, on an application, if it’s free software, people can simply fork the application and make a separate version of it that removes all of those bits that they don’t like. So that helps sort of govern this community of developers so that there’s less of a risk of that. So it starts by doing that, by being on a foundation of free software. On top of that, we also add things like the hardware kill switches. We believe that the individual that’s holding the device should be in control of the device. They shouldn’t have to transfer all of their trust to us, the company, to be secure or to have privacy, which is normally the model you’d see on Android or iOS. The idea is the individual should really hand over trust to either Google or Apple to protect their security and privacy and not really have a lot of agency themselves. Our standpoint is the individual should have control over all of that. So that’s one reason why we put hardware kill switches on our phone because we want the individual to say, “You know, I’m concerned about perhaps the recent Pegasus Spyware that hit the news recently and people are concerned about that. Well, what’s your recourse?” If you’re an individual, you can look to see whether you’ve been affected, maybe if you can find the tools to do that. But if you’ve been infected, you have very little recourse. In our case, what we’re saying is the individual even has the ability to turn off the cameras and microphone on their phone whenever they want and no sorts of malware, spyware could do anything about it because it’s physically disabling the device. The same thing goes with the modem and the Wi-Fi card. Basically all of the sensors that are in your phone that normally you don’t have much control over or if you do have some control, it’s like an airplane mode button that’s purely software. Our approach is to put those controls in hardware so that when you turn them off, you can know for a fact that they’re turned off.
[00:24:46] JP: One of the other things you mentioned is a secure supply chain. I’m wondering if can you tell us, what is a secure supply chain and why is it so important?
[00:24:53] SY: So there’s a couple of different aspects of having a secure supply chain. One of them is the software itself. And on that side, that’s where free software becomes so very important. Because what we can do, because we can see every bit of source code that goes into our operating system, we’re able to track that source all the way to the developers who wrote it and even have the option to do something that’s called reproducible builds. Because even though our software is built with source code, like everybody else, but it then gets compiled into binaries that you can’t necessarily easily read. Because we’re using free software, we have the ability to take source code that someone’s written, build a binary out of it, and then compare it to the results that we made or that someone else made and see whether it’s changed. So basically, we have a complete audit trail from the moment that someone wrote source code to the binary that’s running on your system. Most of the software on our operating system are working to have a hundred percent coverage there. So you don’t necessarily have to trust Purism when we say the source code that you can read and inspect matches the software you’re actually running on your system. You can audit that and third parties can audit that. But beyond that, also, when it comes to the phone, something else that we’ve done recently is we have a Librem 5 USA version of the phone that allows us to tighten up the hardware supply chain as well. So we for a long time worked to secure the software supply chain on our devices. But with the Librem 5 USA, what we’ve done is we’ve built a completely separate supply chain for the electronics and the device. So what we call the PCBA, the main board inside the phone, is made in the USA and qualifies for that. And that required us to build a completely independent supply chain of parts, everything down to individual little resistors and all of those, all of those circuits and chips that we then build in our facility in California. The idea is to have as few hops as possible, less because we don’t necessarily trust some other country or some other company to make things. For instance, we did this years ago for a USB security token that we still call the Librem Key, where we have a good relationship with the original company that designed the device named Micro Key, but they manufactured their keys in Germany. And while they are a trusted company, we decided it would be to our benefit to manufacture them in the United States and our facility just because we have that much extra oversight and control over the device. We can look at it from the moment that it’s a bare board with no chips on it all the way to the point that it’s a packaged device and it’s completely under our oversight.
[00:27:37] SY: So I want to get into the operating system itself, PureOS. You say that yours is a fully free, ethical and open source operating system, not based on Android or iOS. How and why did you create this independent operating system? I imagine it would have been simpler just to take Android and kind of skin it and modify it and do your own thing. Why did you just start from scratch?
[00:27:59] KR: When we created a phone, we realized what we want to do is create the same freedoms and the same software that we appreciate on our laptop on the phone. Because we view the phone as just another computer, instead of it somehow being different from the computer that you would use like a laptop or a desktop computer. We want it to run the same software and run the same operating system that has fully free software. And that’s not easily an option on Android, but more importantly, if we did it with Android, what we wanted to create was what we’re calling a convergence device. And what that means is you can take our phone, and I actually do this myself. I’ve replaced my previous laptop with my phone plugged into a laptop dock, which is basically you can think of it, like if you took a laptop screen and keyboard and battery but took the computer out of it, and I dock my phone to it and I use it as my full laptop and using the same exact software that I would use on my laptop. And when I plug it in, I have a full laptop that has all of that software. When I unplug it, it’s all sitting on my phone. And because it’s that same software that we trust the individual has control over what their phone does, we wanted to build a foundation that respected people’s privacy. And there are certainly a number of Android projects that are built off of free software that you can audit and that have privacy protections in place, but we still felt like the foundation makes you beholden to Google for instance for how they’re doing updates. So for instance, recently they have announced that they are getting rid of their traditional packaging format for Android applications, and they’re replacing it with a new packaging format that requires you to go through their play store, which will sort of put them once this transition completes so that all applications have migrated to that new format, a risk that a lot of Android developers will have is if they decide not to use the new packaging format, they may be locked out at future Android devices. And Android could very well remove the ability to side load up applications, which it’s gotten into the news a lot about how on Apple devices, they can control which applications you’re allowed to install. And on Google, that’s true too if you go through the Play Store, but there’s always been this sort of side channel where you can side load applications that aren’t necessarily in the Play Store. This removes that opportunity. Now for us, we didn’t want to have that kind of control over individuals. We think that if you have a device, we don’t own the device. You should be able to do what you want to with it.
[00:30:29] JP: So what is it about iOS and Android operating systems that might not make them as secure as PureOS?
[00:30:38] KR: So to me, I would say both of them are very secure operating systems, but the difference is how they achieve that security. In both cases, the way that they secure themselves is by locking everything down so that it’s under their control and less under the individual’s control who has the device, which is marketed in the name of security, but it’s really more about the vendor having control over the device because it’s in their interest to have tight control. And because we are basically in a duopoly on the phone market where you have two vendors, essentially, that control that market, they have a lot of say over what happens in those markets. And so having tight control, you’re seeing this in particular Apple’s been leading the charge for a long time. So they’re ahead in terms of these security measures. And again, they’re marketed for security, things like having hardware on the device that verifies that every bit of code that runs on the device is approved by Apple. I mean, they have very sophisticated security measures and very intelligent security teams that are incredibly talented. However, I still believe that security is the, is what they market these measures for, but the reality is what it comes down to is it gives Apple control over how you use the device. And if you decide to use the device in a way that they don’t want you to or if you wanted to use software from a competitor of theirs that they don’t approve of, they have the authority to stop you. And we’re starting to see more and more of the last couple of years them exercise that authority more where in the past it was always sort of a looming threat. And on Macs, for example, on Mac laptops, it’s not the case yet. You can still install software from a third party, even if Apple doesn’t approve of it on a Mac. But on an iPhone, you can’t.
[00:32:26] SY: Yeah.
[00:32:26] KR: And there’s a transition into that on Macs you’re going to start seeing in the coming years. They already are working toward that because in the recent deposition with the Epic versus Apple case, you had one of the VPs talk about the fact that they view their Macs as inherently less secure than their iPhones because they don’t have that ability that you can install whatever software you want that hasn’t been approved by Apple. They made a strong case for why they feel like they’re the only people that should be trusted to decide what applications can run on your hardware. So it’s clear that if you work there as an executive and you believe that, then you’re going to be building Macs in the future that you’re going to be locking down. I believe essentially iOS and macOS will merge at some point and be a single operating system with the same kind of controls that iPhones have. So all that to say, I think that there’s a lot of security to be had there, but there’s a lot of security inside of a jail cell too. You’re very safe inside there.
[00:33:24] SY: Yikes!
[00:33:25] KR: Right?
[00:33:26] SY: Are we comparing the Apple and Android platforms to being in jail?
[00:33:31] KR: No. See, I mean, a lot of people will use that kind of rhetoric. To me, I don’t go that far, but I do liken it more to like… a lot of people feel like they’re like in an elite gated community with those devices, like, “Yeah. I have some restrictions.”
[00:33:44] SY: Right, the whole gated garden. Yeah, the idea, right, a walled garden.
[00:33:46] KR: Yeah. I have to pay a homeowner’s association fee and I do have to make sure my lawn is tidy, but they keep the roads nice and it’s nicer in here. But the reality is closer to I would say more like a nursing home.
[00:34:02] SY: I love all these analogies.
[00:34:06] KR: And again, there’s plenty of legitimate reasons to live in a nursing home. They provide excellent care for people that need that kind of assistance. However, most of us don’t choose to live in a nursing home right now. And it’s because while we might appreciate having all of our meals planned for us and all of the extra things that go along with that, we also appreciate the freedom that goes along with living in the house that we choose and all of the other things. So there’s certainly valid reasons for you to have phones that are locked down to a degree perhaps because you have children and you want to be careful about what they have access to, that sort of thing. But when it comes to regular adults, I would say that the restrictions that you find on devices like iPhones are much closer to being in a nursing home where you sort of have to get permission to do anything. You don’t necessarily have a lot of autonomy. You have autonomy within sort of the bounds that they’ve defined for you, but the moment that you break out of those bounds, you find very quickly that you’re not allowed to just do whatever you want.
[00:35:06] SY: So we’ve talked mostly about the benefits of having an operating system that’s not Android, that’s not iOS based, but I’m assuming there’s some trade-offs too. So what are some downsides? What do you kind of give up? What do you lose by using an operating system like PureOS?
[00:35:23] KR: One of the things that some people will notice, and this has been sort of traditionally the same thing if someone is used to running a Windows or Mac computer and then they switch over to something running either Chrome OS or a Linux distribution of some kind where if you’re used to a particular application and that developer hasn’t decided to port the application to the other platform, then you have to look for an alternative if one exists. So there are some applications, for example, like Clubhouse that only work on the iPhone. And if you’re an Android user and you want to join Clubhouse, you’re sort of out of luck. So there are applications like that that haven’t been ported, just like they may not have been ported yet to Android, they may not have been ported to PureOS or Linux distributions like PureOS in general. So you have to end up looking for alternatives for things. Now when it comes to Android and iOS applications, because our phone runs the same applications as our laptops do, we have this huge suite of applications, but they’re not phone applications. They are desktop applications that we over time have worked to adapt to the phone so that they fit on the screen and they work well on that smaller screen, but they’re the same exact applications. And if you put them on a bigger screen, they function like the bigger version of the application because they are the bigger version of the application. But if you’re used to an Android specific program, there’s a chance that it may not run natively on our phone. However, there are also some emulators that are available that you can use to run some Android applications on our platform too.
[00:37:00] JP: So switching gears a little bit, we’ve heard a lot in the last couple of weeks about something called the Freedom Phone and they also market that device as a privacy first phone. I’m wondering if you’ve heard about this phone and what you think about it.
[00:37:17] KR: Yeah. Yeah. I’ve been following some of the stories about it as well. Yeah. I mean, I know a reasonable amount about it as much as I guess anybody else because a lot of the details are sort of hard to find right now.
[00:37:27] JP: Right. It’s not shipping yet.
[00:37:29] KR: I mean I was sort of expecting a project like this to crop up. We saw something similar, like right after the Snowden revelations, and everyone was really concerned about like spying on their phones and that sort of thing, what you saw was a number of startups that would take sort of an off-the-shelf Android device, and then make some customizations to the free versions of Android that were available and maybe install a couple of security-focused applications, maybe do a couple of other tweaks and then sell it as a new bundled secure phone. You saw a number of startups came and went over the last five years, for instance, that had that business model. And what I think Freedom Phone signifies is we’re seeing a new approach where some people are realizing that there’s some money to be made in doing a bundle that’s instead of focused on security apps and sort of curated security apps, it’s curated privacy apps. So like in this case, I believe they use one of the free versions of Android and then they include one of the sort of free versions of Play Store. Their Play Store apparently uses Google’s Play Store as a backend. It’s unclear, but that’s what sort of people that are looking at screenshots are sort of deducing from it. But yeah, so it seems like basically it’s like sort of a curated collection of Android applications, I suppose, for folks that didn’t want to go to the trouble of setting them up themselves. I mean, again, there’s plenty of other projects out there that you can get an Android device that isn’t running Google’s version of Android, but running sort of a free version of it.
[00:39:00] SY: So one of the other major differences between your products is that the freedom phone is said to not only come with some apps that have previously been banned from the traditional app stores, but that they have their own “uncensorable” app store, which will let basically any app go through. That sounds like a nightmare scenario to me, but you are the chief security expert in the conversation. We’re not sure of course the implementation of their version of this, but just theoretically, when people hear uncensorable, it might sound appealing and that, “Oh, anyone can say anything and we’re free.” But in reality, is that maybe the right way to go?
[00:39:41] KR: So setting aside for a second some of the ethical questions around censorship, if we set that aside for a second and just talk about the security implications of it, one major problem that even the Google Play Store has now with all of the resources that Google can bring to bear on a problem is counterfeit applications, applications that have malware and all of that sort of thing. And the problem is, is that because you can’t inspect the source code, it’s very difficult for an individual to know what’s what, and it’s very easy for someone to write a malicious application and then publish it. And in this case, if you don’t have any sort of ability to moderate that, then Android is a right platform for having an application gobble up all the data and ship it somewhere. I mean, there’s already plenty of applications like why does my calculator need access to my contact list.
[00:40:31] SY: Exactly.
[00:40:32] KR: As a result, my concern would be if you’re making no attempt to moderate what applications you have on your platform, and especially since it looks like they might be back ended by the play store anyway, but if you’re making no attempt to moderate that, how are you going to protect users? Since you’re not looking at necessarily going to be going through all of the source code, maybe you’re not censoring things, but how are you protecting users from actively malicious things that are going to steal their data?
[00:40:57] SY: Going back to the nursing home example, which is a little bit of a morbid analogy. We don’t have generally good feelings about nursing homes, I think, but one of the benefits is it does keep people safe, right? Especially if you are a senior citizen who has Alzheimer’s, dementia, any type of issue where you might need a little bit support, if you do it right it has the potential to keep you safe. So in that sense, that is a service that we do get from the app stores that are not a free for all as we do get some of that protection.
[00:41:29] KR: Yeah, absolutely. Yeah. And like you said, there’s plenty of legitimate value for nursing homes for people that need that extra care. Absolutely. And when it comes to phones, whether every individual needs that level of care or not to be safe, my argument would be that I think most people don’t need that extra level of protection to be on the internet and to own a computer. But other people do feel it’s an advantage, I suppose. One of the things that the Freedom Phone points to is one of the legitimate concerns about it that it points to is the concern about having two companies that have complete control over the software that is installed on computers that people use. And there are legitimate problems with that because it does put an immense amount of power in two companies’ hands to decide what software is allowed to exist. So this sort of comes out of, I think, a legitimate concern over that. And what appoints to beyond Freedom Phone one way or the other is a need to have alternatives. Because with alternatives, you don’t necessarily have beholden to just two companies to decide what software is allowed to exist. And the current trend is definitely going more and more toward the vendor that makes your computer gets to decide what software goes on it because there is a very lucrative market now in getting a cut from your app store. And there’s, again, a number of lawsuits against Apple and there’s concern with Google in the same way that if you’re a company that sells software and you’re in that business and you decide that you’d like your software to run on an iPhone, you have to give Apple a cut of your proceeds. There’s literally no way around it. Right?
[00:43:13] JP: What advice or guidance would you give to consumers that are perhaps considering the Freedom Phone or considering any kind of phone purchase? What sort of questions should they be asking about their privacy and security needs?
[00:43:28] KR: Yeah, a couple of things. So one is how much control will they have to not only install software that they want to install on the device, but also remove software. One big problem that is both on a lot of desktop computers and even worse on phones is the fact that in particular with Android phones is often whatever company you buy the phone from gets to pre-install applications on your phone. And in many cases, Android allows them to control whether you’re allowed to remove them. That’s the bigger concern. So you’ll end up with a device that has maybe games and all these other applications. And in particular, you’ll see this a lot in sort of the mid and low range phones that are competing on very razor thin margins. And the reason you see them there is that those companies get kickbacks from the app developers to pre-install those applications and promote them, either just directly from getting money for pre-installing them, and in those companies, the incentive is not simply just marketing, but the incentive is also by having it pre-installed and the user can’t remove the application. If those applications happen to capture your data, say, they are a calculator app that gets your contact list or gets your browsing history or that sort of thing, that’s incredibly valuable information for them to have that they can then sell.
[00:44:49] SY: So I want to talk about the role of the independent phone producer because as you mentioned Purism isn’t the only place that’s done this or tried this. Freedom Phone is not the first either. There are many attempts at making this happen, some more successful than others. And so I’m wondering, as an independent phone producer, what are the different things that you’ve kept in mind that you think others should keep in mind when it comes to creating your own phone, especially if it’s intended or hoped for wide consumption?
[00:45:21] KR: There’s a couple of things. So the biggest one, and this is one that people will talk to us a lot about with our own devices is there’s a concern about number of applications. So in particular, if you’re not using Android, I mean, iOS really isn’t an option for an alternative. You’re not going to get Apple’s permission to use iOS on a device. So that’s sort of out as an option. So in terms of phones, we’re talking about Android alternatives. So the first thing that can sit for people to think about is, “Okay, if we’re going to be basing a platform on Android, then where are we getting the software from? Are we going to use the Play Store?” If so, then you sort of are subject to a lot of Google’s control over the device if you go that route. If you’re using one of the alternative application stores, then you have to think about, “Are you using one that’s curated by another party?” Or if you’re going to do that yourself, that’s also a whole lot of effort to manage all of the software that’s going into your own application store. Beyond all of that, like in our case, because of the approach that we took, we’ve had to expend a lot of effort in software development to achieve what we’re trying to achieve. How you deal with a mobile interface what application platform you’re going to be based on, I think that’s the biggest thing for someone making an alternative phone needs to think about. And the other one is there’s already so many of these alternatives on the market in terms of Android projects. But one of the reasons that they sort of are launched and then die is that it’s really difficult to keep up with Android hardware. And a lot of times when you get a particular Android phone, the hardware sort of locked in place where you have a particular version of Android runs on that particular version of hardware and it’s all very disposable. An average Android user will probably keep their phone maybe two, three years before they look for an alternative. And in most cases, these vendors only ship updates for a particular phone for maybe two years, maybe three or four on the upper end for security updates. And so that’s the other thing to consider is, “Okay, if you’re creating this phone, are you creating something that’s going to be e-waste in two or three years where the end user either, if they want to be secure, they need to have updates? But if you’re no longer going to provide updates after a couple of years, what’s the user supposed to do then? Are they supposed to throw away the phone and buy your latest phone? Or how are you going to address the longevity of the phone?” Because we have a massive problem right now with e-waste in phones.
[00:47:52] JP: I’m curious. Before the Librem 5, what phone did you use and what was your experience like?
[00:47:58] KR: I have always had sort of a challenge when my choice is between Android and iOS, because it really put my own sort of ethics on the balance scale. So like, “What do I value more? Do I value my freedom more? Do I value my privacy more? Do I value my security more?” Or because either of those choices, where they rate those three options is different. So I ended up getting an Android device before the Librem 5. I guess because even though I value my privacy, I suppose I’ve valued my freedom a little bit more. So that combined with the fact that when I got that phone, I also happened to be working at a company that was all in on the Google Apps Suite. So it was sort of like a company phone in a way where, “Okay, well, we’re going to be using Google Calendar for everything, Google Drive,” and all of those, everything else that’s wrapped into that. And so I’m already in that ecosystem. I might as well go all in. But I have to say, it’s really nice now knowing that I have zero tethers to Google with any of the applications on my phone now. It’s all sort of under my control. It feels very freeing, I guess.
[00:49:04] SY: Well, thank you so much for being on the show.
[00:49:06] KR: Thank you for having me. It’s been my pleasure.
[00:49:19] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at firstname.lastname@example.org. Please rate and subscribe to this show wherever you get your podcasts.