The Freedom Phone is not great at privacy
Apr. 16th, 2022 04:03 pm
The Freedom Phone advertises itself as a "Free speech and privacy first focused phone". As documented on the features page, it runs ClearOS, an Android-based OS produced by Clear United (or maybe one of the bewildering array of associated companies, we'll come back to that later). It's advertised as including Signal, but what's shipped is not the version available from the Signal website or any official app store - instead it's this fork called "ClearSignal".
The first thing to note about ClearSignal is that the privacy policy link from that page 404s, which is not a great start. The second thing is that it has a version number of 5.8.14, which is strange because upstream went from 5.8.10 to 5.9.0. The third is that, despite Signal being GPL 3, there's no source code available. So, I grabbed jadx and started looking for differences between ClearSignal and the upstream 5.8.10 release. The results were, uh, surprising.
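One way to triage a comparison like the one described above, as an added example that is not from the original post: hash every decompiled file in two jadx output directories and list what the fork added, removed or changed. The directory layout and the sample class names are constructed for illustration; only the `org.thoughtcrime.securesms` and `org.acra` package names are real.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def hash_tree(root):
    """Map each decompiled .java file (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.java")}


def diff_trees(upstream_dir, fork_dir):
    """Classify files as added, removed or changed in the fork."""
    up, fk = hash_tree(upstream_dir), hash_tree(fork_dir)
    return {
        "added": sorted(fk.keys() - up.keys()),
        "removed": sorted(up.keys() - fk.keys()),
        "changed": sorted(p for p in up.keys() & fk.keys() if up[p] != fk[p]),
    }


def added_packages(diff, depth=2):
    """Count added files per leading package, which surfaces bundled libraries."""
    return Counter("/".join(p.split("/")[:depth]) for p in diff["added"])


def build_sample(base):
    """Constructed stand-ins for two jadx output directories (not real Signal code)."""
    files = {
        "upstream/org/thoughtcrime/securesms/Main.java": "class Main {}",
        "upstream/org/thoughtcrime/securesms/ExpiryCheck.java": "class ExpiryCheck {}",
        "fork/org/thoughtcrime/securesms/Main.java": "class Main { int backup; }",
        "fork/org/acra/Reporter.java": "class Reporter {}",
        "fork/org/acra/Sender.java": "class Sender {}",
    }
    for rel, body in files.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(base, "upstream"), Path(base, "fork")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = diff_trees(*build_sample(tmp))
        print(result)
        print(added_packages(result))
```

Both trees need to come from the same jadx version, and classes renamed by the build's obfuscator will show up as an add/remove pair rather than a change.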
First up is that they seem to have integrated ACRA, a crash reporting framework. This feels a little odd - in the absence of a privacy policy, it's unclear what information this gathers or how it'll be stored. Having a piece of privacy software automatically uploading information about what you were doing in the event of a crash with no notification other than a toast that appears saying "Crash Report" feels a little dubious.
Next is that Signal (for fairly obvious reasons) warns you if your version is out of date and eventually refuses to work unless you upgrade. ClearSignal has dealt with this problem by, uh, simply removing that code. The MacOS version of the desktop app they provide for download seems to be derived from a release from last September, which for an Electron-based app feels like a pretty terrible idea. Weirdly, for Windows they link to an official binary release from February 2021, and for Linux they tell you how to use the upstream repo properly. I have no idea what's going on here.
They've also added support for network backups of your Signal data. This involves the backups being pushed to an S3 bucket using credentials that are statically available in the app. It's ok, though, each upload has some sort of nominally unique identifier associated with it, so it's not trivial to just download other people's backups. But, uh, where does this identifier come from? It turns out that Clear Center, another of the Clear family of companies, employs a bunch of people to work on a ClearID[1], some sort of decentralised something or other that seems to be based on KERI. There's an overview slide deck here which didn't really answer any of my questions and as far as I can tell this is entirely lacking any sort of peer review, but hey it's only the one thing that stops anyone on the internet being able to grab your Signal backups so how important can it be.
The final thing, though? They've extended Signal's invitation support to encourage users to get others to sign up for Clear United. There's an exposed API endpoint called "get_user_email_by_mobile_number" which does exactly what you'd expect - if you give it a registered phone number, it gives you back the associated email address. This requires no authentication. But it gets better! The API to generate a referral link to send to others sends the name and phone number of everyone in your phone's contact list. There does not appear to be any indication that this is going to happen.
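The lookup behaviour described above, next to a version that checks who is asking, as an added example that is not from the original post and is not Clear United's code. The in-memory user store, the session handling, the function names and the sample numbers and addresses are all hypothetical.

```python
import secrets

# Constructed sample data; numbers and addresses are placeholders.
USERS = {
    "+15555550100": "alice@example.test",
    "+15555550101": "bob@example.test",
}
SESSIONS = {}  # session token -> phone number of the authenticated account


def login(phone):
    """Stand-in for a real login flow: issue a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def lookup_unauthenticated(phone):
    """The behaviour the post describes: any caller gets the email for a number."""
    email = USERS.get(phone)
    return (200, {"email": email}) if email else (404, {})


def lookup_hardened(token, phone):
    """Require a session and only answer for the caller's own account."""
    owner = SESSIONS.get(token) if token else None
    if owner is None:
        return 401, {}
    # Same response for "not your number" and "not registered", so the
    # endpoint cannot be used to test which numbers have accounts.
    if owner != phone or phone not in USERS:
        return 403, {}
    return 200, {"email": USERS[phone]}


if __name__ == "__main__":
    session = login("+15555550100")
    print(lookup_unauthenticated("+15555550101"))      # leaks another user's email
    print(lookup_hardened(None, "+15555550101"))        # no session
    print(lookup_hardened(session, "+15555550101"))     # someone else's number
    print(lookup_hardened(session, "+15555550100"))     # caller's own record
```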
So, from a privacy perspective, going to go with things being some distance from ideal. But what's going on with all these Clear companies anyway? They all seem to be related to Michael Proper, who founded the Clear Foundation in 2009. They are, perhaps unsurprisingly, heavily invested in blockchain stuff, while Clear United also appears to be some sort of multi-level marketing scheme which has a membership agreement that includes the somewhat astonishing claim that:
Specifically, the initial focus of the Association will provide members with supplements and technologies for:
9a. Frequency Evaluation, Scans, Reports;
9b. Remote Frequency Health Tuning through Quantum Entanglement;
9c. General and Customized Frequency Optimizations;
- there's more discussion of this and other weirdness here. Clear Center, meanwhile, has a Chief Physics Officer? I have a lot of questions.
Anyway. We have a company that seems to be combining blockchain and MLM, has some opinions about Quantum Entanglement, bases the security of its platform on a set of novel cryptographic primitives that seem to have had no external review, has implemented an API that just hands out personal information without any authentication and an app that appears more than happy to upload all your contact details without telling you first, has failed to update this app to keep up with upstream security updates, and is violating the upstream license. If this is their idea of "privacy first", I really hate to think what their code looks like when privacy comes further down the list.
[1] Pointed out to me here
Awesome!
Date: 2022-04-17 04:28 am (UTC)
no subject
Date: 2022-04-17 08:58 am (UTC)
no subject
Date: 2022-04-17 01:34 pm (UTC)
I don't think Clear Foundation is linked to Scientology
Date: 2024-01-23 02:30 am (UTC)
No commentary or personal opinions implied.
Thanks!
Date: 2022-04-17 08:59 am (UTC)
It's always nice to see a-holes exposed.
Membership agreement
Date: 2022-04-17 09:58 am (UTC)
The relationship between Federal and State Agencies, the privacy of records, and non-participation in [medical insurance]: In addition, I understand that, since the Association is protected by the 1st, 7th, 9th, and 14th Amendments to the U.S. Constitution, it is outside the [jurisdiction and authority of Federal and State Agencies and Authorities] concerning any and all complaints or grievances against the Association, and Trustee(s), members or other staff persons. All rights of complaints or grievances shall only be settled by an internal Association Committee. Therefore, for the benefit of the association and its members, I agree not to seek any remedy for relief in the [Public Domain]. I agree that my violation of any part of this membership contract would result in a [no contest legal proceeding] against me.
...
The relationship of the services you choose to receive: I understand that the [doctors, nurses], and other providers who are fellow members of the Association are offering me advice, services, and benefits that do not necessarily conform to conventional medical care. I do not expect these benefits to include [on-call coverage, hospital care, or the usual and customary care provided by most physicians]. I will receive such [primary and specialist care elsewhere]. I fully understand that any benefits I may receive from the Association might or might not be covered by my [health insurance] and are not covered by [Medicare]. I fully agree not to file a lawsuit [malpractice, civil, or any other suit] against a fellow member of the Association, unless that member has maliciously forced me to a “clear and present danger that rises to the level of substantive evil” of “Criminal Intent”. I acknowledge that the members of the Association do not carry [malpractice insurance]. No member will intentionally cause any other member of the Association harm be it physical, spiritual, emotional, or financial. If such a danger arises, I will make a grievance report to the Association for an equitable decision against the other member(s).
...
Privacy and Safety of members and information: no malpractice insurance coverage: My activities within the Association are a private matter and I lawfully refuse to share with the [Public Domain, State Medical Board], the [FDA], [FTC], [Medicare], [Medicaid] or my own [insurance company] or any other [public corporation, including government agencies] without both my express permission and that of the Association. All records and documents remain as property of the Association, even if I receive a copy of them.
...
Why Join a Private Membership Association (PMA)?
In the US, there is a separation of Private and Public, (some refer to it as “church and state”).
...
In the Public domain, medical doctors are required to treat patients according to what is called the “standards of care”. These guidelines are considered mandatory edicts by medical boards. When a physician consults with a patient, the physician must apply a diagnosis code to represent what is wrong with the patient. Once that is done, the care of the patient is dictated by a set of standards established by drug companies, insurance companies, and federal agencies. These practices are enforced by insurance companies (refuse to pay) and medical boards (sanctions and licensing approvals). Many would assume that if a better way of treating the patient was discovered, their physicians would be free to use that therapy. That is not true. Physicians are not allowed to use the most modern methods until boards (who are highly influenced by pharmaceutical and/or insurance companies) decide to allow physicians to do so. Since much of what ClearUnited, but not limited to ClearCellular, ClearCenter and ClearUnited provide(s) is outside the scope of the “Standard of Care”, we operate as a safe Private Member Association (PMA) in order to lawfully provide our members with the most advanced therapies.
For some reason, the South Park iTunes EULA episode springs to mind.
Re: Membership agreement
Date: 2022-04-25 05:33 pm (UTC)
no subject
Date: 2022-04-18 01:24 am (UTC)
Can you provide commands
Date: 2022-04-23 02:39 pm (UTC)