Anonymity Concerns in Non-Whonix Qubes

This sort of thing comes up often, so I’ve just added a new FAQ to address it:

@adw: Thanks!

I would suggest adjusting the last paragraph “When you need privacy, use Whonix. When you use a non-Whonix qube, do not expect it.”, as it is a bit too strong and ignores the fact that Whonix doesn’t work for all websites.

Perhaps something along the lines of:

The Qubes Project understands that Whonix doesn’t work for all websites, and in some cases it should not be used at all, even if it would “work”. Provision of privacy in these situations is outside the scope of the Qubes Project; but you may be able to find some assistance in increasing your privacy in the Qubes Forum.

In short, when you need privacy, use Whonix if possible. But be sure to first take the time to learn how to use it correctly!

I actually like the hardline approach. Anonymity is really hard (and also loves company). It’s unlikely that anyone will come up with a better solution than Whonix / Tor so I feel it’s important to make users have no doubts about the anonymity being broken if Whonix is not used.

(Note: Even if using Whonix, anonymity is not guaranteed – if using applications without stream isolation)

I’m always open to improving the language, but I’m not sure I understand the suggestion.

I grant that Whonix (perhaps Tor Browser, specifically) may not work on some websites, which is entirely understandable. I think that falls within the domain of Whonix, not Qubes directing people to use Whonix.

We could say, “Use Whonix, except when you can’t, in which case don’t,” but that seems unnecessary. There’s no need to tell people not to do things they can’t do, since they can’t do them anyway! But perhaps I’m misunderstanding your suggestion.

Well, I was trying to add a bit of reality…

Taking @deeplow’s hardline suggestion, from the Qubes Project point of view there are really only a few hardlines:

  • Anonymity/Privacy is out of Scope
  • However Qubes Project recognizes it is a concern and is happy to incorporate and recommend Whonix (perhaps adding reasons - best of class, good working relationships, whatever)
  • This is in no way a guarantee - it is impossible given the current technology - even if used as directed - to guarantee Anonymity/Privacy

Beyond that are the simple realities that Whonix doesn’t always work, Whonix must be used in the right way, Anonymity/Privacy is also wanted when Whonix is not in use, Firefox or whatever will for sure be regularly resorted to, etc. Either the Qubes Project wants to recognize and address these realities in some way, probably by pointing users to the Qubes & Whonix Forums, or the Qubes Project wants to say nothing and ignore them. To me, the former is more “user friendly”…

I don’t think that not mentioning the shortcomings of Whonix in this FAQ entry is to ignore them. It’s simply to recognize that the Whonix wiki already covers them comprehensively. To mention them in a pointer to Whonix seems like unnecessary duplication of effort. Nothing is perfect, and no one should expect any software to be perfect. Not every pointer to a piece of software or recommendation of a piece of software needs to come with a disclaimer listing its flaws. That seems too legalistic.

At any rate, even if we did agree that such flaws should be mentioned, this FAQ entry would not be the place to mention them. Rather, the Whonix page (in the Qubes docs) to which this FAQ entry links would be a far more appropriate place. And you’re more than welcome to submit a PR against that page adding them. 🙂

Sorry if I wasn’t clear. Although of course including Whonix as part of this context, I was not trying to turn this into a Whonix shortcomings thing. (Especially since I use and appreciate it too!)

I was hoping to focus more on and address the expressed users’ desires for Anonymity/Privacy in other situations. It seems to me that a blanket, hardline “use Whonix” all-or-nothing-SOL statement just doesn’t address the concern, especially given all the Forum activity on this topic over the years.

But, your call!

What do you propose?

Ideas for your consideration, trying to include the basics of all concerns expressed so far:

Does Qubes OS provide anonymity or privacy?

Qubes OS is focused on reasonable security. However, Qubes OS recognizes the increasing concern for anonymity and privacy.

Users desiring anonymity and privacy will appreciate the integration of Whonix into Qubes, which makes it easy to use Tor securely. For more information, including how to use Whonix correctly & safely, please see Whonix.

What about anonymity and privacy in non-Whonix qubes?

Qubes OS does not claim to provide any anonymity or privacy (as opposed to security) to Non-Whonix qubes, including DisposableVMs. While some features of Qubes OS may coincidentally help anonymity and/or privacy, this is not their purpose.

Anonymity and privacy are far more difficult than is commonly understood, and cannot be guaranteed given today’s technology. In addition to the web browser, there is also VM fingerprinting and advanced deanonymization attacks that most users have never considered, just to mention a few examples. The Whonix Project specializes in protecting against these risks.

In order to achieve the same results in non-Whonix qubes (including DisposableVMs), one would have to reinvent Whonix. Such duplication of effort makes no sense when Whonix already exists and is already integrated into Qubes OS.

For anonymity and/or privacy, use Whonix (correctly).

If using Whonix is not possible or appropriate, anonymity and privacy are the user’s responsibility. In such a situation, you may be able to find some limited assistance in the Qubes Community Forum.

Thanks, @QubicRoot. I’ll update these entries, drawing on some of your suggestions. 🙂

Ideas for your consideration, trying to include the basics of all concerns expressed so far:

Does Qubes OS provide anonymity or privacy?

Qubes OS is focused on reasonable security. However, Qubes OS recognizes the increasing concern for anonymity and privacy.

Users desiring anonymity and privacy will appreciate the integration of Whonix into Qubes, which makes it easy to use Tor securely. For more information, including how to use Whonix correctly & safely, please see Whonix.

What about anonymity and privacy in non-Whonix qubes?

Qubes OS does not claim to provide any anonymity or privacy (as opposed to security) to Non-Whonix qubes, including DisposableVMs. While some features of Qubes OS may coincidentally help anonymity and/or privacy, this is not their purpose.

Anonymity and privacy are far more difficult than is commonly understood, and cannot be guaranteed given today’s technology. In addition to the web browser, there is also VM fingerprinting and advanced deanonymization attacks that most users have never considered, just to mention a few examples. The Whonix Project specializes in protecting against these risks.

In order to achieve the same results in non-Whonix qubes (including DisposableVMs), one would have to reinvent Whonix. Such duplication of effort makes no sense when Whonix already exists and is already integrated into Qubes OS.

I think this is untrue and unnecessary. There are alternatives to Whonix for users who value anonymity or privacy. (These are not the same, and should not be conflated.)

For anonymity and/or privacy, use Whonix (correctly).

If using Whonix is not possible or appropriate, anonymity and privacy are the user’s responsibility. In such a situation, you may be able to find some limited assistance in the Qubes Community Forum.

Or indeed, on the mailing lists. The Forum stands alongside other means - it does not supplant them.

“untrue” applies to the last paragraph beginning “In order to …”? Or do you think other things before that are untrue as well?

Re. necessary, Qubes & Whonix have a relationship that seems worthy of highlight. I also don’t believe that should be to the exclusion of other alternatives, but others have seemed to disagree.

Conflating wasn’t intended - yes, anonymity and privacy are different. Both have been mentioned, and the intent was to just list both. Appreciate better wording ideas!

Neither was slighting the mailing lists - was just in a “Forum mindset”. 🙂 Presumably @adw can phrase something more general regarding support avenues.

Many of your comments in the other multiple VPN thread are pertinent as well…

I’m sorry I was unclear. Both “untrue” and “unnecessary” were intended to apply solely to that paragraph. I believe the remainder is clear and sets out the position of Whonix within Qubes. There are alternatives and users may wish to implement them within the Qubes framework.

To be clear, while I greatly appreciate @QubicRoot’s feedback, I do not agree with all of it, so I did not use all of it in my last update. (However, I recognize and appreciate the willingness to help, which counts for a lot, even if we don’t agree on every last thing. 🙂)

In particular, I ultimately decided not to include the following final paragraph:

There are several reasons for this. To name a few:

(I agree that privacy, anonymity, and pseudonymity are importantly distinct concepts, but I’ll just use “privacy” below for the sake of brevity.)

  • In addition to it not being possible or appropriate, some users may simply choose not to use Whonix. But whether it’s impossible or appropriate can be very complicated. Some users may think it’s inappropriate only because they don’t know about bridges or because they have unrealistic expectations about alternative privacy tools, for example.

  • Privacy is always the user’s responsibility. Neither Whonix nor Tor can guarantee privacy, and it is always possible for users to compromise their own privacy while using such tools, no matter how good they are. (No privacy tool can stop you from telling strangers your real name in a chat, for example.) So, we don’t want to insinuate that privacy is the user’s privacy only when not using Whonix.

  • Users always have a chance to find assistance on the mailing lists and the forum, whether it’s about Whonix or non-Whonix stuff, privacy or non-privacy, as long as it’s Qubes-related. No guarantees, but there’s a chance.

You all can see what I decided to do in the live entries:


I believe that these are accurate, but I’m always open to suggestions for further improvement.

Regarding some of the points that have been raised:

  • VPNs are a matter of controversy. For example, the Whonix documentation states: “The consensus opinion of security professionals is that VPNs pose more risks than benefits, and it is for this reason Whonix ™ does not endorse their use.” In light of this controversy, I am reticent to make an official statement about Qubes OS privacy endorsing their use as an alternative to Whonix. It’s fine that we have (external) VPN documentation. It’s one thing to tell people how to do something when they ask. It’s another to tell them to do. (I’ve already added this link to the top of the VPN doc so that people can make informed decisions for themselves.)

  • These FAQ entries should not be taken to imply anything about the relationship between the Qubes and Whonix projects beyond what they say, namely that Whonix is integrated into Qubes, and Whonix specializes in providing advanced privacy features that other templates (e.g., Fedora and Debian) do not.

No worries! Especially since a reread shows I inadvertently left out a word - should have read “… entirely the user’s responsibility. …”. But even with that included there are still issues - isn’t wordsmithing fun?

I do think, though, that @unman’s comments remain valid. The reinvent Whonix paragraph reads too much like the Whonix way is TheOnlyWay™, and users shouldn’t do anything else…

Glad to help the creative juices…