EARN IT Act threatens to END digital privacy, why is the FOSS world silent?

For instance, why doesn’t the Qubes OS website at least have a banner warning about it?

For those who don’t know, it’s a US anti-encryption bill that has potential to essentially end digital privacy as we know it by putting legal pressure on software and hardware vendors to implement backdoors like those proposed by Apple.

If it passes, PC manufacturers can quite possibly be forced to implement unremovable backdoors and maybe even remotely backport them to existing PCs via Intel ME, AMD PSP, and Microsoft Pluton…

The Senate Judiciary Committee has already voted to advance it, the only thing that can stop it now is overwhelming public pushback…

The FOSS community seriously needs to mount a SOPA-style campaign to raise awareness, but instead there’s a deafening silence…

1 Like

Welcome to the community @Boorooch. While the topic you raise is important, it is also technically off-topic in this forum.

We do have an “All around Qubes” category that is open to regular members of this forum and in there we do indeed discuss the EARN IT Act and many other topics that are of interest to Qubes OS users but not strictly specific to Qubes OS … which is the requirement to be on-topic in the rest of the forum.

The Qubes OS team has answered on similar occasions that if they would be compelled by law, they would rather stop Qubes OS development than comply. The core team developing Qubes OS is based mostly in Europe and wouldn’t be affected by US laws.

When it comes to ME and similar technologies you might want to look into me_cleaner, coreboot and Heads. Not a perfect answer but as good as it gets currently.

1 Like

We currently know the date, but the warning banners are only for messaging to your reps or sens.
Also, I have a blog:

Yes, but Qubes OS will lose most of its purpose (along with Tor, I2P, Monero, and all other privacy software), as people living in undemocratic countries who need it the most will no longer be able to find hardware without backdoors (see this article by EFF)…

When it comes to Qubes OS (Intel/AMD x86-64) there has been no such thing as “hardware without backdoors” for a very long time. Again: me_cleaner, coreboot, Heads is as good as it gets.

I am sure @adw saw your post and the core team is aware of EARN IT.

The way I see it (as just another community member), posting political/activist messages on the Qubes OS website would open a can of worms. Once one starts with it, by what criteria to choose? Would this distract from Qubes OS? These kinds of things are better left to organizations dedicated to such things like EFF in the US or the CCC in Germany/Europe.

2 Likes

As I understand it, the EARN IT Act targets the user data (e.g., texts, DMs, photos, emails) hosted by tech companies like Facebook, Apple, Amazon, and Google. In general, these companies decide whether to encrypt that user data, either server-side or by providing an end-to-end encrypted service to users. For example, when iPhone and iPad users upload their photos to iCloud, they’re encrypted server-side in iCloud, but Apple can still decrypt them, because Apple holds the decryption keys. By contrast, when two Signal users message each other, the messages are end-to-end encrypted, so the Signal Foundation can’t read them. The aim of the EARN IT Act seems to be to compel tech companies to scan user content and either report to or provide access to government and law enforcement entities. Since the content has to be decrypted in order to be scanned, this could prevent those companies from offering truly end-to-end encrypted services and could effectively serve as a back door to any server-side encryption.

How would this affect Qubes users? One of the tenets of the Qubes philosophy is to distrust the infrastructure. Following this principle means intentionally refraining from sharing valuable cleartext (i.e., unencrypted data) with the sorts of service providers the EARN IT Act targets. For example, a Qubes user might decide to have a Facebook account where she doesn’t consider any of the data shared with Facebook confidential. Perhaps it’s just to keep in touch with family members and old classmates and share the occasional cat meme. By contrast, when she wants to communicate confidentially, this user might use PGP-encrypted email with a local client. Similarly, while this user might upload her backups to Amazon or Google for cloud storage, she uses the Qubes backup tool to create encrypted backups so that she’s not relying solely on server-side encryption. Even if the EARN IT Act (or something like it) were to pass, the data that she considers confidential wouldn’t be affected, since she intentionally practices distrusting the infrastructure and uses Qubes to help her implement that strategy.

In other words, Qubes is designed to help people safeguard their privacy and security in a world where the EARN IT Act and similar legislation pass. After all, there are already totalitarian nations with similar or worse laws, and some citizens of those nations use Qubes to protect their digital lives.

It’s also important to remember that this is proposed legislation in only one country, albeit a huge one. As terrible as it would be if it were to pass, there would still be other countries where tech companies have the freedom to offer more trustworthy encryption services, and Qubes users would still have the tools they need to distrust the infrastructure. (I didn’t see much in the linked articles about hardware backdoors, but the principle applies there too: There would still be hardware produced in other countries that aren’t compelled by US law to insert backdoors. Granted, it would be a huge blow, since so much hardware production occurs in the US.)

I agree wholeheartedly. The Qubes OS Project is not itself an activist organization. (While our members, partners, and associates are free to be activists individually, none are required to be.) Our aim is to do one thing, and do it well: Develop and maintain a reasonably secure operating system.

This doesn’t mean we’d never take a public position on a policy issue. As an extreme example, we would likely take a public stance against a credible attempt to ban security-oriented operating systems like Qubes in a major democratic nation (and similarly for attempts to ban upstream software on which Qubes depends, like LUKS/dm-crypt and GPG). However, given our philosophy of intentionally distrusting the infrastructure, it’s not obvious that rallying to the defense of tech companies to encrypt user data (that we don’t really think should be in their hands in cleartext in the first place) is in our wheelhouse. Moreover, it’s a bit odd to think about our tiny project trying to stand between a multi-billion-dollar group of tech companies and the most powerful government in the world, like an ant between two tanks. At present, the Qubes OS Project is neither large nor powerful and does not wield great influence. As Sven pointed out, there are other organizations who are much better suited to this task (including the task of organizing many small open-source projects in mounting some sort of campaign).

I know that people can become quite passionate about their political beliefs. It is tempting to believe that one’s cause is right and just and that no sane, good person could oppose it. This often leads to using emotionally-charged, moralistic rhetoric in an attempt to persuade (or guilt) others (such as the Qubes OS Project or its team members) into supporting one’s cause (whether those members individually agree or not). However, it’s important to take a step back and recognize that, while using the project as a tool to further one’s political agenda might seem desirable when it’s a cause you support, that runs the risk of being short-sighted, because next time it could be a cause you oppose. Instead, I think a better use of that zeal is to aim to persuade your fellow Qubes users and community members. After all, the goal of getting the project to support one’s cause is to reach its users, but here we are on an open forum where anyone is free to speak to those users directly (in the correct section, in accordance with the Code of Conduct, and subject to moderator approval, of course).

2 Likes

Qubes should shut down and replace its website with a page telling people to look deep within themselves and find that, deep in their souls, they have always considered their local governments their gods.

Don’t believe me? Consider this. If people really didn’t want governments to be gods, they would fight like hell against the recent efforts to take away what little remains of their online privacy, such as the devastating anti-encryption laws that are currently being considered by the US and the EU. Privacy software such as Matrix, Signal, Tor, and, indeed, Qubes would warn users in every conceivable way, up to and including nag bars in actual apps. Banners would sprout all over the web, people would be protesting on the streets, much like they did in the fight against SOPA and the loss of Net Neutrality. But none of that is happening. Even conspiracy theorists are strangely silent…

(Alternatively, you can put up banners condemning these proposed laws. Just a thought.)

1 Like

Hum. I think this is quite off-topic from Qubes so I moved it here. However the user can’t view it as they’re TL0. Messaged user notifying of this.

1 Like

This is clearly off-topic here. Maybe website feedback. But definitely not All around Qubes. Thank you @adw for quick action.

OP already started a previous thread about this here: