The Qubes OS Privacy Question

A long-time debate, split across many topics and never ending, is the big question of whether Qubes OS is only about security or about both security and privacy. I will summarize in short what has been said and point at some facts. Then I will bring a completely new perspective into all of this which will blow your minds away.

The anti-privacy people point to sections of the Qubes OS website which say it’s an OS for security. The privacy people point to sections of the website which say it’s for both security and privacy. Two such sections are:

  1. On the home page, there is a heading that says “what’s in qubes?” with a subheading saying “Serious Privacy”.
  2. On the Donate page it says “Qubes OS is a free and open source operating system that focuses on security and privacy.”

And then we have the famous legendary Edward Snowden, known by everyone to have risked everything to leak the mass surveillance crimes NSA is doing. Edward Snowden is an icon for privacy and security and neutrality. If Qubes OS is not about privacy, then why have Edward Snowden on the homepage?

Clearly, there are two factions in the Qubes OS community. Anti-privacy faction vs the Security and Privacy faction. Or should we say institutions vs the people? Why would I say that? If you look at the team page, you can see almost everyone in the team has an invisiblethingslab email address. Does that mean they all work for ITL? ITL is a security research company offering their services to corporations. They help corporations to use Qubes OS.

On the partners page it says:

ITL has supported Qubes OS development from the beginning of the project in 2010 to the present. The company’s primary source of revenue is security research and development.

How much influence has ITL had on the development of Qubes OS? They are a security focused company and they don’t care about privacy.

Is Qubes OS built for institutions or for the people? ITL say they try to help corporations to make use of Qubes OS. The community members who think Qubes OS should be both security and privacy say it should be for the people, but as for the people who say it should only be for security, their answers about who the target audience is are not so clear.

How centralized is Qubes OS? How does someone become a team member? Do you have to work for ITL? How many of the team members work for ITL? Why are community contributions seen as second class citizens when it comes to trust? The docs from my perspective seem to give a bit of a warning whenever something is not from the team, but is a community contribution.

I hope my fears are wrong that Qubes OS is strongly controlled by ITL, and ITL is a for profit company working for institutions, helping them to improve their security by using Qubes OS.

It also makes me wonder if ITL might have been the ones who introduced Mullvad to Qubes OS and helped them start using it to improve the security of the Mullvad developers. Mullvad is of course a company that loves privacy and supports it, but in this case, they might not care about privacy when it comes to Qubes OS because for them it seems like an opsec tool for the development and maintenance of Mullvad.

I stopped reading here. It doesn’t seem to be a summary but a simplification; the reality is not just about privacy vs. anti-privacy…

2 Likes

It would have been better, at least, to label that side “security only” and perhaps more accurately, “security primarily.”

Because “anti privacy” implies they are willing to do things to wreck privacy, whereas their real attitude is more like, “Sure Qubes helps with privacy but that’s a happy side-effect of the security; it’s not our primary goal.”

1 Like

The main problem with the whole debate lies in the ambiguous concept of privacy.[1] In any case, it seems at least problematic (if not outright wrong) to assume that privacy necessarily means complete anonymity. I do not want to go into the question of whether there can be such a thing as anonymity in the strict sense on the internet - especially in the context of social platforms or web forums.

However, if one understands privacy as the mere possibility of being able to decide for oneself who receives which personal data, Qubes (even without Whonix) offers some means of creating something like information “domains” with different pseudonyms and accounts in different VMs, each with its own application instances. In addition, profiling can be made more difficult by disposables and the necessary deletion of browser data.
If you are prepared to accept that Qubes provides Whonix[2], you can even achieve a certain degree of anonymization in transit.[3] None of this is “unhackable”. Just as little as Qubes itself. But it increases the effort for attackers considerably.

I can certainly understand that not everyone is satisfied with these measures. But to conclude from this that the Qubes project makes false promises or at least actively raises false expectations is … how should I put it? … outrageous. Compared to current “industry standards” (coughing my latte through the nostrils while writing this), everything that Qubes offers is already “Mission Impossible” level.

Without wishing to appear rude, I would like to express that the supposed problem is based on a misguided expectation to the same extent that Qubes does not implement enough privacy concepts.


  1. Right to Privacy, a Complicated Concept to Review (Ali Alibeigi / Abu Bakar Munir / Md Ershadul Karim) – https://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=6272&context=libphilprac (PDF)

  2. Tips on Remaining Anonymous (Whonix project)

  3. What attacks remain against onion routing? (Tor Project)

7 Likes

You’re missing the biggest piece of evidence of all: Whonix!

Whonix is arguably the most privacy-centric OS in existence today, and it’s integrated into Qubes OS, which requires a huge amount of (ongoing) work from both the Whonix and Qubes developers. There would be absolutely no way to justify this if the Qubes devs were “anti-privacy” or even uncaring about privacy.

Is there any persuasive evidence that an “anti-privacy faction” really exists?

Most but not all.

Qubes OS wouldn’t exist at all if it weren’t for ITL. That’s like asking how much influence a parent has had over her child. ITL is basically just a small group of devs who are mostly the same devs who created Qubes OS. It’s not some big corporation.

That’s like saying, “His mother works as a math teacher, so she only cares about logic and numbers, not about emotions,” the implication being that she must not be a good mother. Just because ITL is a security-focused company doesn’t mean that the devs don’t care about privacy when developing Qubes OS.

For the people, but ongoing development requires money, and helping institutions use it seems like a good way to keep the open-source project alive.

To join the core team, one has to be approved/hired by the project lead (which is @marmarek).

No, there are several core team members who don’t.

They’re not. The project welcomes community contributions. The core team regularly collaborates with community contributors to fix bugs and add features in Qubes OS and other aspects of the project, such as the website and documentation. However, the project takes a “trust, but verify” approach to all contributions, because bad actors could pretend to be upstanding community contributors in order to subvert the project or attack Qubes users in some way, e.g., by attempting to insert malicious code into Qubes OS.

This is because the core team hasn’t had a chance to review external docs for accuracy and safety. It’s to avoid the sort of situation where, for example, a well-meaning community member writes some external documentation containing instructions that accidentally open a security vulnerability, and a link to this external doc is added to the official Qubes documentation. Without a warning, some users might follow the link to the external doc, not realizing they’ve left the official documentation. They might then follow the instructions in the external doc, open a security vulnerability in their systems, and blame Qubes OS or the project.

4 Likes

Thank you ADW for your reply. It answers a lot of things I was wondering about. I’m fairly new to Qubes OS so you can also take this topic as feedback on what a new user’s perspective might be. I suggest being more up front with this information and adding it to the website.

So, who is the person who decides if Qubes OS is security only or security and privacy? Who decides that? Is it ITL? Is it a vote from all team members? Is it Marmarek the project lead? Do community contributors get votes? How does someone get a vote? And if it is only the project lead who makes this decision, I wonder how such a decision is made. Does it matter what the community is saying here on the forum?

ITL is very talented at security and ADW’s informative reply makes ITL sound even better; I didn’t know anything about ITL before. So I’m happy they are contributing their expertise to Qubes OS, but I just don’t like the idea that Qubes OS is basically their product. I understand from your reply that Qubes OS wouldn’t exist without them, but we should plan for the future. I prefer when the people are in charge, not just 1 person who decides everything in their own personal interest. It would be great if there were several companies/organisations involved in development of Qubes OS. Maybe another group of developers who are more focused on privacy, but for that to be possible we need Qubes OS to be both security and privacy, not only security.

I think that’s a bit of a semantic and subjective argument. From my perspective if someone says “security and privacy” and then you say “no, only security” that means “no privacy”. But like I said, it’s debatable semantics so let’s not get stuck on that. But I admit I am biased when choosing some of the wording.

I just want a topic where we can have this privacy and security vs only security debate. The community is clearly divided on whether Qubes OS is only security or security and privacy. It doesn’t seem right that the community is divided. What Qubes OS is about should be clear without confusion. And the website for Qubes OS gives conflicting statements where it sometimes sounds like it’s only security, and sometimes it says it’s both security and privacy.

You do know that you too can spare a dime just like these aforementioned companies/organisations, don’t you?

1 Like

Glad I could help. 🙂

There’s a (just now reopened) issue about this:

Well, it’s not like this is a formal government with bylaws or a constitution, so there’s no definitive answer to your question. In theory, the project lead could decide one thing, but if all the other devs, contributors, and users disagreed strongly enough, they could all leave (and potentially fork the project), so it’s not as though he has unlimited power. Everyone has some degree of influence.

I think it absolutely does matter what the community is saying here on the forum, because if members of the community present strong arguments, they could convince the devs that some course of action is or is not a good idea, for example.

I wouldn’t say that Qubes OS is ITL’s product. It’s more like ITL’s (or, more specially, the devs’) passion. ITL does other work in order to keep Qubes OS alive.

Also, it’s more than just “contributing their expertise,” because they created Qubes OS from nothing and have kept it alive ever since.

First of all, it is not the case that one person is deciding everything in their own personal interest. FWIW, the CEO of ITL is not the same person as the project lead of the open-source Qubes OS Project, and I have not seen any evidence of either of them (or anyone else on either team, for that matter) putting their own personal interest ahead of either the Qubes OS Project or ITL.

Second, what exactly do you mean by “the people [being] in charge”? Like a democracy? A worker collective? This is a complex and thorny issue that depends heavily on one’s political views. For example, capitalists and socialists will have very different opinions about the best way to operate a company, and this forum is not an appropriate venue for such political debates.

However, what we can say is that the Qubes OS Project is a small, largely informal open-source software project with a loose collection of devs and other contributors in a mostly flat hierarchy. Compared to the most popular operating systems, it’s arguably already a good example of a project where “the people” are in charge.

You might think it would be better if decisions about Qubes OS were made by user vote, but security is a complex topic that many people get wrong. The devs receive many suggestions and requests that sound good at first but that, upon closer examination, would weaken the security of Qubes OS, sometimes in subtle and counterintuitive ways. The devs have decades of formal education and real-world technical experience not only in building secure computing systems from the ground up, but, even more importantly, in breaking systems that were supposed to be secure. For example, they’re world-class experts in extremely technical areas like x86 virtualization, kernel exploitation, advanced rootkits, hypervisor attacks, firmware vulnerabilities, and many more. As Bruce Schneier said:

Anyone can invent a security system that he himself cannot break. I’ve said this so often that Cory Doctorow has named it “Schneier’s Law”: When someone hands you a security system and says, “I believe this is secure,” the first thing you have to ask is, “Who the hell are you?” Show me what you’ve broken to demonstrate that your assertion of the system’s security means something.

You want the people who are the best at breaking secure systems to be the ones building your secure system, which is why the ITL devs are so effective. Turning decision-making over to a user vote would very likely weaken the security of Qubes OS (not to mention that bad actors could then launch a Sybil attack to fabricate a bunch of votes in favor of intentionally weakening the system so it’s easier for them to attack).

I’m inclined to agree. FWIW, we do already have a little bit of that with 3mdeb (example) and tabit-pro (example), but I can see the value in there being more.

Well, we already have a form of that with the Whonix team working on Whonix, which is then integrated into Qubes OS.

You should open an issue for this to be fixed/improved and maybe even consider submitting a pull request yourself.

4 Likes

So far, I have seen 2 dirty words on this forum:

  1. reasonable
  2. trust

It seems ‘privacy’ is another candidate.

Clearly, there are two factions in the Qubes OS community. Anti-privacy faction vs the Security and Privacy faction.

I haven’t seen a single community member who is against privacy. There are just people with different levels and depths of understanding of what privacy is, what anonymity is, how they differ, how that affects their own life, how all that relates to security etc.

That doesn’t mean there aren’t things which can be improved.

ITL has supported Qubes OS development from the beginning of the project in 2010 to the present. The company’s primary source of revenue is security research and development.

And that’s somewhat better than an OS developed e.g. by a grocery store, don’t you think?

How much influence has ITL had on the development of Qubes OS? They are a security focused company and they don’t care about privacy.

Just like I mentioned in another thread, the particular way you state certain things is problematic.

I hope my fears are wrong that Qubes OS is strongly controlled by ITL, and ITL is a for profit company working for institutions, helping them to improve their security by using Qubes OS.

Don’t worry. “By 2030 you’ll own nothing and be happy.”

1 Like

I think the problem for me and probably for some amount of other people learning about Qubes OS is we don’t know the history of the dev team (and ITL); we’re not familiar with who they are. That makes it a bit uncomfortable having trust centralized in one company. But ADW’s replies were great and help a lot with that.

One of the big issues I had in mind when creating this topic is that almost every time someone discusses privacy improvements of some kind, there are always people arguing against it and it always comes back to the same arguments about whether Qubes OS is only security vs security and privacy. I was hoping we could somehow solve those circular arguments that never end, because they slow down constructive debates around privacy improvements. That is at least my experience so far.

The problem is GitHub is bad for privacy, so for people like me who care about that it’s a deterrent from contributing. We have a topic that discusses that problem. Contributing on GitHub requires JS and that creates challenges and some are discouraged - #177 by qubist

I don’t see how your question is relevant or what the point of the question is.

1 Like

I think the original post was poorly stated - there are no factions as
described: no pro-privacy and anti-privacy groups. There is a wide
spectrum of understanding about what “privacy” means, and what measures
can be taken to mitigate threats to privacy.
If someone tells me they are in favor of privacy, so far they have told
me nothing. Like being told someone is in favor of Free Speech.
What matters is what they do.
Attempting to shoehorn this into a binary divide is not helpful.

Qubes has always provided tools that enhance a user’s ability to keep
data out of the public domain, should they wish to do so. Whonix claims
to deliver maximum anonymity and security, and is integrated into
Qubes. The combination probably provides reasonable anonymity and
security.

It’s worth pointing out, yet again, that only about 15% of Qubes users
are Tor users - so a lesser number are Whonix users. (Based on the only
metric we have.) Does this mean the remainder do not care about
“privacy”? They may be using other methods to secure their private data.

The devs will always listen to the community. The resurgence of the Qube
Manager is an example of this, but you need only look at issues and
enhancement requests to see the process at work.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes

I think the problem for me and probably for some amount of other people learning about Qubes OS is we don’t know the history of the dev team (and ITL); we’re not familiar with who they are.

One of the big issues I had in mind when creating this topic is that almost every time someone discusses privacy improvements of some kind, there are always people arguing against it and it always comes back to the same arguments about whether Qubes OS is only security vs security and privacy.

Quite right. There are certain contradictions related to Qubes OS which I have tried to get clarity about. Unfortunately, repetition of established patterns and the tolerance of off-topic noise make actual reasoning practically impossible.

I was hoping we could somehow solve those circular arguments that never end, because they slow down constructive debates around privacy improvements.

Unlikely.

Privacy does not mean any level of anonymity, it’s really that simple.

If you say, “I told Tom my address in private” it means you expect Tom not to share your address with others. It does not mean Tom doesn’t know your identity.

Sadly, some of the people most vocal about privacy seem to think privacy and anonymity are different words with the same meaning.

3 Likes

Please add, your anonymity, privacy, is dependent on Tom’s compute privacy, security, anonymity, and his not sending you some kind of malware, as well as having it.

Which includes anyone else who uses Tom’s computer, or is behind his modem or router connection. But what do I know?

1 Like

I tried to put it friendly 😉

3 Likes

Privacy does not mean any level of anonymity, it’s really that simple.

If someone’s identity is not to be revealed, then anonymity is part of privacy.

If you say, “I told Tom my address in private” it means you expect Tom not to share your address with others. It does not mean Tom doesn’t know your identity.

It doesn’t mean the opposite either.

“I told Tom my address” != “I told Tom who I was + my address”

“I told Tom my address in private” != “I told Tom my address in private + not to share it” != Tom will not share it under any circumstance

🙂

2 Likes

People who appreciate the security benefits but are actively anti-privacy don’t have a reason to avoid Qubes, so I’d assume that given they exist, they’re here.

Bigfoot is here!

1 Like

actively anti-privacy

What does this mean?

actively: doing something, so you might see some effects
anti: against
privacy: whatever definition you want to go with - it’s unlikely to affect “they don’t have a reason to avoid Qubes”

You were already using this concept.