September 5 2024 GM

From TCU Wiki

Is There HOPE for Phone Privacy? CalyxOS and Privacy-Focused FLOSS Phone Solutions

Glitter Meetups

Your phone: useful tool and trusted companion or sneaky spy spilling all the private details of your life? You decide! This presentation aims to shed light on the phone privacy threats that users face (like location tracking, insecure communications, and more) and how privacy-focused FOSS smartphone operating systems like CalyxOS can be the foundation of effective mitigation strategies to safeguard our mobile devices. In this meetup we will discuss the top threats to phone privacy and learn how CalyxOS’ “privacy-by-design” approach to digital security can help us better protect ourselves and our digital identities.

Chirayu Desai (he/him), CalyxOS Tech Lead, has been working on Android and open source software since 2012. He has worked on all things Android, from hardware-level code to various apps. He holds a Bachelor's degree in Computer Engineering and works remotely from Ahmedabad, India.

What is Glitter Meetup?

Glitter Meetup is the weekly town hall of the digital rights and Internet Freedom community at the IF Square on the TCU Mattermost, at 9am EDT / 1pm UTC. It is a text-based chat where digital rights defenders can share regional and project updates, expertise, ask questions, and connect with others from all over the world! Do you need an invite? Learn how to get one here.

Notes

Can you give us a brief overview of what Calyx is? As an organization and a FOSS tool, for those of us unfamiliar?

  • Calyx is a digital privacy organization. We do a bunch of things. In the US, we have a membership program wherein you can get a hotspot with unlimited data. We run a completely free and anonymous VPN service, called CalyxVPN. We also run a lot of Tor exits.
  • The project I work on is called CalyxOS - our Android custom ROM / distribution. It replaces the software that runs on your phone with something that's more privacy friendly, and includes a lot of other awesome open source privacy tools.
  • CalyxVPN is available for Android (any Android!) on F-Droid.

Is Calyx the OS that comes packaged in with Fairphone these days?

  • We'd certainly like that, but no, by default the Fairphone comes with their own Fairphone OS. However, you can easily install CalyxOS on it.
  • Fairphone is quite supportive of our efforts. They've sent some devices, and also helped us out in other ways. We have a communication channel with them which is very helpful!
  • We will be bringing a Fairphone (and some others) as demo devices to GG, if you're attending and would like to check it out!

So, CalyxOS is a mobile operating system developed by you all, that anyone can download on their phone? What makes it special?

  • Yes! Because Android is open source, we're able to take what Google has created, remove a lot of their tracking, and add in privacy friendly alternatives.
  • The way Android is designed, every single phone model needs a specific version, so we're only able to support a limited number of devices.
  • CalyxOS works on some Motorola devices, Google Pixels, Fairphones, Shiftphones. We're constantly working on adding more devices. The list is on our website, https://calyxos.org

And who should use this?

  • CalyxOS is designed for everyone! We want it to be user friendly enough for anyone to use it.
  • We do add certain features that would be more useful for certain people, such as journalists or at-risk people.

Is there an installation manual for people interested in exploring the OS? Is it hard to install this on a phone?

  • The installation procedure is on the website https://calyxos.org/install/
  • We also have a very active community who're always happy to help with any questions about installation and usage. https://calyxos.org/community/
  • We have a getting started guide at https://calyxos.org/start which gives an overview of the various things you can do with the OS
  • The installation procedure of CalyxOS involves tweaking a setting on the phone, and then running our flashing tool on your computer. We also have a new website which lets you directly do the entire install from your browser - no need to download anything, it guides you through the whole thing right from your browser.

Can certain apps also come pre-installed in CalyxOS? Can you tell us which?

  • We want to make it easy to have a good out of the box experience, so you don't have to figure out which privacy friendly app to use for weather or e-mail. It's all right there, but it's also optional and not forced on you. We want to provide better options, not mandate choices.
  • Some examples of the apps included are Tor browser, OONI Probe, RiseupVPN. The full list is at https://calyxos.org/docs/guide/apps/
  • We also built our own encrypted Backup application, so you can safeguard your data. It's included in most custom Android OSes out there so you can freely use it to switch phones as needed.

Are there any phone privacy threats you have come across, observed or identified that make using a privacy-by-design phone important for at-risk groups? Could you tell us how CalyxOS mitigates those?

  • A lot of our features are based on the privacy threats we've seen or read about. One example is a Bluetooth timeout feature. A lot of public places around us use Bluetooth beacons to track people through their phones. On CalyxOS, you can set Bluetooth to turn off automatically a certain time after it was last used.
  • Let's say you have your phone connected to your car via Bluetooth. Once you walk away from the car, and if you have the timeout set, it's going to know that the car disconnected and turn Bluetooth off automatically, thus preventing that tracking.
  • One of the features the team has been working on for some time is security levels for the phone. We have a lot of features like the above, and we realise that it can be a lot to configure. So we're going to add 3 levels that you can choose from while first setting up the device.
  • The safest level there disables things such as USB access, developer options and installation of unknown apps entirely. We've noticed that those are the most common vectors for malware or harmful threats to get onto your phone, and so we're building this feature to cut off their access entirely. There can still be more sophisticated methods, but this cuts off the most common and easiest vectors.
  • Another thing we're very proud of is supporting phones for longer than manufacturers do.
  • We're just about done providing updates for the Pixel 3, a phone that launched 6 years ago. Google stopped updating it 3 years ago, but we didn't. We try to keep it updated with security fixes as much as possible. It's not perfect, but it's better than not having any updates at all. Our goal is to extend the longevity of devices as much as possible, and not base it on some arbitrary timeline.
  • The CalyxOS team has put in so many great features with at-risk groups and digital privacy defenders in mind, like a panic button that allows for deletion of pre-selected apps (say, those you might not want LEOs or border crossing officials to see), a special firewall to prevent apps from accessing the internet without your OK, and more.
  • Security updates are very important in the cat and mouse game against threat actors, and we work really hard to ensure that those get out in a timely fashion to all of our devices.

Can people just buy a phone directly from you all with the OS installed?

Is CalyxOS just available in the US, or can people from elsewhere access it?

  • Everyone can access it. For example, if you download CalyxOS in Taiwan, the phone will still work.
  • In fact, we include a lot of apps out of the box to help with this, so even if you're in a place with internet censorship, our hope is that one of those tools can help get you online.

Are there plans at Calyx to extend the OS to other non-Android devices and laptops, to get the same privacy features?

  • Motorola, Fairphone, and Google Pixels (ironically Google's phones are the best to put a custom Android on). CalyxOS unfortunately is Android only. Our team has a lot of experience with it, and a lot of the work we do wouldn't apply in other devices, because of all the differences.

If I recommend CalyxOS to a non-technical human rights defender, is there someone or people who can support them in installing and maintaining it?

  • For troubleshooting and support, head directly to CalyxOS' community of programmers and users at https://calyxos.org/community where you can talk directly to @cde and @nickcalyx in real time here on Mattermost!