I worked on this project and we've been quite concerned with this issue. I definitely hope people will come away with a clear sense of their risks and of what the tools do and don't do.
Regarding tracking mobile phones and privacy, there is some good info in these IRC logs related to multilateration and U-TDOA, showing that the precision of locating a mobile phone signal is comparable to that of GPS (given enough towers):
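To make the network-side measurement concrete, here is an added illustration of uplink TDOA multilateration. It is not from the IRC logs or the EFF guide: the tower layout, handset position and timing jitter are constructed for the example, and the solver is a hand-written Gauss-Newton least-squares fit (no third-party libraries). Note that nothing here requires cooperation from the handset; only tower-side timestamps of the same burst.

```python
"""Locating a handset from tower-side arrival-time differences (TDOA).

Added example, not from the IRC logs or the EFF guide. Each tower timestamps
the same uplink burst; the differences in arrival time pin down the handset's
position with no help from the handset. Positions are 2-D metres in a local
frame, constructed for the example; the solver is a small Gauss-Newton
least-squares fit written out by hand to stay dependency-free.
"""
import math
import random
from typing import List, Sequence, Tuple

C = 299_792_458.0  # speed of light, m/s

Point = Tuple[float, float]


def tdoa_measurements(towers: Sequence[Point], handset: Point,
                      timing_jitter_s: float = 0.0, seed: int = 0) -> List[float]:
    """Arrival-time differences of each tower relative to tower 0, in seconds.
    timing_jitter_s models per-tower clock/measurement error (1-sigma)."""
    rng = random.Random(seed)
    toa = [math.dist(t, handset) / C + rng.gauss(0.0, timing_jitter_s) for t in towers]
    return [t - toa[0] for t in toa[1:]]


def locate(towers: Sequence[Point], tdoas: Sequence[float],
           guess: Point, iters: int = 30) -> Point:
    """Gauss-Newton fit of (x, y) to range differences d_i - d_0 = c * tdoa_i."""
    x, y = guess
    rho = [C * t for t in tdoas]  # time differences converted to metres
    for _ in range(iters):
        d = [math.dist(t, (x, y)) for t in towers]
        res, jac = [], []
        for i in range(1, len(towers)):
            res.append((d[i] - d[0]) - rho[i - 1])
            # partial derivatives of (d_i - d_0) with respect to x and y
            jac.append((
                (x - towers[i][0]) / d[i] - (x - towers[0][0]) / d[0],
                (y - towers[i][1]) / d[i] - (y - towers[0][1]) / d[0],
            ))
        # Solve the 2x2 normal equations (J^T J) delta = -J^T r by hand.
        a = sum(jx * jx for jx, _ in jac)
        b = sum(jx * jy for jx, jy in jac)
        c = sum(jy * jy for _, jy in jac)
        gx = sum(jx * r for (jx, _), r in zip(jac, res))
        gy = sum(jy * r for (_, jy), r in zip(jac, res))
        det = a * c - b * b
        if abs(det) < 1e-12:  # degenerate geometry, e.g. collinear towers
            break
        dx = -(c * gx - b * gy) / det
        dy = -(a * gy - b * gx) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-4:
            break
    return x, y


def demo() -> dict:
    """Constructed scenario: five towers around a cell a few km across.
    Returns the position error in metres with ideal and with jittery timing."""
    towers = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0),
              (3000.0, 3000.0), (1500.0, 4200.0)]
    handset = (1100.0, 1700.0)
    guess = (sum(t[0] for t in towers) / 5, sum(t[1] for t in towers) / 5)
    out = {}
    for label, jitter in (("ideal", 0.0), ("100ns_jitter", 100e-9)):
        est = locate(towers, tdoa_measurements(towers, handset, jitter), guess)
        out[label] = math.dist(est, handset)
    return out


if __name__ == "__main__":
    for label, err in demo().items():
        print(f"{label}: position error {err:.1f} m")
```

With exact timestamps the fit recovers the handset position to well under a metre; 100 ns of per-tower timing jitter corresponds to about 30 m of ranging error and the fix degrades to tens of metres, which is the GPS-class precision the comment refers to. Adding towers improves the geometry and averages out the jitter.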
It's a curious set of things you've chosen to communicate to users about the security of mobile phones. For instance, it's important to your page to tell users that phones make it harder to "replace the operating system". That's true, but from the vantage point of security, operating system replacements are mostly a tool for attackers, not defenders.
If you are defending against somebody capturing your credit card number when you buy something online, replacing the OS is mainly done by the attacker.
If you are defending against an NSA-like agency flagging political discourse and discovering you and your friends, the most usual method for defending against those starts by replacing your OS.
It might be more accurate, though confusing for lay readers, to explain that replacing the operating system can both increase (by keeping more up to date than official updates might allow) and decrease (by deactivating security features that also prevent rooting) your security, even for a single given threat model.
I wrote most of this section
https://ssd.eff.org/en/module/problem-mobile-phones
which is about threats and risks which in many cases we don't have good ways to mitigate, and I tried to be fairly thorough. For example, we don't have an unambiguously good and convenient way to mitigate handset location tracking, burner phone detection, or compromise of baseband processors. So I hope people will read those parts too and get a sense of perspective!
I also tried to make sure that the sections about PGP mention unprotected metadata, unprotected subject lines, and the lack of forward secrecy (compromising your private key will let someone go back and read your old messages). The PGP sections still need another editing pass to unify the content better across platforms, but a lot of those risks do get mentioned somewhere.
If you can think of other analogous sections we should write about risks that are hard to mitigate, I'm glad to write them! And if you can find things in the existing document that you feel give people a false sense of security, please let us know and we can try to fix them.
I realize that there's a pretty serious risk that any security guide will make people feel like they "did the right thing" and are communicating safely, then still get compromised. We are always struggling with the pull of "privacy nihilism" that would lead people to simply use plaintext communications over the Internet and GSM network because there are (for example) vulnerabilities in their OS or baseband, or because most encryption tools don't protect metadata. It's challenging to know what to say about risk when surveillance is a multi-billion-dollar industry and a lot of very smart people have made an entire career out of it.
One point of view is that a lot of the mitigations really need to come from the platform developers, so desktop and mobile OSes need to ship with more crypto out of the box, turned on by default, in the default communication tools, etc., and hire a lot more vulnerability researchers. If you favor that point of view, I definitely encourage you to try to push things along from that direction too!
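The forward-secrecy point raised above (a compromised private key lets someone read old messages) is easy to see in code. The following is an added example, not code from the EFF guide or from anyone in this thread. It uses a toy Diffie-Hellman group (a 127-bit Mersenne prime chosen for readability, not security) and a SHA-256 keystream as a stand-in cipher; the message, names and function layout are all constructed for the illustration. It contrasts encrypting to a long-term public key, which is the shape of an OpenPGP message, with a session keyed by two one-time DH values.

```python
"""Why encrypting to a long-term key (the OpenPGP shape) lacks forward secrecy.

Added example, not code from the EFF guide or from this thread. Toy DH group
and toy cipher: they show the key-compromise property, nothing more. The
attacker in both scenarios holds a recording of the traffic plus the
recipient's long-term private key, obtained later.
"""
import hashlib
import secrets
from typing import Dict, List, Optional

P = (1 << 127) - 1  # toy prime; real systems use vetted groups or X25519
G = 5


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret: int) -> bytes:
    """Hash the DH output down to a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (self-inverse)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pgp_style_encrypt(recipient_long_term_pub: int, plaintext: bytes) -> Dict:
    """Encrypt to a long-term key: the sender's one-time value is combined with
    the recipient's permanent key, so that permanent key alone unlocks it."""
    e, ge = keygen()
    key = derive_key(pow(recipient_long_term_pub, e, P))
    return {"sender_eph_pub": ge, "ct": xor_stream(key, plaintext)}


def pgp_style_attacker(recorded: Dict, stolen_long_term_priv: int) -> bytes:
    """Recorded traffic plus a later-stolen long-term key yields every old message."""
    key = derive_key(pow(recorded["sender_eph_pub"], stolen_long_term_priv, P))
    return xor_stream(key, recorded["ct"])


def ephemeral_dh_session(plaintext: bytes) -> Dict:
    """Both parties contribute one-time keys and discard the private halves.
    Authentication of the exchange (which real protocols add using the
    long-term keys) is omitted: it does not enter the session key."""
    a, ga = keygen()
    b, gb = keygen()
    key = derive_key(pow(gb, a, P))
    assert key == derive_key(pow(ga, b, P))  # both sides compute the same key
    del a, b  # ephemeral private values never persist
    return {"alice_eph_pub": ga, "bob_eph_pub": gb, "ct": xor_stream(key, plaintext)}


def ephemeral_dh_attacker(recorded: Dict,
                          stolen_long_term_privs: List[int]) -> Optional[bytes]:
    """The stolen long-term keys never entered the key derivation, so there is
    nothing to decrypt with. Recovering g^ab from g^a and g^b is the DH problem;
    attacking this toy-sized group directly is outside the key-compromise
    threat being illustrated, so the attacker simply fails."""
    return None


def demo() -> Dict:
    bob_priv, bob_pub = keygen()
    msg = b"meet at the usual place, 19:00"  # constructed sample message
    old_pgp_msg = ephemeral = None
    old_pgp_msg = pgp_style_encrypt(bob_pub, msg)
    old_fs_msg = ephemeral_dh_session(msg)
    # ...years later Bob's long-term private key is extracted from a seized device.
    return {
        "pgp_recovered": pgp_style_attacker(old_pgp_msg, bob_priv),
        "fs_recovered": ephemeral_dh_attacker(old_fs_msg, [bob_priv]),
    }


if __name__ == "__main__":
    result = demo()
    print("PGP-style message after key compromise:", result["pgp_recovered"])
    print("Ephemeral-DH session after key compromise:", result["fs_recovered"])
```

The practical consequence is the one the guide should make explicit: with PGP, every message ever sent to a key is only as safe as that key is for the rest of its life, whereas a protocol that keys each session from ephemeral values limits a later key theft to impersonation going forward, not decryption going backward.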