On Purism’s Marketing of the Librem 5

My impressions of the Librem 5 were picked up on the Purism subreddit, and from there a few other places, including Purism’s official community support forums. I was a bit surprised by the amount of interest (any) in my impressions, which were the first time I really sat down and looked at the phone after having casually used it for a week. There was some good discussion and healthy debate on Reddit, and some comments which inspired me to post a response. I want to take this opportunity to expound on the way the Librem 5 has been marketed, how this influenced my reviewing of the phone, and more generally my concerns with the way that Purism has been publishing what I believe to be misleading articles on their blog, capitalizing on consumer fear, and casting uncertainty and doubt, as a way of propping up the Librem 5 through generalities and incomplete truths.

Regarding the marketing of the Librem 5

Purism traded on its history producing hardware and earlier successful crowdfunding campaigns, while promising a phone that would be suitable not just for CTOs and developers, but for parents concerned about their children. They specifically refer to their intent to make a "mainstream" phone. The pre-order shop page following the successful crowdfunding phase promised several features and indicated that the purchaser should expect to receive the phone in April 2019. By September 2019, Purism announced that they would be releasing batches of various levels of completeness, culminating in "Evergreen"–they also added a version-2 called "Fir" which was generally not mentioned, other than on an FAQ.

Q: If I receive the Librem 5 from one of the first batches, will I have a fully functional phone?
A: Yes! Even the very earliest batches will be capable smartphone, including a modern web browser and core cell phone functionality.

Q: What is PureOS, exactly?
A: PureOS is a GNU/Linux-based operating system, which powers all of the privacy-focused laptops Purism ships. PureOS has been lovingly and painstakingly optimized for the touch screen of the Librem 5. PureOS is also Free Software Foundation endorsed.

Q: If I order today, what shipping batch will I be in and when will my Librem 5 arrive?
A: Orders placed today will likely fall in Batch Evergreen. Order now to secure your place in line–we are doing everything we can to process orders faster than the queue is filling up, and will continue in that effort.

"Core smartphone functionality" was earlier used to include things like eMail, messaging, and standard camera functionality in addition to voice calling, although the FAQ refers to "cell phone" rather than smartphone. Regardless, by the time Evergreen was shipping–the mainstream production and final v1 batch–all functionality should have been available, and the FAQ even refers to the process of porting PureOS to mobile in the present perfect, which would indicate that it has been completed. Several news posts on the Purism site through 2020–including the one announcing the delay to mid-August for Evergreen, as well as more recent Dogwood updates–did not indicate any unexpected issues with the software timeline. In February 2019, an entry even indicated that there would be a wider breadth of software available given the delays they were announcing then:

Finally, the extra time for Librem 5 hardware fabrication will benefit software advancements that continue without slowdown, such as quality testing, providing a greater number of default apps,… Based on our historic delivery on our promises, we feel more comfortable in advancing towards the delivery of the Librem 5 phone in the third quarter of 2019.

In the Evergreen eMail and blogs, reference was made repeatedly to shipping the Librem 5 mass production version.

Regarding Purism's Marketing on the Blog

In my response, I made assertions that Purism was being disingenuous and misleading, and I intend to explain more specifically what I meant and to what I was referencing with the various articles in the video. Some of the articles are misleading through implication and omission, such as suggesting that a user might be able to watch Netflix through the default Web browser. The more abhorrent pattern to which I take offense is the manner in which some of the articles appear to capitalize on a sensationalist headline or lead-in, describe the subject vaguely or fallaciously extend the concept beyond the referenced source, and then without adequate (or any) explanation state that the Librem 5 or Purism is the solution. With the Librem 5, there are two principal targets to which this is applied–the Android operating system generally (often by treating it as equivalent with Google) and Apple (sometimes simply because they are the other dominant player).

The most egregious example of this is the headline: "Android’s Secret Backdoor, and How Purism’s Business Model Avoids This Type of Threat". In that article, Purism references a New York Times article that describes the problem as certain manufacturers having installed additional malware not part of Android itself. In comparison, there is nothing that would prevent another manufacturer from deciding to install PureOS on its devices, but adding additional, potentially malicious, code. Beyond the third-party issues which the article discussed, even in the case of reproducible builds, who is to say that the code provided by Purism is the code that's shipped on the device?

Apple is a regular punching bag, most recently and ironically on the subject of advertiser ID which exists theoretically as an "anonymous identifier", but which can easily be disabled entirely, leaving iOS apps with no identifier to use. Moreover, Apple has stated they're going to make this the default behaviour. When Purism jumps on an article about Apple synchronizing messages across devices, it ignores how Apple says the feature works:

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

Theoretically, this could be tested by inserting yourself as a MITM, dumping the data and analyzing it; but that may prove inconclusive. In the end, you can either trust Apple is doing what they say or not trust them–but then you're in the same situation with Purism and LibremOne. Purism completely ignores what Apple says it's doing as part of a product feature, and which nobody has shown evidence isn't being handled securely, in the way they say; instead leaving out any reference to encryption and simply saying that Apple is sending user information into its cloud. A similarly misleading article, aimed at Apple, was about the San Bernardino iPhone:

We can use the only known legal precedent as an analogy. If you have a safe that requires a key to unlock it, a warrant is legally required to force the holder of that key to turn it over, thus gaining access to the contents of the safe. If, however, you have a combination safe, you can claim the 5th amendment, and no warrant, no court, can compel you to incriminate yourself, extracting the combination from your brain. That same logic can be applied to the Apple v FBI case. Apple has the key to your phone, by controlling the operating system. Apple can, at any time, circumvent the security features that are supposed to protect you by simply upgrading the operating system. … You don’t actually own your phone. If we truly owned our phones, court ordered warrants would be served directly to the owner of the phone. The warrants in the case of Apple v FBI were served to Apple, who actually has control of your phone.

Of course, in this situation, the legal owner of the device was dead, which is why the government was pursuing other potential options. That aside, there are factual errors in the statement, and a misunderstanding of the government's request. While there's an assumption that Apple could have modified the OS to allow a brute-force of the password, they claimed they couldn't–and in the current version of Apple's phone, the actual validation happened in baked hardware, which even they wouldn't have been able to bypass (unless they waited several years for a flaw to be discovered…). Ridiculously, Purism even holds up the fact that Apple is positioning its concern over user privacy in a negative manner.

Fortunately, not all of the articles are vacuous and misleading. A 2018 article, written by Purism's Chief Security Officer, acknowledges Apple's stance:

First, we’d like to applaud Apple for joining Purism and other companies in speaking out in favor of user privacy and against the unethical data collection practices that fund so many tech companies.

The article describes the difference between Purism and Apple's stances, and why Purism believes theirs is the right position for users without denigrating Apple in the process. Purism should be explaining why they feel their positions and their philosophy are beneficial, and providing clear differences between them and their competitors. Purism shouldn't be trying to play dirty marketing games, building nebulous feature charts without explaining what they mean and using straw men to defend their products. They should be showing why they're different, and why they're better; or why this time we don't need to worry about mobile Linux fragmenting.

Maybe they should just let Kyle Rankin be the only person with publishing access.