Adding kill switches to protect your privacy is not as simple as you might think

The use of modern electronic devices such as laptops, tablets, smart phones, smart watches, smart speakers and autonomous vehicles are a growing threat to people’s privacy and security because these devices not only have the ability to collect massive amounts of very personal data, but they rely on a whole host of services from companies such as Google, Amazon, Facebook, Twitter, Microsoft, Tencent, Alibaba and Yandex which mine that personal data for profit, or companies like Samsung, Apple or Tesla, which are collecting that data to better train their AIs.

Governmental agencies like the US’s National Security Agency (NSA), Britain’s Government Communication Headquarters (GCHQ), China’s Ministry of Public Security and India’s Central Monitoring System (CMS) love to get their hands on this information, as was shown by Edward Snowden’s revelations. The “five eyes” nations, which include the US, Canada, UK, Australia and New Zealand, agreed in August 2018 to establish a mutual framework for dealing with the fact that the internet is “growing dark” because so much much of its traffic is being encrypted. As part of this framework, Australia passed an Assistance and Access Bill in December 2018, requiring tech companies to provide the government access to communication services under a warrant. The other “five eye” nations probably decided that they would face too much of a public backlash if they tried to pass similar laws, so instead they convened a two day meeting with Facebook, Google, Microsoft, Roblox, Snap and Twitter in late July to pressure them to provide back doors to their encrypted messaging services.

Many electronic devices have settings in the software to turn off components such as cameras, microphones, cellular modems, Wi-Fi, Bluetooth, NFC, GNSS, proximity sensors, ambient light sensors, gyrometers, accelerometers and magnetometers that can be used to spy on people, but a spate of recent scandals have shown that people can’t trust the software running on their devices. When Airplane Mode is activated in Android, a Fox News report in November 2018 found that Google was still collecting geolocation data and sending it on their servers once a Wi-Fi connection was reestablished. A bug discovered in January 2018 in Apple’s Facetime allows a caller to hear audio from the person being called before they accept or reject the call. This is not a new problem. Edward Snowden revealed in 2014 that the NSA had developed software that pretends to turn off the phone, but it remains on and continues transmitting data to NSA servers. Back in 2006, it was reported that the FBI uses software that remotely activates the microphone to spy on suspects and places a phone call to the FBI without the suspect knowing.

Since software settings can easily changed, only physical switches to turn on and off components can be completely trusted to prevent data collection. Larry Sanger, the co-founder of Wikipedia, wrote a recent blog post arguing that “vendors must start adding physical on/off switches to devices that can spy on us.” I fully agree with Sanger on the moral imperative to protect people’s privacy and respect their digital rights, which is why I preordered Purism’s Librem 5 to help finance the production of a Linux phone that will have 3 hardware kill switches that are capable of cutting the electrical circuits to all sensors on the phone.

Librem5_render_shell-l5-1

Render of the future Purism Librem 5 phone with 3 hardware kill switches on the left side to turn off the microphone/camera, Wi-Fi/Bluetooth and cellular baseband, respectively, or all sensors on the phone when all 3 are switched off. Source: Purism

Most people assume that it would be easy to add physical switches that turn off components on their electronic devices so they won’t collect their personal data. Unfortunately, the problem is much harder than most people assume. Adding physical switches imposes extra costs and adds extra engineering. In some cases, the ability to cut the electrical circuits to components will significantly change the weight, size and ergonomics of devices.

The cheapest way to implement an on/off switch for a camera is to add a little plastic cover that slides over the lens of the camera. With its 2018 lineup of Thinkpads, Lenovo introduced the “ThinkShutter” that the user can slide to cover the webcam in the X280, X1 Carbon, X1 Yoga, T480, T480s, T580 and P52 models. This sliding cover for the webcam was made necessary because Thinkpads have introduced new eye-tracking software which many people consider to be too invasive of their privacy.

OLYMPUS DIGITAL CAMERA

ThinkShutter to cover the webcam on the Thinkpad P52. Source: Lenard Gunda

This solution works fairly well to stop light from reaching a webcam mounted in a laptop screen. However, it doesn’t work very well with cameras in tablets and smartphones, because the sliding cover can be opened or closed when those devices are pushed into or pulled out of tight pockets, purses, sleeves, etc. The plastic cover has to have a locking mechanism to hold it in the open or closed position. This means that some amount of physical force has to be applied to move the plastic cover. Lenovo found a solution to this problem by putting the cover slider on the edge of the Thinkpad X1 Yoga where it is less likely the slider will be accidentally opened or shut when shoved into a tight bag:

tp-x1-yoga-shutter

ThinkShutter on the edge of the X1 Yoga so it can be used in tablet mode. Source: ZDNet

However, adding a mechanical slider takes up quite a bit of space in the bezel, which might be acceptable in a 2-in-1 convertible like the X1 Yoga, but not in a tablet or smartphone, where the entire industry is trying to get rid of bezels. The camera lens is already the thickest part of mobile devices, and a plastic sliding cover will add another 1 mm to the thickness of the camera’s hump, which many manufacturers want to avoid for stylistic reasons.

In other words, plastic covers that slide over camera lens might be cheap to implement, but they won’t work well for smartphones and tablets. Covering a microphone also doesn’t work well because it only muffles it. To completely turn off a microphone, the electrical circuit to the microphone has to be cut, which means adding hardware kill switches to the circuit board.

Purism was the first company to add hardware kill switches to laptops, starting with its Librem 15 v1 which was released in June 2015. The Librem 13 and 15 laptops have two switches to kill the power to the camera/microphone and Wi-Fi/Bluetooth.

Libem13_15_kill-switches-1024x432

Two hardware kill switches for the Wi-Fi/Bluetooth and camera/microphone in the Librem 13. Source: Purism

Only recently, however, have other PC companies started to follow Purism’s example. HP decided to compete with Lenovo’s ThinkShutter by adding a hardware kill switch to cut the power to the webcam in its Spectre x360 13 and 15 laptops, which were released in October 2018.

hp-spectre-x360-13-Webcam-kill-switch.png

The webcam kill switch in the Spectre x360 13. Source: CNet

Given the competitive nature of the laptop market, we are likely to see more laptops on the market with sliding covers and kill switches for the webcam in the near future, especially in high-end enterprise models, since industrial espionage is a growing security threat for businesses. Once a few enterprise laptop models appeared on the market with Trusted Platform Module (TPM) chips, all the other enterprise laptop makers quickly started adding the feature, and the same will probably start happening with webcam switches in the future.

What is interesting is that none of the major laptop makers have decided to include physical switches for the microphone, which represents just as large of a security threat as the webcam. My guess is that Lenovo looked at the cost of hardware kill switches and decided to go the cheaper route with sliding plastic covers, which don’t work with microphones. HP, however, could have included the microphone in its kill switch, but didn’t probably because the only other company offering it is Purism, a tiny San Francisco-based company that sells a couple thousand Linux laptops per year.

Not all the tech companies are unaware of the problem with microphones listening in on our conversations. Thinkpads have a setting in the BIOS to turn off the microphone. Apple announced in November 2018 that its new Macbook Air and Macbook Pro will disconnect the microphone when the lid of the lapbook is closed. Of course, almost nobody realized that it was possible for a Macbook to be listening when it was closed and supposedly sleeping, which raises questions for the other laptop makers about their devices.

The question is why did it take so long for the major laptop makers to start worrying about this issue, which has been a concern among users for many years. People have been putting tape over the webcam and microphone holes in their laptops for over a decade. The C-Slide webcam cover has been selling on Amazon since May 2011 and there are currently dozens of companies selling stickers and sliders to cover webcams as after-market parts.

C-Slide_webcam_cover

The C-Slide sliding webcam cover sells for $5.94 on Amazon.

The stories of webcams being abused to spy on people has appeared repeatedly in the news over the last decade. The story about how high school students in a Philadelphia suburb were putting tape over their webcams and suing their school district for spying on them made national news in 2010. The Blackshades remote administration tool (RAT) which allowed for remote spying over the webcam reportedly infected half a million computers. The arrest of 97 hackers in 19 different countries for using Blackshades was an international news story in 2014. In 2013, Ars Technica called webcam spying with a RAT the “revolver of the Internet’s Wild West.” In 2014, The Atlantic published an article entitled “The Webcam Hacking Epidemic” and proposed legal reforms to deal with the problem. The picture of Mark Zuckerberg’s laptop with tape over the webcam and microphone went viral on social media in June 2016.

The electronics industry has had plenty of signs over the last decade that consumers would like to be able to turn off components that can be used to spy on them, but they didn’t start acting until recently. At this point, none of the major laptop makers is offering hardware kill switches for all four of the critical components–microphone, webcam, Wi-Fi and Bluetooth–like Purism has been doing since 2015.

Among the major tech companies, only Google has arguably been on the ball regarding this issue. It introduced the Google Home smart speaker in November 2016 with a “Mute” button that cuts the circuit to the microphone. The microphone can be powered off with either a voice command or the Mute button, and can only be powered back on by pressing the Mute button again. Google will add a hardware kill switch to its upcoming Nest Home Max that not only cuts the power to the microphone and camera, but also adds an orange LED light and an onscreen indicator to let users visually verify that these components are shut off. However, it is hard to praise a company like Google for these actions when its whole business model is based on collecting user data to build personal profiles for targeted advertising. Google has been more aware of the problem than other companies, partly because it has helped create the problem by developing technologies like Google Assistant and Google Home that are constantly listening to our speech.

google-home-mic-upturn-counter-marine

The Mute button on the Google Home. Source: Android Central

Although the large tech companies have been largely oblivious to what Purism has been doing, the other Linux laptop companies have been watching Purism closely. Linux is a domain which attracts users who care passionately about security and personal privacy. When Purism announced on October 17, 2017 that all its laptops were being sold with Intel’s Management Engine disabled, it put pressure on the other Linux companies to follow suit. System76 announced a little over a month later on November 30 that its firmware update would also disable the ME, and Tuxedo Computers in Germany announced the same on March 14, 2018, and ThinkPenguin also started disabling it around the same time period.

Purism started hiring Coreboot developers in mid-2015 to work on porting Coreboot with the SeaBOOT payload to its laptops. Since mid-2017, Purism has been selling its Librem 13 v2 and 15 v3 with Coreboot, making it the first company to market a new x86 laptop with a mostly-free BIOS and a 100% free operating system.

Purism’s efforts to implement Coreboot in its laptops inspired the other Linux laptop makers to follow its example. People have been asking System76 to preinstall Coreboot since 2008 and even organized a petition for it in 2010. The Denver-based company, however, didn’t start working on it until after Purism started selling Coreboot machines, but now System76 is getting close to being able to run everything except its Thunderbolt ports on Coreboot. Slimbook announced in April 2019 that it “had heard the petitions” of its users and was starting work on migrating to Coreboot. Likewise, Tuxedo Computers recently announced that it had hired a Coreboot developer to work on migrating its laptops to Coreboot as well.

While the other Linux companies have followed Purism’s example in their software, very few Linux companies have any experience designing their own hardware. Adding electrical switches to cut circuits means that companies selling devices with hardware kill switches have to do custom circuit board design. If hardware kill switches were part of the standard reference designs put out by Intel and AMD for laptops, Qualcomm, Mediatek and UNISOC for phones, and Rockchip, Amlogic, Allwinner and nVidia for tablets, then this would not be that expensive. Unfortunately, the current situation is that device makers have to custom design the board to add electrical switches and custom design the case with holes for those switches. In addition, the switches which are moving parts have to be tested for failure over time.

This extra engineering for hardware kill switches is one of the reasons why Purism’s devices cost significantly more than its competitors. Almost every other company that sells new Linux laptops, namely System76, TUXEDO Computers, Slimbook, Think Penguin, StationX, Entroware and Juno Computers, take a base design from Clevo and slaps their logo on the top. Among the makers of new Linux laptops, only Purism, Star Labs and PINE64 custom design their own Linux hardware. Asking a boutique hardware seller to add hardware kill switches means that the seller needs to license the reference board design from Intel, AMD, Qualcomm, Mediatek, nVidia, etc, and then modify it, which means hiring engineers to do the work and finding their own board and case manufacturers in China.

Of course, the big electronics companies like Lenovo, Dell, HP, Samsung, LG, Huawei, etc. can easily make this happen, since they already design their own hardware or they can just tell the Taiwanese/Chinese ODMs to make it for them, but only recently have we seen much interest on their part in adding physical switches to their devices. Even companies like Apple which spend millions of dollars advertising about how they protect the privacy of users haven’t bothered to add switches which might disrupt its famous design aesthetic.

Another challenge is that software has to be modified, so that it can deal with the camera, microphone, Wi-Fi, Bluetooth, cellular baseband and GNSS suddenly being cut off and not communicating. Webcam software such as Cheese doesn’t know how to handle the webcam being turned on and off in the Librem 13/15. Cheese has to be restarted in order to detect that the webcam/microphone has been switched on.

Adding hardware kill switches to cameras, microphones and sensors isn’t that big of a change to the circuit board, since these are already separate components, so it is relatively easy to add new points on the board where the circuit can be cut. However, it is a huge engineering challenge to switch off the flow of electricity to the cellular baseband, GNSS, Wi-Fi and Bluetooth, because these components are usually built into the System on a Chip (SoC) in mobile devices. There is no way to cut the power to these components without shutting down the entire device. Of course, these components can be turned off using software in the SoC drivers, but then they can just as easily be turned on again in the software without the user knowing it.

Because these components are integrated into a single SoC, any component can potentially access the data of another component. Even though the cellular processor and application processor in mobile SoC’s are typically separate and they use separate cache memory, they both typically have access to the same RAM, so they can potentially access each other’s data. Even if the cellular baseband/GNSS and Wi-Fi/Bluetooth are placed on separate chips, they are typically connected via a PCIe bus which allows Direct Memory Access (DMA) to the RAM. Software running the CPU/GPU can potentially spy on the memory being used by the cellular baseband/GNSS and vice versa.

The only sure way to prevent components from being able to spy on other components within a device is to place the components on separate chips and to connect them via buses that don’t allow Direct Memory Access. Unfortunately, the majority of Wi-Fi/Bluetooth and cellular baseband/GNSS chips are directly integrated into the SoC or they are connected to the SoC via PCIe so they have DMA and can potentially be turned into spying devices. For this reason, the Librem 5 uses USB 2.0 over an M.2 connector to communicate with its cellular baseband, SDIO 2.0 to communicate with its Wi-Fi/Bluetooth and I2C to communicate with its GNSS, because none of these bus protocols allow DMA. In addition, it is easier to design hardware kill switches for these serial buses, because they have fewer wires to cut than in a PCI bus and they are better designed to deal with a loss in communication than a parallel bus like PCIe.

Using separate chips takes up a large amount of space on the circuit board and adds significantly to the total cost of a device. An integrated SoC is the most economical way to provide all the functionality found in today’s mobile devices. Qualcomm sells its Snapdragon mobile processor for an average price of $24 per chip, but the price ranges between $10 for the cheapest 400-series to $125 for its high-end 800-series. Lower-end manufacturers like Mediatek probably charge $8-$25 per SoC and UNISOC scrapes the bottom of the barrel at $6-$15 per SoC.

The Snapdragon 845 comes in a package size of 12.4 x 12.4 mm. In contrast, a separate cellular baseband chip is typically 29 x 33 x 2.5 mm in size and its costs over $30, because it contains a huge heat spreader and is only manufactured in small production runs due to the segmentation of cellular bands and limited demand. Nobody makes separate cellular baseband chips without the heat spreader, because these chips are typically mounted on a mini-PCIe or M.2 card, so they can’t use the same cooling mechanism as an SoC mounted on the motherboard.

Look at what Purism had to include in its Librem 5 with 3 hardware kill switches just to provide the same functionality as a typical mobile SoC like a Snapdragon:

  • NXP i.MX 8M Quad CPU/GPU, 17×17 mm, ~$20
  • Gemalto PLS8 cellular baseband, 29x33x2.2 mm or BroadMobi BM818, ~$35
  • STMicroelectronics Teseo-LIV3F GNSS, 9.7×10.1 mm, ~$10
  • Redpine Signals RS9116 Wi-Fi/Bluetooth, 9.1×9.8×1.2 mm, ~$10

In addition, the Librem 5 will need a separate TI TPS65983 USB 3.0 host/Power Delivery chip (6×6 mm) to provide fast charging, which is included in most of today’s mobile SoC’s. If Purism wants fast processing of audio and video, it will need to include a separate chip to match the digital signal processor (DSP) and/or image signal processor (ISP) found in Qualcomm’s Snapdragon, Mediatek’s Helios, Samsung’s Exynos, Huawei’s Kirin, Xiaomi’s Surge and Apple’s A-series, not to mention their neural/AI processors which are often employed in audiovisual processing. Plus, the Librem 5 will need to include a separate chip to convert the video to HDMI Alt Mode or DisplayPort Alt Mode, which is also included in today’s high-end mobile SoC’s.

The Librem 5 is probably going to consume more energy in order to operate all these separate chips compared to an integrated Snapdragon or Helios. It will need a large circuit board to hold all these extra chips, plus one side of the board will be occupied by 3 kill switches. Today’s smartphones have tiny circuit boards with cutouts for the thicker components such as the battery, camera, USB port and headphone jack, which allows for very thin cases. Look at how small the circuit board is for the Galaxy S10+ which is just 7.8 mm thick:

SamsungS10_SM-G975F_2E-Mainboard-Marked

Circuit board for the Samsung Galaxy S10+. Source: Tech Insights

This kind of tiny circuit board that occupies less than a fourth of the phone’s body is only possible with an integrated SoC that is 153.8 mm2 in its package size, whereas the chip packages to provide the same functionality in the Librem 5 will occupy 1453.7 mm2, which is 9.5 times larger. The Librem 5 needs a large circuit board to hold all these extra components, as is shown in a screen capture of its circuit board which takes up roughly 60% of the phone’s body in its recent reveal video:

Librem_5_image_with_diagram

To hold all these extra components, the Librem 5 will be roughly 14 mm thick, whereas today’s standard smartphone is around 8mm thick. Smartphones have gotten increasingly thinner over time, which runs counter to trying to sell a thicker phone with hardware kill switches. According to the gsmarena.com database, the percentage of new Android and Apple phone models that are 9 mm or thinner has increased from 15.5% in 2012 to 54.6% in 2015, and to 80.0% in 2018. There are only five smartphone models currently on the market with large touch screens that are as thick as the Librem 5, but they are all ruggedized models with huge batteries.

ThicknessOfSmartphones2012-2018

The Librem 5’s thick case is justified because it will be the first phone in the world with a replaceable cellular baseband and an M.2 slot to hold it, plus it will sport an openable case, a replaceable battery and a smart card reader to insert an OpenPGP card for an unalterable identity in secure communications. However, just adding hardware kill switches is likely to add at least 2 mm of extra thickness to a conventional smartphone, due to the giant cellular baseband package which is typically 2.5 mm thick and the large circuit board.

Purism’s CTO, Nicole Faerber, talks about the problem that the company had in designing the Librem 5 with such a large circuit board and the need for a large battery to power all those extra components. When asked on the Purism forum, “What is the intended battery’s capacity?,” she responded:

As big as possible :slight_smile:
The issue is that this will be a trade off between component sizes, overall device size and the battery size. The hardware designers are now working on two approaches and we need to see where they [e]nd up with.

How thick a device would you still accept? This is basically the biggest question here. Battery capacity is in direct proportion to its physical volume. The more capacity the more volume = space you need. Since we use modules for baseband and WiFi and these take up significant space and since we use the iMX8M which is not available as POP (package on package) our PCB will become pretty large. If you want to have the battery side by side with the PCB this leaves little room for the battery. That’s why are now looking into having the battery kind of sandwiched between display and PCB so that we have the full area for the battery. The capacity becomes a question of thickness only.

So how thick a device would be acceptable for you? 10mm? 11? 12? 15? 20?

Purism further complicated the design of the Librem 5 by selecting the i.MX 8M Quad with a 1.5GHz 4x Cortex-A53 CPU and 28nm node size, because it is the best SoC to run with 100% free software. No conventional phone maker would ever use such a large and energy-inefficient chip which isn’t optimized for cell phone usage. The i.MX 8M Quad’s CPU performance is comparable to a Snapdragon 425 released in Q3 2016 which costs roughly $10, but the Snapdragon 425 also includes a digital signal processor, image signal processor, fast charging, Wi-Fi, Bluetooth, GNSS and cellular baseband which the i.MX 8M Quad doesn’t provide. I guesstimate that it will cost Purism $80 in separate chips to provide the same functionality in the Librem 5 as a Snapdragon 425 that costs 1/8 of the price, plus another $25 in extra manufacturing costs for the large circuit board with 3 physical switches.

Part of that difference in price is the fact that component manufacturers can demand higher prices from Purism, because the company is buying its parts in small quantities and it isn’t a large, established phone maker that can negotiate the best prices. Furthermore, Purism requires hardware that runs 100% free software in U-Boot and the Linux kernel, which often means more work for the manufacturers since Purism won’t use their standard proprietary drivers. Purism reportedly worked with Redpine Signals so that its Wi-Fi/Bluetooth chip could be operated over USB without a binary blob, so Purism probably isn’t getting the best price for the wireless chip. The cellular modem in the Librem 5 is also probably expensive, because Gemalto charges extra for its specialized security components and Purism had to convince BroadMobi to mount its chip on an M.2 card.

A conventional smartphone with hardware kill switches that uses proprietary drivers has more options than the Librem 5 and can get better prices for its components. Plus, it can save on costs by not taking the extra step in the Librem 5 of using a separate GNSS chip. Nonetheless, I guesstimate that a big phone maker like Samsung or Huawei using three separate chips for the CPU/GPU, cellular baseband/GNSS and Wi-Fi/Bluetooth will pay 4 times as much for the same functionality as a low-end integrated SoC like the Snapdragon 429 and twice as much to match the functionality of a high-end integrated SoC like the Snapdragon 855. However, it is important to keep in mind that Purism’s decisions to use 100% free software and avoid the PCIe bus make a lot of sense from a security perspective, since it makes every bit of the code verifiable and auditable that can potentially access the memory. Companies which are truly serious about providing security and privacy will have to take similarly expensive steps like Purism is doing with the Librem 5.

How many people are willing to pay $699 for a privacy phone like the Librem 5? I preordered it, but I care passionately about digital rights, software freedom and planned obsolescence, so I’m not a typical consumer. The Librem 5 has a lot of extra costs to pay for 2.5 years of development, adapting GTK and GNOME libraries to work as a mobile operating system, small-scale, custom manufacturing, and its 100% free software requirement.

However, let’s assume that a more conventional boutique hardware company takes standard Android and adds three hardware kill switches for camera/microphone, Wi-Fi/Bluetooth and cellular baseband/GNSS. Just adding those three switches will roughly triple the cost of the chips on the board for the same performance, require a larger battery to compensate for the energy inefficiency to operate more chips, and a thicker case to hold those extra components. The company will have to convince consumers to pay at least $100 extra to cover the extra costs in a phone or tablet for those 3 hardware kill switches.

Given the high burden that hardware kill switches impose in terms of the costs, power consumption, size and weight in mobile devices, it is not surprising that no other maker of smartphones and tablets has attempted to design a device like the Librem 5. Nor are they likely to incorporate hardware kill switches into their designs in the near future, despite the fact that the Librem 5’s hardware kill switches has been attracting a lot of attention since its crowdfunding campaign was first announced two years ago in August 2017.

The only company which seems to be following Purism’s example is PINE64, whose upcoming PinePhone will have 4 hardware kill switches which can be accessed by taking off the back cover that can peel off using finger nail.” Given the fact that the PinePhone is only 9.2 mm thick, the kill switches in the PinePhone will probably be tiny DIP switches, so they won’t be suitable for daily usage like the kill switches in the Librem 5.

dipswitch

4 DIP switches on the Albatron KX400+ Pro Motherboard. Source: 3DVelocity

There is some hope, however, that the major hardware manufacturers will start incorporating hardware kill switches into laptops. Intel and AMD don’t make x86 processors with an integrated Wi-Fi, Bluetooth, cellular modem and GNSS like the mobile SoC’s, so laptop makers can add hardware switches more easily than mobile device makers. Rahul Tikoo, the vice president and general manager of commercial mobility products at Dell, recently told PC Magazine that privacy issues with the microphone is a “focus area” for its next-generation products. However, hardware kill switches for the Wi-Fi/Bluetooth don’t seem to be on any company’s radar at this point.

On the one hand, the electronics companies are finally being pushed to respond to the fact that the public is becoming increasingly alarmed by the privacy implications of surveillance Capitalism and the security risks of electronic devices that have become an intimate part of people’s daily lives. On the other hand, the dictates of modern electronics design do not provide much scope for optimism.

Thinkpad_L420_wireless_kill_switch

The wireless kill switch in the Thinkpad L420. Source: laptopmag.com

Laptops are becoming increasingly like mobile devices in their design, with most of the growth in the industry in thin-and-light and 2-in-1 models. Over the last decade, laptop makers have gotten rid of the indicator lights for wireless access, hard drive access and power. Many keys, such as Print Screen, Scroll Lock, System Request, Number Lock and Pause have disappeared. Function keys and the Page Up, Page Down, Home and End keys are no longer separate keys on most consumer-grade laptops. Wireless kill switches used to be a standard part of Thinkpads, but Lenovo removed them along with the 7-row keyboard in the xx30 models introduced in 2012, and Lenovo has stoutly refused to bring these beloved features back, despite the repeated pleas of its users. It is nearly impossible to find a single button or switch in today’s laptops which is not part of the keyboard, so it is hard to imagine the laptop industry reversing the prevailing trend and adding new switches to cases.

ChangesInThinkpadT4x0Series2007-19

Over the last 12 years, the weight of Thinkpad’s premium 14 inch widescreen series (T61 – T490) has reduced from 2.4 to 1.46 kg and the thickness reduced from 34.9 to 18.9 mm. In all likelihood, laptops will continue getting thinner and lighter, and they will shift over to mobile ARM processors with integrated Wi-Fi, Bluetooth, cellular baseband and GNSS, just like today’s smartphones and tablets. It is hard to imagine hardware kill switches being able to buck these trends in hardware design, but global sales of laptops peaked in 2011, and have been in steady decline ever since. New features, such as the switch from HDD to SSD, large multi-touch touchpads, higher resolution screens, touch screens, Thunderbolt 3 and USB-C with fast charging, have not been able to reverse the declining demand because these features only improve on existing functionality, whereas hardware kill switches on laptops would provide consumers with new features which are unmatched by today’s laptops.

The electronics industry has to be alarmed that global demand for their products in general peaked in 2014 and has been gradually declining ever since. Smartphones which have been industry’s main source of growth for the last decade have finally started to decline. Every analyst firm reported declining smartphone production in 2018, except for Gartner which has a more expansive definition of what constitutes a smartphone. Sales in 2019 have been even worse by all accounts, with Strategy Analytics reporting 7 straight quarters of declining shipments of smartphones.

GlobalProductionElectronicDevices2006-18
It appears that global demand for smartphones will follow the same wave pattern experienced by other types of electronic devices. Global production of desktop PCs peaked in 2007 and have been declining ever since. Portable media players peaked in the same year, and have been replaced by smartphones. Netbooks and digital cameras peaked in 2010. Netbooks have largely disappeared to be replaced by tablets and 2-in-1 convertibles. Digital cameras have become niche products relegated to either the high-end DSLR market or wearable body cameras. Tablets, which were widely predicted to become the next PC 5 years ago, have seen a rapid decline since peaking in 2014. When smartphones and feature phones are added together, the mobile phone market has been declining since 2015, and the recent growth in wearables and smart speakers hasn’t been enough to counteract the decline in the mobile phone market.

WavesInElectronicDeviceProduction2006-18

The commodification of phones and tablets under Android has made it increasingly difficult for the makers of mobile devices to distinguish their products, so they have turned to cut-throat pricing and increasing the specs to generate sales. In this environment, none of the mobile device makers have been able to make much of a profit except Apple and Samsung since 2012.

DecliningProfitMarginsSmartphones

ShareOfSmartphoneIndustryProfits

Although ARM Holdings, Sony, LG and Samsung have made a killing on processor licensing, image sensors, screens and Flash memory, respectively, and data collection has turned Google into the most valuable company in the world, most smartphone and tablet makers lose money on every device that they sell. Analyst firm, Strategy Analytics  estimates that the smartphone industry made $53.7 billion in profits in 2016, but the companies which weren’t one of the top five (Samsung, Apple, Huawei, OPPO and vivo) lost a total of $3 billion in 2016, which works out to a loss of $4.8 per smartphone.

SmartphoneProfitsIn2016

At the same time that the majority of mobile device makers haven’t been able to make a profit, people have become less inclined to upgrade to a new smartphone if it isn’t significantly better than their existing smartphone and the number of first-time smartphone buyers has dropped, so people are more discerning in their purchasing and demanding better specs. Larger screens, larger batteries, the change from LCD to OLED screens, larger amounts of RAM and Flash memory and multi-lens cameras have dramatically increased the cost of manufacturing smartphones in recent years. According to IHS, the cost of the bill of materials for the iPhone has nearly doubled over the last 4 years.

RisingCostsOfiPhoneOverTime

Apple and Samsung has been able to make up that difference by charging higher prices for their high-end models, but many other smartphone makers can’t charge the same kinds of premiums on their devices, so they are squeezed even more than before. The global average selling price of Android phones has risen from $208 in 2016 to $255 in 2018, but those price increases probably haven’t been enough to make up for the rising costs of manufacturing smartphones. In this environment, it is highly unlikely that mobile device manufacturers will welcome the prospect of hardware kill switches, separate chips and larger circuit boards, since they will increase their already high costs.

AverageSellingPriceSmartphones

However, there is another side to this depressing story which should give both the  manufacturers and consumers a modicum of hope. Devices sporting hardware kill switches are not the typical commoditized device, so they won’t face the same cut-throat competition that has driven profits out of the industry ever since Android gained the majority of the smartphone market starting in 2012. There is an almost direct correlation between the increasing market share of Google’s operating system and the loss of profitability in smartphones at companies like HTC, Sony, LG, Motorola/Lenovo, BlackBerry and Nokia/Microsoft.

OSMarketShareForSmartphones

The reason why Android’s rise has made smartphones and tablets so unprofitable is that Google has an economic incentive to keep inviting in more and more competitors into the mobile phone market, because it drives down prices at the low-end of the market and expands the number of people on the planet who can afford a smartphone. The more people using a smartphone, the more data which can be gobbled by Google’s voracious servers and the more personal profiles Google can construct for targeting advertising. Google’s ability to keep growing depends on its ability to convince people in the poorer half of the globe using feature phones that they should instead be using an Android smartphone that feeds their data into Google Web Services.

Makers of mobile devices can avoid this commodity trap by designing devices that offer distinctive features that can command a premium in the market. The reason why Apple can charge such high prices and earn a 39% profit margin on its phones is the fact that the iPhone and iOS can’t be commoditized like the rest of the market. One of the best ways for a mobile device to standout from the crowd and command Apple-style prices is to provide hardware kill switches and market it as device focused on providing privacy and security. Processing power, screen resolution and camera quality which used to drive new phones sales have gotten so good at this point that many consumers are starting to wonder whether there is any reason to keep buying a new phone every couple years. Mobile phones with hardware kill switches offer a compelling reason to buy a new phone for consumers who care about their ability to control what personal data they share with Google, Facebook, Amazon and all the rest of the companies dedicated to what Harvard Business School professor, Shoshana Zuboff, dubs “surveillance capitalism.”

Conventional wisdom says that the “next big thing” that will sell more phones in the future will be features like OLED folding screens, 5G, AR/VR, object recognition based on AI, and more camera lenses, but the next killer feature in the industry might end up being privacy and security. Hardware kill switches won’t be cheap to implement in mobile devices, but OLED folding screens and 5G are also very expensive, and VR goggles are unlikely to ever be more than a niche in the market. The best image processing, object recognition and AR will depend on proprietary AI and neural processors that are out of the reach of most phone makers. They will have to depend on Google’s AI and Qualcomm’s neural processors which will only further commoditize them in the mobile phone market, since their products using Google’s AI will be indistinguishable from their competitors.

One of the ways for the makers of smartphones, tablets and laptops to avoid falling into the commodity trap is to add hardware kill switches and market these devices as respecting people’s right to privacy. Designing devices that require thicker bodies and wider bezels might seem anathema in an industry which is obsessed by thinner bodies and bezelless design, but it could be a path to profitability and it will certainly make a device stand out from all the other devices on the market.

2 thoughts on “Adding kill switches to protect your privacy is not as simple as you might think

  1. Jorge

    Many people could be fine without physical switches if they were reasonably sure they can trust their software. That is, if it was 100% open source.

    Couldn’t that become a reasonable middle ground with less impact in the phone design and specs?

    Like

    Reply
    1. amosbatto Post author

      Yes, free/open source software (FOSS) is another option, but 99% of the population won’t use it unless it comes preinstalled on the hardware and most makers of PCs, tablets and phones won’t preinstall it. I am planning on writing a second article about how Linux can be another way for the electronics industry to avoid the commodity trap, but it is a much harder argument to make.

      If you want to get to 100% FOSS, then you will have to design your phones the same way with 3 chips (CPU/GPU, Wi-Fi/BT, cellular/GNSS), because all the integrated SoC’s require binary blobs in the Linux kernel and U-Boot. The only way to use Wi-Fi/BT and cellular/GNSS with free software drivers is over a serial bus (USB, SDIO, I2C)

      Another issue is that Google, Facebook, etc. still collect a ton of data about you even if you use free software. I only use Linux on my PCs, LineageOS on my phones and OpenWrt on my routers, but these companies still know an awful lot about me.

      Like

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s