Hacker News new | past | comments | ask | show | jobs | submit login
Purism's AweSIM – monthly plan for Librem5 including unlimited data (puri.sm)
179 points by krimeo 25 days ago | hide | past | favorite | 120 comments

The premise of essentially proxying customers into a major carrier in aggregate to preserve privacy is an interesting one.

I use such a service for home internet in Ottawa, Canada (https://ncf.ca) and it’s been working great - with much better customer service.

I'd be super uncomfortable to tie my account recoveries and stuff to a SIM technically subscribed to by another entity... But if I wanted a phone for leaking or whistleblowing, it's hard to imagine a better choice of service.

You should be super uncomfortable to tie your account recoveries to any carrier, though. Don't use phone recovery.

Yeah, too bad there are still a lot of services where phone recovery is the only option.

I would worry that since this service would be of such limited appeal, as you mention, that it might make these users more likely targets of spying and counterintelligence operations (I assume you're talking about government leaks and whistleblowing).

Interesting. Similar premium. Their 50/10 costs the same as my 1000/1000.

Then consider yourself lucky. Their 50/10 costs about the same as 30/? Where i live, and 1000/1000 isn't even available.

As an aside, I really hope NCF gets access to Bell Fiber!

From their last major newsletter they are planning cable service rollout eventually, probably on Rogers. It's active in some low-income housing already I think.

The stopper for Bell Fiber FTTH is Bell blocking resale of service on their pure fiber lines to 3rd parties. I don't remember any specific dates but the CRTC is bound to hopefully force their hand one day.

I am too hoping they one day offer it, I love NCF.

Hello fellow NCF user! I love their network and customer services. The price is higher than other 3rd parties but everything else about them is perfect for an ISP. Painless, accessible, simple signup with excellent, stable service.

Who does the proxying? Does it expose all your traffic to yet another entity?

Well I think the idea is that you are simply exposing your identity to a different entity, not another one, since your identity isn't passed down the chain.

Given that it's (probably?) impossible to use cellular internet without handing over your ID to at least one entity, the target audience of this plan is probably one that would prefer that entity to be one for which privacy is a primary concern.

(This is why I always wished Apple would become a cellular provider.)

I live in the US and I've definitely bought sim cards and activated phones without sharing an ID.

I even proceeded to (unknowingly) break the law with one of the phones I bought from target. (apparently you're not supposed to use prepaid phones for balloon tracking.)

Not that it matters, they can still subpoena the place you got the phone from and now they have a video of you.

While one can still buy a prepaid SIM card without ID in the USA (though I don’t expect that to remain the case for long), there are plenty of OPSEC slipups: if you top up your account with a bank card in your own name, the mobile provider will associate your identity with the SIM card. If you leave the phone with that card turned on overnight at your own home, it is trivial for the mobile provider or authorities to link that SIM to your own identity, etc.

In today's world you will be wearing a mask so if you add a ballcap and keep your head down, identification will be difficult.

This is perhaps the first time in generations the outcome of a major negative world event made more privacy socially acceptable.

And keep your electronic devices off.

Target uses your devices radios to track your movements in a store. I wonder if they also use it to correlate cash purchases.

One of many articles about this: https://www.theguardian.com/technology/2016/jan/21/shops-tra...

What? LOL this isn't the 1990's, there's gait detection now.

Okay, so stick a pebble in one shoe.

In the US, you can buy prepaid sim cards with cash and without ID.

I know of a hackerspace where people go buy and activate prepaid sims then toss them in a communal bowl.

Take a sim leave a sim.

There are always ways around this nonsense.

But I believe these are scrutinized pretty heavily. I saw an article Woz wrote and you have to call someone before they are activated - I guess that might be a 6dof thing to identify your habits.

Sorry to be blunt, but you have no idea how "Targeting" works on Advertising/Telephone co.

When Verizon/Att/Tmo/etc sells your information to Advertising companies, they will "infer" your identity. They do not care if phone SIM have your ID associated. That ID is built from traffic.

If they see DNS requests to real state sites, they may put you in a bucket that says "high income", if they see searches (via DNS hijack to when you search by your addressbar like tmo does) for things like fastfood breakfast delivery, up in the "low income" bucket you go. Also, it will always have your Phone number.

Then those Advertising companies "enrich" this data with data from google or others, and can pin point you by email plus all the correlated data. Happy that you have facebook two factor auth to your SMS now?

It shocks me that people in this forum are completely oblivious to Tracking and think that the aborted "think of the children" law that requires you present an ID to buy a phone line has any importance...

So, to conclude, the traffic here is observed by the proxing entity, by the tel co, etc.

Isn't this the same thing as a VPN?

No, it's a financial blind: from the telco's point of view, the only subscriber is Purism. From your point of view, your telco is Purism.

Nevertheless, once you start spending 8 hours/day in the same spot for days on end, it will be pretty easy to link you from tower records to traffic, and then to your real world identity.

Those like me who dislike cell carriers selling our location data are best off using cellular data sparingly and not consistently at fixed locations when there is available wifi.

Combining this with financial blinding and you can likely use LTE at a protest in an oppressive country without much chance you get pinned down there and arrested later.

This: you can keep a Librem 5’s modem’s hardware kill switch flipped to off when you’re staying in the same place for 8 hours.

I think it additionally protects people from identifying you by your phone number without a subpoena.

In the USA, of you want to use all the features, the IRS and many banks _require_ an cell phone registered in your name to prove your ID.

Assumedly, this number will not work for that...

EDIT:Bi previously said that the irs required you to have a phone in your name. That was incorrect. I meant to refer to the full secure online access: You can verify by phone or mail, and they disabled mail option during covid a while ago.


> In the USA, the IRS and many banks _require_ an cell phone registered in your name to prove your ID.

The IRS most certainly does not require a cell phone registered in your name, nor could they.

> The IRS most certainly does not require a cell phone registered in your name

They don't but the alternative 2FA for them was a letter mailed through USPS.

I had to do that back in the day when Google Fi wasn't recognized by the IRS as a mobile phone.

Young people think they are clued into privacy, but it's all the old geezers who don't want to learn to use electronics who create demand for the the paper option. I wonder what will happen after they have died off.

None of the banking I have ever done has involved a phone number other than confirming that the phone I am calling from matches the number I entered in online banking, and receiving 2FA codes to that number.

When I opened the account in person, I needed a photo ID (driver license) and social security card (proof of SSN). Online, I surprisingly did not need the driver license at all, just had to provide SSN and e-sign a thousand forms. Phone number was not required and was not checked beyond confirming it was mine with a text code.

Update: I guess I spoke to soon--just received a notice about the following being added to the ToS for my brokerage account:

> “You also authorize your wireless carrier (AT&T, Sprint, T-Mobile, US Cellular, Verizon, or any other branded wireless operator) to disclose information about your wireless account, such as your mobile number, name, address, email, network status, customer type, customer role, billing type, mobile device identifi ers (IMSI and IMEI) and other sub-scriber status, subscriber method and device details, if available, to support identity verifi cation, fraud avoidance, and other uses in support of trans-actions for the duration of your business relationship with us . This information may also be shared with other companies to support your transactions with us and for identity verifi cation and fraud avoidance purposes . See our Privacy Policy for how we treat your data .”

I use Visible (a Verizon MVNO), which doesn't participate in these systems. Recently I had to verify with the IRS. While I couldn't use my phone to instantly verify, I was still able to be verified by them sending me a postcard. Annoying, but certainly not required.

During covid, they weren't offering the authorization by mail. Not sure of current status.

Can you contrast visible with US mobile? I chose US mobile over straight talk because they allowed tethering…

StraightTalk allows upto 10GB of tethering on non-AT&T sim cards with the "unlimited" plan. On AT&T sim cards with a limited-data plan, they don't care if you tether.

sounds like they want to do the "fraud location check ping on your phone" that seems to be happening on many carriers.

That sounds like it’s more secure.

I hadn't heard of this carrier before and it made me curious what the rest of their privacy was like, and whether this part of a overall policy. I didn't see explicit mention of opting out of the systems you mentioned. Is that stated anywhere officially, or is it just unofficial?

Their privacy stance overall looks just ok, maybe somewhat above average.

It does make me wonder how strong of a privacy stance Purism will take, or will be able to take as a service provider.

Some emphasis added, and some info trimmed (noted with ellipses ...)


... I. COLLECTION OF INFORMATION We collect information when you use our service. This includes information about the calls you make and receive, text messages you send and receive, ___websites you visit, mobile applications you use___, and wireless network and device information, including location, Internet protocol (IP) address and connection speed, mobile telephone number, ___device and advertising identifiers___, browser type, and operating system. Some Visible devices include Verizon-provided system applications that collect information about network and device conditions, which is used to secure and improve our network and services. ...


... * Determine products and services that may interest you and market them to you, including on Visible sites and apps and on others’ sites, services, apps and devices as described in Section V below ...


* Authorized service providers and partners. We share your information with service providers and partners that help us with a variety of things, including development and delivery of our sites, apps and service. ... ... * Aggregated and De-identified Information. We may aggregate or otherwise de-identify information and use it for our own purposes or share it with third parties for their own purposes. ...

... Your Right to Say “Do Not Sell”

The CCPA gives you the right to say no to the sale of personal information.

We do not sell information that personally identifies you such as your name, telephone number, mailing address or email address.. We allow Verizon Media and third-party advertising companies to collect information about your activity on our website and in our app, for example through cookies and similar technologies, mobile ad identifiers, pixels, web beacons and social network plugins. These ad entities use information they collect to help us provide more relevant Visible advertisements and for other advertising purposes. This activity may be considered a sale under the CCPA. Visit the Digital Advertising Alliance's Consumer Choices page to learn more about how you can limit this type of advertising. App users can opt out by using your device settings to “Limit Ad Tracking” (for iOS devices) or “Opt out of Ads Personalization” (on Android devices) ...

(edit: formatting)

I’m not sure why it’s being downvoted, in the UK a phone account in your name is one of the most common forms of ID there is no universal government issued ID, not everyone has a drivers license or a passport and if you are living in a flat share or student accommodations you won’t have utility bills in your name.

> the IRS and many banks _require_ an cell phone registered in your name to prove your ID.

That has not been my experience with the IRS and my banks.

So people with landlines can't pay taxes?

Last time I manually filled taxes this wasn't something I had to do.

$99 a month. I had to read the page twice to check that the phone itself is included. It’s not.

As a few others have pointed out I'm not sure I buy the privacy argument here (although there is very little to go on on the linked page..)

Having your phone radio on at all (even without a SIM, e.g. E911 calls) is inherently privacy violating. If you must have connectivity on the go, any prepaid SIM + always on VPN will do the trick. Use Twilio if you want multiple numbers.

$99/mo is ludicrous, even if this actually works, which I have doubts about given the history of purism.

I asked them to elaborate on the privacy angle, and they answered (https://forums.puri.sm/t/announcing-librem-awesim-a-privacy-...) that a key point is that the SIM is registered in Purism name instead of the end user one. That would shield you from some id based tracking.

Yeah I mean a prepaid SIM + top up with cash is < $30 USD.

It just feels like they're taking advantage of people.

Although now that I think about it I wonder how they do E911? Sounds like a liability

I worked at best buy many years ago and we had to scan IDs when selling prepaid cards.

It wouldn't be hard for someone to resell SIMs (even pre-activated SIMs for a premium) to have less data on you recorded at time of said secondary transaction?

But the reseller still has to have their ID on file so they will constantly get deposed in cases where a sim card they sold was used and now the police are trying to identify the buyer. It would be a huge pain for them and I don't see it actually protecting the buyer much.

The location data alone is enough to personally identify people.

It could still be improved upon, e.g. by swapping sim cards every N days.

Perhaps a writable (auto-updating?) sim card could make this process easier and faster.

I'm not a US citizen so I'm not familiar with mobile plan prices there but T-Mobile Germany (our AT&T) has an unlimited data plan for 83€/month. So that's actually pretty close to the 99$. And seeing as they have the overhead as a relatively small company it seems okay to me.

Also they have their Librem One offering that includes a VPN. So it very much fits that use case. It's just not included.

Just so you have a reference for US prices, I'm with T-Mobile here in the US and pay ~$120 a month for 3 phones iwth unlimited data plans (although my speeds are throttled if I use my phone as a hotspot). Purism is definitely charging a premium for (potential?) privacy. Other MVNOs usually charge around $40-50 per month if you get a single line

we pay anywhere between $64-$80 a month (depending how many lines use over 2GB of data) for 3 lines of service on t-mobile that are unlimited all 3 ways (with the normal deprioritization that probably happens with this as well if going over 50GB a month, which we don't).

basically, I don't buy the significant value in their privacy mode (perhaps it has value to others, but not so much to me). I can see the value in supporting the development of the phone, but its a very significant delta in cost.

We’re paying $12/line/month + $10/GB over 500MB, but the data never expires. I’ve only had to pay for an extra GB a few times in the last few years, so it’s ~$14/month/line.

The sms and voice limits are high enough not to matter.

> unlimited service

"limited to United States"

I hate it when marketers say one thing, but the contract says the exact opposite.

Well it is a US-based company. It's also VAT free :)

Is there anything more to it than a bit of billing indirection ? Hard to see any privacy benefits of that. How is it better than buying a prepaid sim ?

They don't provide enough information on that page to justify the price IMHO.

I don't understand, is this offer worldwide? Difficult to imaging this offer is valid for Belarus.

Or that only in San Marino (judging by the .sm domain)?

Down towards the bottom it seems like it's only presently available in the US, and they're simply using `.sm` as a clever domain name hack/gccTLD (e.g. .io domains, .ly domains, etc)

How are they doing this? I thought the KYC stuff was necessary for anti-terrorism laws. Am I mistaken and they do that for other reasons?

> We register your phone number in our name on your behalf and keep your personal and financial data private and out of the hands of companies who would sell it to others.

Presumably they have the information and will respond to a warrant but won't tell the carrier they're MVNO'ing who you are. This isn't that weird; for "work phones" companies often get a pool of SIMs registered to them which they then pass out to employees, and AT&T or whoever doesn't need to know who's in possession of each one at every moment.

Oh! I didn't know that! I thought work phones also had to comply with KYC at the carrier level. Well, tee eye ell.

The US doesn't have KYC requirements for phones, only for banking.

You can still purchase a cell phone with SIM card for $20 cash, and scratch-off reload cards of prepaid minutes for cash.

No technical details in the technical details section. Talks about privacy and then uses the least privacy-respecting carrier: AT&T? Ok cool, so the customer bill says Librem... when this gets piped to the NSA with the location data, I'm sure they can't handle putting a name to it. When it gets sold to location brokers with current location information, I'm sure it won't have the unique phone number tied to it. Might as well wave and put a target on your head saying "please de-anonymize me".

No clear definition of where deprioritization limits kick in or how it is to be enforced. Who cares though! The Librem 5 ships with a cat3 LTE modem. That is only just LTE on a single carrier, no LTE Advanced, no carrier aggregation. Forget talking about 5G, we don't even have a modem that supports full 4G operating speeds. Stop hyping something you aren't close to.

Now I get it, I'm sounding very harsh but understand that this is a company that's selling a packaged virtue signal (sorta like Virtu used to) and is consistently over-promising and under-delivering. Making phones is hard, making them in the US is next to impossible. I'd rather have a piece of working/shipping Chinesium (Pinephone) for a fifth of the price and use a sim card paid in cash from a prepaid carrier that I can load whatever to it and isn't going to be gone in a year, if I cared to attempt anonymity.

99 USD a month?!

I pay 18.80 GBP a month for this.

You pay 18.80 GBP for

> A phone number registered & operated under Purism

> Help fund additional developmental services offered from Purism


I don’t think anyone’s arguing that everyone wants this, but I think it (including “privacy as a service” as part of point №1) is ⅔ of the value proposition.

So the remaining $74.75 covers not tracking you and supporting opensource hardware.

And open source software.

Which is why there are so few privacy-conscious options in the market. People won't pay for them.

So what?

99 USD in Canada will buy you 50GB of data and unlimited calls to Canadian numbers only. Why are you judging a US phone plan based on how it compares to UK plans?

Comparing a dense urbanized island to the vastness of the US isn't really a fair comparison.

I'm not suggesting that $99 isn't too much, just that to expect price parity when the average subscribers per square mile is vastly different isn't realistic.

It's running on existing T-mobile or ATT networks (MVNO), so they're not competing on building towers or anything. https://www.t-mobile.com/cell-phone-plans claims that tmo will give you unlimited everything for $70/mo for a single line. So what's Purism giving you?

EDIT: rereading it, it looks like the extra cost is giving you some privacy benefits and helping fund them.

I paid $8 USD a month for 62gb a month and 600 minutes of international calling.

(It was in a country of >1billion people)

You pay GBP for service in the US?

Yes technically, my plan includes roaming ;)

Out of interest which provider in the UK ?


"Text, Calls, and Data are unlimited. Peak data users may be compressed to peak average"

What does this mean, exactly? At what point does "compression" kick in, and what does "compression" entail?

Yeah I had exactly the same question. I'm unable to tell from their page. I tried to follow the flow to buy the SIM to see if more details would pop up, but I eventually got stuck in an infinite loop clicking on "Sign Up Now".

If I could do dual-SIM on one account for 99 bucks and get both AT&T and T-Mobile backends, that would be killer. The only thing more killer than that would be swapping one of them for Verizon.

You can do all of that on a recent iPhone.

You're not going to convince anyone interested in a librem to get an iphone

Right, I spaced out for a moment and forgot the topic. Doh.

I think that's an oversimplification. The iPhone was the closest practical alternative, last time I purchased a phone.

I don't see how the iPhone is as good in terms of privacy as Sailfish OS or Android without Google apps.

Sorry I am late replying. I was in the market for a phone, not an OS. I have no interest in learning and maintaining the skillset needed to change the OS on my phone.

I need a phone with robust support and good warranty. At the time I bought my iPhone 10S, it was a good choice, and I could even buy it locally to me. I was unaware of any option that would offer those things, was generally available, and didn't run Android (with Google Apps) or iOS.

iOS is a closed platform, but this is the only obvious negative thing about it, privacy-wise. You can opt out of every single cloud thing that ships with the phone, and most are even opt-in (for example, iCloud and Apple accounts in general). The phone ships with a robust suite of productivity apps, a modern web browser that is kept up to date, and many privacy options. And usually, opting out of something doesn't break some other random other feature on the phone for no reason. (I recently saw a recording of how you cannot have Google search installed on Android and refuse to share your call logs with it. Why? There are no such restrictions on anything on iOS, as far as I have found.)

The UI layer is closed source in Sailfish OS, so not better than iPhone in this case.

For Android, if getting a Lineage OS in phone, the first problem is Lineage OS still does not have automatic update without manually reboot into recovery mode, and need for user invention. Let's be honest I don't bother to update because of requiring human intervention in update until I find the time to do it. Not a good practice but hey...

Secondly, any phone could be dropped support by Lineage OS if the developer of that model just starts using another phone and cannot find another to continue supporting the phone.

The best option for privacy seems to be using GrapheneOS with Pixel phones, but GrapheneOS only supports as long as the support cycle of a pixel phone, so it is 3 years before end-of-life minus the time to develop GrapheneOS ROM for a new pixel phone. If you are going to value your privacy so much then this is the best, but a quite expensive route and not really environmental friendly.

An iPhone can receive update as long as Apple the company is not bankrupted. Well, you get a worse performance after update but at least it is an option to continue to use.

Devices with official LineageOS support will get OTA updates. Newer devices with A/B partitions will even get seamless updates like stock, where the update is applied in the background and the user just needs to reboot to use the new version.

Yes, but official LineageOS can be dropped without notice. And even if optimistically a popular device will not drop support until it's too old, the blob is still not updated and the linux kernel is not usually mainlined. Many exploit on that. And let's not talk about the blobs are not open source. That's why there is a demand on Linux phone which the kernel is mainlined and up-to-date.

Again, ignore the fact that iPhone is closed source, it does provide a infinite software update until it's broken, which is better service than most Android phone, even if considering installing ROM.

While support can be dropped without warning it's unlikely to happen once a phone gets ported to a LOS version. Usually it s just that the phone gets dropped when LOS drops that version. Hence the key thing to watch out is whether the developer is porting the phone to newer versions of LOS when they become available.

P.S. If/When they do and you use LOS be sure to tip LOS and the developer ;)

> Again, ignore the fact that iPhone is closed source

That's a big thing to ignore.

> it does provide a infinite software update until it's broken

No, it provides a long (several year) life cycle, but Apple does EOL devices.

> which is better service than most Android phone

Absolutely agreed.

> even if considering installing ROM.

Less obvious; Apple probably beats many aftermarket ROMs on lifespan (while losing on other points), but it's a lot closer competition.

I have an iphone and it's the other way around.

But then you'd be stuck with an iPhone, not running Linux, unable to develop, run and share free software.

> You can do all of that on a recent iPhone.

Not sure what you mean exactly, I'm talking about the service, not the basic existence of dual-SIM functionality (something I already have).

Not being able to port a number to them is kind of a non-starter for me.

So you're considering a privacy-focused phone, but only if you can bring all of your phone number associated baggage and history with you?

What baggage is associated with a phone number aside from perhaps the occasional nuisance call?

This is probably off-topic but on a very broad level, from a privacy point of view I think it is important to separate 'service provider' (controlling the instance of your data) from 'software' developer / 'hardware' maker (controlling the mechanisms of your data privacy), no matter who and how open-source they are.

I'm not sure this instinct applies much to this situation, but it immediately came to mind. Vertical integration is where user privacy (from service providers) starts to erode.

Ideally, we should have competing but inter-operable service providers on common platforms and protocols which have nothing to do with the service providers.

Vaporware. Indefinitely on preorder, and $2,000:


The normal version (not made in USA) is $750, which is more reasonable. It's not that cheap, but it's still an acceptable tradeoff for getting a full Linux distro on your phone. (Although there is the PinePhone at $149, its performance and hardware/software integration leaves much to be desired.)

I don't get the price. In EU I get that all for ~7$.

Does this include a lease of a phone unit?

pretty sure this'd be illegal in the EU where all simcard holders are required to tie the card to their ID documents by law, and there's a yearly checkup on these data

No such law exists EU wide.

$99 a month?

Sorry guys, “privacy as a service” should not cost $1,200 per person per year. Hard pass.

I think ~$840 of that is for dialtone, data, texts, etc. The other ~$360 is for PaaS and to be a Purism booster. It's up to you how much of is about being a booster and how much is about PaaS.

Perhaps you object more to the $840 than the $360? Did you see the price of the phone?

Edit: s/phone/dialtone/

There might be a counter-argument that being identified and tracked also has a dollar amount associated with it.

It might be the personalized pricing you get, just because they know your zipcode.

I appreciate free software and privacy, and it's cool to have a company that genuinely understands both of those.

But it hurts that Purism uses their monopoly over their niche to upcharge customers so much.

edit: I'm wrong. Didn't know about their financial woes.

> But it hurts that Purism uses their monopoly over their niche to upcharge customers so much.

Monopoly? Purism barely exists as a company.

This is just another desperate attempt to get some cash flow, I don't think they've even managed to ship the gen1 phone to all the backers yet.

> This is just another desperate attempt to get some cash flow, I don't think they've even managed to ship the gen1 phone to all the backers yet.

This is not a desperate attempt, it is another service offering to align with their privacy focused hardware and software products.

They have been very open and honest about any delays in the shipping of the phones. Evergreen batches are nearly a month away. So they haven’t “managed” that yet because the process has not completed yet.

Correct, I have not got mine yet.

I signed on for their LibremOne family plan, and gave them 18 months to pull it together. They were unable to keep a Matrix homeserver operating correctly. I gave up.

I discovered privacytools.io operating services, and recently debian.social. And bought a PinePhone.

I too have issues with the quality of their matrix server. For example server errors out if you try to change a room's notification settings (and the request fails).

I wrote to Purism about that more than a month ago. They are running an old version of Synapse that needs to be restarted periodically so as not to exhibit this bug. Evidently they still have not updated, and they have not even arranged to restart it periodically.

They said Element is asking too much money for consulting on how to keep your Synapse server up, and have no one on staff equipped to do it. So, whatever the status of Librem 5 the phone, LibremOne the service is not a priority.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact