Back to Blog home

Sailfish OS: Security and Data Privacy

Mobile World Congress is back again! Like every single year during the Jolla journey, we are excited to take part in this event. We have had great experiences in the past MWC’s, our main drivers for attending are the current and relevant topics discussed during the congress. One of this year’s core themes is Digital Trust; “Digital trust analyses the growing responsibilities required to create the right balance with consumers, governments and regulators.” It makes us happy that these topics are being discussed, especially since several scandals have recently affected trust in digital solutions.

At Jolla we work constantly towards providing a secure and transparent solution. Our value towards our customer’s privacy is reflected in our values and actions. Back in May of 2018 our CEO Sami Pienimäki wrote a blog post on the GDPR laws passed within the European Union and stated the cornerstones on how Jolla views data privacy. This stand on privacy is not rocket science – the core idea is to respect our customers’ privacy and allow them to be in control of their data.

 Jolla’s Stand on Privacy

  1. We collect only a minimum amount of information, only what is needed to run our services.
  2. We do not monetize your data, or give your data to third parties without your express consent: we only use it to provide our services to you.
  3. We do not collect any data without your consent.
  4. And last but not least: we care are about privacy on all levels

To support our Stand on Privacy we recently attended the Computers, Privacy & Data Protection (CPDP) 2019 conference in Brussels. CPDP is a “world-leading multidisciplinary conference that offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection.”  The event took place right after the celebration of International Data Privacy Day on the 28th of January. During the event, Jolla was invited to attend a panel focused on privacy and design in mobile development.

Here are a few insights from Vesa-Matti Hartikainen, Program Manager at Jolla, who was the speaker at the panel:

“Jolla was invited to attend the panel titled “Implementing Privacy by Design into mobile development, obstacles and opportunities. A developer perspective on data protection by design” at CPDP2019 conference. As I co-ordinated the work of Jolla’s GDPR project I was chosen to represent our company.

In the panel there were representatives from academia, other companies and data protection authorities. During the panel an interesting question came up: “What else (than GDPR) is necessary to finally get these solutions (Privacy by Design) into broad deployment?” The answer I gave came from my experience while developing Sailfish OS. It is very difficult to compete against “free” when the competitor OS is essentially free for the device vendors. At the same time the OS vendor gets its investment back by having their apps and services being prominently present in the device, which allows them to profile the users, collect data and in the end mostly monetise from the ads on the app and from the ads on their other services. GDPR has already had some impact on the situation as it severely limits what organisations are able to do with the data and exposes what data they are collecting. It is valuable to have regulations in place and having better visibility on what information is collected from the users. The fines and controls are slowly impacting the big players. GDPR has shown some promise here in Europe, but it would be very good for privacy if other major markets should follow the lead.

After the panel I had several interesting discussions with conference delegates and it’s nice to see that privacy is a big concern here and actions are taken to protect peoples’ privacy. This concern was shown not only through the discussion but also by the reports presented during the event. A clear example is the report “Every Step you take: How deceptive design let’s Google track users 24/7”  presented by the Norwegian Consumer Council and funded by the Norwegian Government. This report analyses  how Google gets permissions to track the location using different technologies and through deceptive design practices.

Data privacy has always been in the core of Sailfish OS and in the way Jolla operates, and we believe this is one of the main reasons why our corporate customers and community believe in us. In our latest release, Sailfish 3, security has been a special focus and it incorporates several features to improve device security and keeping the user data and communications private. The security related features we’ve been developing into Sailfish 3 include among other things: encrypted user data and communication, new security architecture, remote lock and wipe, fingerprint support, VPN and specifically for corporate users: Mobile Device Management.”

As Vesa-Matti already mentions above, it is important to discuss about privacy and security. Awareness is growing, and governments are taking action into protecting the privacy and security of their citizens and businesses. As from our trench, we continue working on providing privacy for our customers and constantly improving the security in our solutions. We hope to have good discussions in Mobile World Congress 2019.

If you are interested in our solution you can still book a meeting with us through partners@jolla.com. If you are part of the community in Barcelona we hope to see you in our Community Meet Up hosted with Planet Computers on Sunday 24th at 5pm, in restaurant Bodega La Puntual.

Mariana Perez

Mariana Perez

Marketing Assistant at Jolla. Wildly interested in technology and startups. Excited to take part in Jolla team!

67 Comments

  1. Avatar

    “remote lock and wipe, fingerprint support”

    As we all know fingerprint support is still missing for Xperia XA2 (but I hope it will follow this year).

    But what about “remote lock and wipe”? Is this already implemented and how does it work? Or is it just a business solution and requires MDM? I guess every user might be interested in locking and perhaps wiping a Sailfish device that is lost…

    • Avatar

      That is actually true, it is a business solution and does require MDM, but we definitely take your comment into consideration.

  2. Avatar

    great to see users privacy is taken seriously at Jolla 🙂

    • Avatar

      Great to meet a woman at Jolla: Mariana!

    • Avatar

      We have done that since the very beginning! It’s in our souls 😉

  3. Avatar

    Biometrics like fingerprints are easy, but don’t make our device safer. A code still is a good way to unlock the device.
    I am glad hearing that Jolla cares about our privacy, that the company does not sell our data. Yet Android apps do and it would be nice to be able to switch off access to location and contacts for each app. Privacy by design!
    It would also be nice to have more privacy friendly search engines as default, such as Qwant, Duckduckgo, eventually Startpage.
    I don’t know why, but it seems that Google still is a favourite in the accounts list.
    Being independent from Google is hard, and in order to fight the surveillance industry, Jolla should maintain a better business model. And get funding (from the EU?). Paying for updates therefore is a good idea, but updates should be worth paying also! Please, Jolla, try to find out what ordinary users want and make your system accessible and available to many more people.

    • Avatar

      “Yet Android apps do and it would be nice to be able to switch off access to location and contacts for each app. Privacy by design!”

      Are you sure Android actually does this? If you for example switch off an access to location for an app, does this really happen? I mean, Android is partly closed source and no one knows what actually happens under the hood. I’m not an expert on these things, but I wouldn’t thrust Android to honor users’ wishes too much. Atleast Google will receive locations eventhough Android says an app wouldn’t receive it (..or am I too paranoid?) 🙂

      • Avatar

        Never used Android than on a Jolla. I want nothing Googlish. Android apps and also iOS apps often contain trackers, nearly always Google is amoung them. So we are tracked through apps. In iOS it is possible to switch off location and access to contacts for each app so that is at least something. I don’t know if Android offers the same. When installing an Android app on my XperiaX, they show me a list of functions that I have to swallow unless I cannot install them. iOS does not show such a list, but has those switches for location and contacts and some other. Of course I cannot check if this indeed blocks the access. At the end we always have to have trust. It is impossible to controll all the millions of apps from outside, even if they were open source.

      • Avatar

        Nitpicking:
        – *Android* (the OS) is nearly fully *opensource* (bar some blobs in the driver/firmware department).
        – the closed source elements are the *Google Play Service*.

        On Jolla Sailfish OS : when you install an Android compatibility layer (though my experience is limited to Jolla 1 and XperiaX’s 4.4 compatibility layer), you only get the opensource part.

        *BUT* a lot of applications require the closed source services in order to run (e.g.: to display maps, etc.), and you’ll be asked to install them.

        There *are* opensource alternative to that (namely : microG, which give you the possibility to select other service providers or work off-line, for thing like locations, maps, etc.)

        If you block an app’s access to locations, that won’t prevent Google Services from slurping as much information as they can get away with.
        I don’t have the reference at hand but there were recent comparison between phone running Google software and iOS regarding that (I think Brian Lunduke did a vlog presenting that).

        • Avatar

          Ah, ok, thanks for correcting me! 🙂

    • Avatar

      Thank you Kea for your comment!
      It is indeed extremely important practice to try and be as cautious as possible and it never is too much. It is a good idea to have more privacy friendly search engines available as default. I will definitely let the team know.

  4. Avatar

    To emphasize the users’ privacy even more, Jolla should introduce / improve the following features in Sailfish OS: full ownCloud/Nextcloud integration (instead of only Dropbox and OneDrive), freely selectable and extensible search engines, more VPN protocols.

    The mentioned app privileges would be fine, as well as a reliable autostart setting for Android apps (at the moment, Android apps start randomly in the background, ignoring the autostart setting).

    Last but not least: if we had more and better native apps, we would need fewer Android apps. This is especially true for the browser: it’s ridiculous we need Android apps to have a useable web browser in Sailfish OS!

    • Avatar

      I use Brave browser with Qwant search engine. Works fine. You are right, Jolla has to offer us more and better possibilities.

    • Avatar

      +1 for native out of the box support for alternative and/or self-installable solution like ownCloud / NextCloud

    • Avatar

      On an event i was talking with Sami why not implement Nextcloud on Sailfish. On same time offer an adapted Raspbian Image (Debian on Raspberry Pi) with a script to configurate an dyndns and the nextcloud-configuration for Saiflish-Clients.
      To make it in this way, more people may be interested to boy an sailfish-device and make his first steps to more privacy

    • Avatar

      thanks for your comment. We are always doing our best in our small team to improve the features you mentioned. And adding NextCloud is definitely on the list too. It won’t be long before we have them integrated.

      • Avatar

        I hope this will not only cover Nextcloud as cloud service… An implementation of Nextcloud Talk would also be great.

  5. Avatar

    The elephant in the room here is that Jolla’s infrastructure is very insecure, when it comes to privacy safeguards. Android has app permissions, per-app file segregation, and the possibility to revoke permissions from apps. Sailfish has… nothing?

    • Avatar

      As our Android app support is now moving to a newer version of Android (8.1), it is now possible to revoke permission based on each function. Also on the older Android support which still safely runs on many devices out there, you definitely have control over the functions that those apps use, just in a different way.

      • Avatar

        I’m not speaking about Aliendalvik, I am speaking about native apps. They all run with the same user and the classical Unix permission model. Android, instead, sandboxes each app individually.

  6. Avatar

    That’s so great to read! I’m absolutely thrilled about this focus on privacy and security. May I also share with you some ideas on this topic? It would be great if you could team up with regional partners to ensure the growth of a stable, privacy- and security-related ecosystem. From what I’ve learned, SSH (the company) is up there in the north with you. I can almost see the press release about your cooperation before my eyes. Also, whats certainly needed is some cloud service that respects their users’ privacy. I faintly remember a service from F-Secure (discontinued AFAIK), but there are certainly others to fill the gap.
    All of these would make wonderful press releases for MWC. There’s proof they do.

    • Avatar

      I remember that too. It was a promise to coöperate.

    • Avatar

      Nextclowd and Stack (Transip) could be candidates, since F-Secure became American.

    • Avatar

      Thanks Ossi for your suggestions! Duly noted.

  7. Avatar

    Big up to Jolla for keeping up regular posts.

  8. Avatar

    This is all very good news!

  9. Avatar

    To state it first, i am a really big fan of Sailfish OS, and would not skip this system for another, also because there is no real alternative left then Sailfish OS. But November 2017 we were promised many things, we have already seen improvements in design and performance, the support for more and different devices. But what i am missing is a real roadmap, what does some UI polishing or performance improvements bring, if the OS does not real manage normal things (network/roaming problems) there are so less native apps, some of them (browser | privacy related) are really old and not update to a newer base, the whole base of the OS is based on an old kernel with known privacy issues. How can you then promise the User privacy? Why struggling from one update to another with a small team, rather then forming an alliance for a free phone OS. Sony wants to get away from Android, Huawei is even secretly developing its phone OS, Samsung still develops Tizen OS which has the same base then Sailfish OS. Why all these seperated efforts to get away from Android rather instead of agreeing on one common OS and putting all the available work force, investment in it. This would create a real alliance against Android and Google. But only relying on the by the way great Team of Jolla :), will not bring us forward, but we will be a nutshell on the rough ocean. We read about the chinese wanting to put 250 million into Sailfish OS. So if this is really true, with this much money, new developpers could be hired and the problems of great Sailfish OS could be solved, to finally correspond the communication of Jolla. I really hope for that, but can just support this by using the OS 🙂

    • Avatar

      In the meantime, before Jolla is taking over the world – and before the days of full disk encryption and app permission management – it’s the little things that count:

      Like adding a privacy-respecting search engine to the browser, or posting OSM instead of Google Maps links in blog posts about data privacy (I mean, seriously?).

      These things don’t take a lot of work, but show us that you care.

      I’m glad Jolla is repeatedly taking a stand for privacy, though. As we can see from the comments, the community gives educated feedback and will hold them accountable for their word.

    • Avatar

      If the Chinese are investing that much, can Jolla still maintain safety and security? Are Huawei and other Chinese brands really safe? Some have had security issues and we all know that China is not yet a democratic state. I would prefer funding from the EU, but that will take a long time. What about Nokia?

    • Avatar

      “Huawei is even secretly developing its phone OS”

      unless something major has happened to the way Jolla operate i can easily state that the day Huawei releases a device with non Android software it will be my final day with Jolla

  10. Avatar

    > We collect only a minimum amount of information, only what is needed to run our services.

    Please explain why you need my date of birth for that.

    • Avatar

      @lma I would guess the reason is that the age of the person you do business with is important. If you know that the person who accepts the terms of contract is a 7 year old, under most (if not all) legislations the treaty will not be legally binding, at least not all parts of it. So as long as no court rules that people must present an ID card when doing online registrations, the best effort of a company trying to ask you for your age will be enough.

      • Avatar

        They could also ask: are you 18 years and older or something like that. Are you under age or an adult. Some people give false birthday dates. It depends on the legality of the reques if that is permitted.

        • Avatar

          Some give false birth dates, some give false names. As I said, as long as jurisdiction considers it “good enogh” and doesn’t require an ID card via video chat, that’s OK. As someone who studied law I would still strongly adise against only asking “Are you 18+” or “Are you an adult under your legislation”. Over the course of time, laws may change and the things you offer to your customers may change.

  11. Avatar

    This is very good, that Jolla is going completly different way, than Apple or Google. No iCloud, no Google services, no extra layer on top of OS which force the user to use the services…

    That was the main argument for me to use Maemo, Meego, SailfishOS….

  12. Avatar

    several months of using XA2 and getting really annoyed at how quickly the battery still drains after the recent update

    Im STILL putting people on hold or mute or both because of the stupid problem with the proximity sensor, I’ve come close to wanting to smash the phone in frustration!!!!!!!!!!!!!!!!

    I dont give one single cr@p about all the “fluffy” things Jolla does or plans to do, i just need a stable device that acts as PHONE before anything else

    I currently would NEVER recommend XA2 with SF03 to a single person unless they were a rabid jolla fanboy

    seriously considering jumping to a fairphone 2 as i believe i can install SF02 which i think is a better version of SF

    #superpissed

    • Avatar

      I was also pissed.
      But then a week ago I just went, and reinstalled Android on my Xperia X. I would say it was a fun three years on Sailfish, but mostly, it wasn’t.

      I all started well, with a Jolla 1, which I bought from another user’s backup stock. But the almost Blackberry like integration of profiles/message apps quickly went away, as Facebook and Google stopped supporting the APIs which Telepathy framework used. I know, these are not (mainly) Jolla’s faults – although Telepathy should’ve gotten some love from them.

      Also, I almost bought a Turing phone because I wanted better hardware, but was late – for the better, in retrospect. Meanwhile, aquaintance of mine happened to fall into the tablet trap. Then the near backrupcy of Jolla came in. Storm clouds were gathering, and Jolla’s communication was moslty non-existent: delayed notices of delays, till the end, right to the point where it was obvious it won’t happen.

      I bought an Xperia X in the very beginning of 2018, to install the ~3 month old, 50$ priced software, that was a ray of hope. It was delivered late of course, but I work as a programmer, and given their history, this delay certainly didn’t cought me off-guard. New hardware was in my hands (although with a severly crippled, beta-ish hardware port), new OS release in the corner. But Android was stuck at 4.4? No problem, Jolla said, they’ll change it. Nobody said that it will be in the official support year, but I was willing to take a risk of paying another 20-30$ a year later, if cornered. But after, the communication became even worse than non-existing: Jolla mostly failed to deliver what was promised, and they reasoned as: the missing parts was never explicitly promised, only you understood that way. Word games for you.

      Fast forward a year:
      Jolla did a severly disappointing major 3.0 release (delayed of course), with yet another rationalizing after-the-fact: “we didn’t said 3.0 will include all the stuff you are waiting for.” Hurray for the light ambience, that is, like a week’s work for a senior dev – let’s give it two weeks, out of graciousness. And months of delay to make it available for user creation? Seriously?
      Replying for meeting invitations? Yes, it was needed years ago, just like, i don’t know, a normal mail app, or a browser?
      QtWebEngine based browser for example? Which reminds me, maybe a Qt update is needed to make use of it. Ah, which also failed to arrive?
      Yeah gallery now groups screenshots separately, that helps: like 0.5 percent of my pictures is screenshot, good luck for handing the giant mess of all your other photos.
      Bluetooth headsets stuck on SBC codec? On a phone that originally support LDAC? Even Android Open Source Program support aptX now, or maybe LDAC too?
      Blockchain went south of course, only dead silence about it. Feature phone support as well? Not that it matters for me, just remembering.
      But then the last one – Xperia X is unlikely to ever get an Android emulator update. Yeah, it wasn’t told like this, and don’t get started on the word games again.

      So a year after I spent ~250$ on a phone, plus 50$ on the software, please spend another 300$ on another phone, plus 30$ on our software again. The latter will cripple the hardware of course (like the X’s port did), so it will likely take another year to get the lost featues back. And spend this money, just so you get what was clevery suggested (not promised exactly?) you will purchase with your previous payment. And then maybe repeating it next year?
      NO, THANKS!

      I loved Sailfish: my choice of desktop distro is OpenSUSE, so rpm/zypper was a big plus; I like Qt, since Symbian Anna/Belle, through Blackberry OS 10, heck, my day job requires it; I still believe MeeGo was like 5 years ahead of its competition. The list goes on. Also, I can understand some of the difficulty of your project as a programmer.
      BUT!
      To get me, who was so passionate about Sailfish’s so many aspects, to feel mostly frustration and disappointment: Jolla, you screwed up, big time.

      Your sailors are deserting, and they are right!

      I wish you a comeback, but for that you’ll seriously need to reform yourselves. I’ll only follow as an outsider from now on…

      Krisztián

    • Avatar

      You are not the only one: my XperiaX is out of order because the sim reader and microcard reader don’t work. Can’t make calls and all my data gone. I was advised to do factory setting, because links to browser did not work in Sailfish 3. In 2 it works but with result above. So I am pissed too. And can you believe it, I still like Sailfish!

      • Avatar

        No chance!

        Imagine showing that to someone who’s never heard of Jolla & Sailfish, they would NEVER go anywhere near Jolla!

        “Hey, check out my funky phone you’ve never heard of! Oh! If you want the proximity sensor to work don’t expect an update to fix it, instead why don’t you try pissing around with some commands by yourself…… ah go on…..it’ll be fun!”

        Bottom line, this ship’s taking on water and some of us are determined NOT to go down with it!

        • Avatar

          Dear BraapBraap,
          I took a look what’s going here. I am very sorry for your bad luck with SFOS 3 In XA2. I’m very convinient with my XA2 with Android. So I’ll stay there sofar. I with you more lucky in near future. The Jump to XA2 seems to be more difficult that it was with X last year.

          • Avatar

            with should be wish… I wish you more lucky…

      • Avatar

        Togetherjolla gave answers that did not help and that is not the first time. What future had a phone that is only a toy for geeks?

  13. Avatar

    Jolla is not really serious about security. Bootloader security? not existent. Full Disk Encryption (FDE)? not existent. Secure key storage in hardware? at least not mentioned anywhere.

    Unless they get support by Sony (and what are the odds they do?) or some other phone manufacturer this cannot even be changed. Would I recommend using such a device to anyone? no.

    I would really love to see an officially supported SFOS phone where all the security features are implemented and verifiable since being open source …

    • Avatar

      Thing is, at the moment Jolla have no any isolation features for native apps. They all run as the same user and can access each other’s files, can access phonebook, your sms, etc. That’s pretty horrible from privacy point of view and security too. What helps is that most native apps are opensource and are made by opensource devs in a good faith. If Android or iOS had similar permission model, they would be considered pwned on arrival.

      • Avatar

        I think why Jolla might still be the company to go with in terms of data protection is because of their (perceivedly) good intention.
        However, I have issues in approving the statement in this article that from software development perspective data protection is by design built in. Like butler said, especially native apps lack a reasonable security layer. When it comes to security also up-to-dateness is a key factor. The outdated browser is clearly lacking that.
        And it always feels that there is more talking about improvements rather than implementing them.

  14. Avatar

    I wished Jolla could coöperate with Nokia.

    • Avatar

      Thiw sill neve happen. Because the old Nokia is dead (Thanks to M$ and Steven Elop). And new Nokia is HMD Global what has nothing, absolutely nothing to do with the old good Nokia

    • Avatar

      not sure why you want the dead and fake NOKIA to work with Jolla? think Xiaomi with Sailfish is better:)

  15. Avatar

    where is your feature phone with sailfish?

    • Avatar

      That was a concept phone we showed at MWC last year, which could potentially become a product if a device vendor was interested. There are on-going negotiations on that front. Let’s see what the future brings.

      • Avatar

        This would give Sailfish a boost. I still hope that you can find a manufacturer/vendor. Than Sailfish will be available to non-geeks also.

  16. Avatar

    Hi Jolla crew !

    Please try to not break your streak of regular communication.
    Could you try publishing something this week?
    Even if no big announcement nor release, but simply some “news from the front”, what’s currently happening, what’s currently being worked on, etc.

    • Avatar

      Hi! We have blog posts in the works. We will keep you updated as soon as they’re ready to be published. We appreciate for your enthusiasm!

      • Avatar

        Official announcement of open beta of 3.0.2 Oulanka after its appearance in the threads of Together Jolla Com, I presume ?

  17. Avatar

    1. Can I get my favourite Jolla alarm ringtone back please? Longer list, but nothing to please my ear.
    2. Calendar app without search option. It makes such a beautiful app hampered.
    3. GDPR… well it is forced upon all of us, so of course your developers must comply.
    4. On the + side, MMS is working on my J.C.

  18. Avatar

    Hi Jolla crew.

    I just wanted to drop by for sayin’ hello and a thank you of your latest update on SFOS3. Honestly I had to go back on googol phone for awhile but now I am happily using and installing (on mobile network) t
    few of my must have apps and 99% of them works, sadly few says that they meed gapps. Aanyhow, thank you for this amaxing platform, I love SFOS3. Yes, I am a noob Sailfisher and proud or it. LOL! Few things I would like to have are better sync to M$ One drive and perhaps Mega. Native 112 app and banking apps. Oh, amazing web browser would be so very nice too.

  19. Avatar

    Sorry of my typo’s but who really cares?

  20. Avatar

    Hmmm, I am a noob Sailfisher and I have been seeing these tablet/refund etc. posts around but at this point I want to ask/reason(?) Two questions: is it good for sll that Jolla is developing SFOS or is it better for all that they just quit? I have been so fkin amazed of some people’s posts because crowd funding is risky and who ewer foes not understand or accept it are very simple and ignorant people. I am apologizing if my opinion hurts someone but this is how the world works. So, some people took the risk, some people couldn’t handle the risk so that’s why some people are still whining. I have my opinion on that and someone else has another opinion and that is very cool

  21. Avatar

    Please, don’t forget you owe us money.. You can be absolutely sure there will be people like me who will never forget
    #tabletrefunds

Submit a Comment