Here is the reply I sent today.
Thanks for today’s conversation; it was very useful. Here are the answers to the questions. Please let me know if they need more work.
The reviewers very much appreciate the concept of F3 and providing
FLOSS alternatives to commercial software. We would ask that you revise
your original problem statement to emphasize the needs of HRDs,
journalists, and activists that rely on software that can be developed
in a secure, portable, and surveillance-free environment.
As suggested during our call, here is a concrete example to illustrate how F3 would have helped in the recent past, based on my first-hand experience while working as a developer with the Freedom of the Press Foundation on the SecureDrop project.
In 2017 I began working on developing SecureDrop, attending weekly meetings and landing patches as a volunteer contributor. I also travelled around Europe to meet activists and journalists, which allowed me to better understand their needs and adapt SecureDrop accordingly. I focused on internationalization and localization because the human rights defenders and journalists I met were often not fluent in English.
Over time I established a working relationship with a journalist who specializes in investigations involving state secrets. Together we built a threat model based on his past publications, current investigations and his usage of technical tools. It confirmed that they were targeted by intelligence services and that all their communications as well as the people surrounding them were monitored.
To improve the protection of their communications with sources, new SecureDrop hardware was installed for their exclusive usage, as well as a dedicated Qubes OS laptop. Everything in the setup was using off-the-shelf components, including a vanilla SecureDrop distribution. The architecture in place was entirely specific to their needs but no software component was modified.
As can be expected when someone uses software such as SecureDrop on a daily basis, feature requests emerged from our discussions. One of them was to enable daily notifications to be sent, informing the journalist that messages were waiting to be picked up. Doing so in a way that did not leak information was delicate and it took weeks for the algorithm to be designed. The associated tests were carefully crafted to ensure future modifications did not introduce regressions that would weaken this protection. It all happened on GitHub and in public because it was generally useful.
Another feature request was specific to this journalist and unfit for inclusion in the standard SecureDrop. Because of my familiarity with the SecureDrop codebase, I had the technical ability to make a custom development. But I also became conscious that by engaging in this development I would expose the journalist I was trying to protect if the state actor monitoring them became aware of my work. I decided to implement the feature on an air-gapped machine to make sure it was not monitored. Although I was able to download the content of the git repositories to prepare the environment, I was not able to download the existing issues or pull requests or use the CI of SecureDrop itself or its dependencies. Not only did it make my work significantly more difficult, the release that I produced was also less tested than it should have been and its quality was lower than the one produced using the online GitHub environment.
If F3 had existed at the time, I would have had a convenient way to implement this feature offline with the same quality level as the standard SecureDrop distribution. That would have allowed me to better protect this journalist by having a fully functional copy of the SecureDrop development environment as well as its dependencies to develop this specific feature with the same level of quality that is expected when facing a threat from a state actor.
In addition we urge you to revisit your budget and factor in the true costs of development beyond the hourly cost of your labor.
As mentioned during our call, the proposed budget includes the state taxes, which are about 50% of the total amount. This leaves me with a net income that is a decent salary by French standards.