Surveillance protection during delivery

How do I know that no government installed a Trojan on the phone while it was in the delivery chain passing country borders? Same on airports when they “check my phone”? Thanks

If you are a targeted journalist, don’t use things you own but that have been away from you (so don’t buy on the internet unless you are perfectly sure nobody can know the order came from you). And don’t use /e/ since it’s not government proof.

There is currently a /e/ “seal” on the box but it’s worth what it’s worth.

Thanks, I thought of something like purism does with their boot check on their laptops. Do you know if that is available for the Fairphone or any other phone the e foundation supports?

If you buy a Fairphone 3 on, the device will come with /e/ and a locked bootloader.

Yes, this will protect against “evil maid” type attacks, for the cases in which somebody has your phone for a while (software attackes, assuming everything works as expected and they can’t actually insert other listening devices or corrupt parts of the hardware itself to snitch on you).

It will not protect the phone while originally delivered if the booloader can be unlocked and relocked (both features one would want in principle the owner to have access to, for a phone that’s actually owned by the owner not the manufacturer, Google, Apple, etc.). This can be mitigated if bootloader unlock code is sent via an independent channel (not the same parcel!) to the owner or if there is some delay in sending it or if there is otherwise some trail if the device was unlocked or not.

Thank you for the explanation. So lets say I trust the workplace at /e/ and the Fairphone 3 leaves the work bench without any unwanted software installed, even if the bootloader is locked during delivery I have no chance to know whether or not someone fiddled with the unit by unlocking/relocking the bootloader? I mean anyone can go the Fairphone website and look up the unlock code right? Or does /e/ offer a way to receive the “bootloader unlock code is sent via an independent channel (not the same parcel!)”?