One year ago, the PrivacyBeast X230 was in the process of obtaining QubesOS certification.
Although Insurgo's webpage was ready beforehand, traffic started flowing when QubesOS published its official announcement(1). QubesOS certified the PrivacyBeast X230 on July 18th 2019(2) and business immediately took off.
Insurgo provides a secure laptop that is ready to use and tamper-evident during transit, while enforcing good practices upon reception through re-ownership of hardware components, so as to maintain a trustworthy root of trust. Of course, the more technically advanced user can certainly embark on the journey themselves: find the perfect X230, change the parts, buy a compatible HOTP USB Security dongle, upgrade the X230 firmware, neuter/deactivate ME in it, build the firmware from source, reprogram its firmware with Heads, flash it with proper equipment and seal measurements with the separately bought HOTP USB Security dongle.
Our customers originally bought the PrivacyBeast X230 for 1581$CAD, even though some critics said that it was too expensive. Our customers understood the whys of accessible security, tamper evidence at reception of hardware and the hows of the re-ownership wizard and onboarding procedures(3).
We were followed but never equaled. Now we want to push things further.
Today, we are better equipped to offer more accuracy on our prices because we better understand operating expenses and our business in general. Let’s start with some context.
Insurgo's standards for transparency are high. On our website, the PrivacyBeast X230 product page originally showed the price of all its parts so that our customers could understand the different steps and costs involved in sourcing quality hardware(4). The price breakdown on the product page still shows a "Reprogramming Fee" of 500$CAD today. This fee was, and still is, added to the cost of sourcing a grade A quality X230 i7 laptop from North America. The hardware turned out to be scarcer than we thought when we began to hit volume orders. This resulted in longer delays for refurbishing and sourcing.
Insurgo switched its X230 sourcing from local suppliers to China, which significantly reduced the costs linked to sourcing Grade A refurbished hardware, to the lowest possible.
The price for the PrivacyBeast X230 dropped from 1581$CAD to 1300$CAD at the beginning of 2020(5).
At this time, Insurgo decided to self-fund R&D projects and presented its plan at FOSDEM 2020(6). This followed its experience with the NLnet funding channel for the Accessible Security project(7), which aims at bringing various R&D projects (coreboot, Whonix, QubesOS, fwupd, Heads…) under one common, ongoing grant-funded effort; this unusual work arrangement was hard for Insurgo to manage.
Switching sourcing of refurbished hardware to China was a double-edged sword: it provided Grade A laptops at such a low price that it permitted us to reduce the price directly; but it locked us into a remote source no local refurbisher could compete with.
Simultaneously, an increase in orders opened up new opportunities and permitted us to introduce the OpenCollective's Insurgo Initiative(8), which is now accumulating funds available to pay for required Open Source project development. This is in turn made possible by Insurgo giving 25% of its net profit from each laptop sold to the fund.
All the while, lots of new expenses appeared at once: legal, accounting (Inc), payroll, plugin development, hosting, external consultancy. All of this happened before we finished the first year of operation and before we knew the real costs of running such a unique startup… Making and keeping our business profitable is paramount.
What have we learned from all of this?
- Sourcing should be as local as possible
There is no point in having refurbished laptops come from China, much less in the midst of a pandemic. If there is a defect on a laptop, reshipping hardware is undesirable, unreliable and costly, while legal obligations and accountability are not as enforceable as they are locally.
- Running an enterprise has a lot of hidden costs
These include paying reprogrammers when the volume of orders increases, which then reduces the profit since the price was pre-set in a transparent way. Initially, I (Thierry) was the only person producing the PrivacyBeast X230 and the company was a sole proprietorship. As the company scaled and the work needed to be divided and delegated, it became evident that the single reprogramming fee should have been separated into various service fees from the start.
- Quality has a cost
If you do not want to sacrifice the quality of your builds (quality of sourced products: battery, casing, keyboard, SSD drives, IPS panel, wifi cards…) nor their safety (tamper-evident seal, neutering+deactivation of Intel ME, research and development, maintenance of software, customer support), then you cannot reduce your costs without paying for them in time, and that time should also be compensated.
So, if you can’t further reduce your operating costs nor the quality of your work, what can you do? You must increase the sale price.
What will change
- Sourcing will become local (Second attempt!)
We will do everything as locally as possible and we will invest the required resources to build a proof of concept enabling us to reach this goal. We have a couple of refurbishers in sight on the North American side, to whom we can provide the most expensive parts of the hardware (i7 motherboards, IPS panels, etc.) sourced from where they are made, a formula that makes sense. We will then expand sourcing to remote local refurbishers and reprogrammers.
This requires local refurbishers to be already established: they need the sourcing, the space required to stock parts, and the shipping and handling expertise to actually produce and provide grade A refurbished hardware that meets our quality requirements.
What we can do to help is share what we've learned about the field of sourcing; we can supply refurbishers with the higher-priced parts at a much lower cost. To do so, we have to be able to provide deals and volume orders to local refurbishers, with agreements on sale prices and shipping. Providing such sourcing to remote refurbishers would permit us to guarantee a selling price within our profit margin, to decentralize, and to maintain Insurgo's mission and long-term vision of getting away from x86 completely.
- Reprogramming will become decentralized
The goal is to recreate Insurgo in all countries where there is demand, so that customers don't have to pay additional fees and the business can scale along with demand. Customers shouldn't have to pay import taxes or duties.
Plus, international shipments are the most probable point of interception. Even though mechanisms are in place to make any interception detectable, interceptions are still undesirable for both parties. Being able to ship locally is the solution for security to become more accessible.
A lot of other things will become public soon, including additional products and services… But that is for another blog post. Stay tuned!
References:
(1) https://web.archive.org/web/20190721185803/https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
(2) https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/
(3) https://archive.org/details/oemuserreownership
(4) https://web.archive.org/web/20200101050206/https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
(5) https://web.archive.org/web/20200226075940/https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
(6) https://fosdem.org/2020/schedule/event/firmware_hodorateatria/
(7) https://nlnet.nl/project/AccessibleSecurity/
(8) https://opencollective.com/insurgo