You slide the Bluetooth toggle to “off” and feel a small flicker of control. The icon greys out. The phone obeys. Except it doesn’t — not really. The chip is still powered, still listening for “Find My Device,” still doing exactly what the closed-source operating system tells it to, which is something you are not permitted to see. You flip Airplane Mode on at the airport and assume you’ve gone dark. The cellular radio is still drawing current behind the UI. Every “off” switch on your phone is a suggestion to software written by the company that profits from you never quite being off.
The short version: The Purism Librem 5 is a $1,299 Linux smartphone with three physical kill switches that cut power, at the circuit level, to WiFi/Bluetooth, the cellular modem, and the camera/microphone. Because they’re hardware switches, no firmware, update, or zero-day can override them — when the switch is off, current physically cannot flow, a fact you could verify with a multimeter. The trade-offs are steep and real: 4–6 hours of battery against 12+ on flagships, a small F-Droid app catalogue with no WhatsApp or Uber, and a need to be comfortable with Linux. It’s built for journalists, activists, and security researchers who need provable privacy. For most privacy-minded people, GrapheneOS on a Pixel is the smarter, cheaper balance — and an honest review says so up front.
Why your phone’s “off” button doesn’t actually turn things off
Here’s the uncomfortable mechanism underneath every smartphone you’ve owned. The toggles in your settings don’t control the hardware directly. They send a request to the operating system, and the operating system — closed-source, owned by Apple or Google — decides whether and how to honour it.
Apple and Google control the baseband, the firmware running on your phone’s radio chips. You have no way to audit what those chips transmit. Background processes can wake the microphone or location sensors even with permissions “disabled,” because permissions are a software promise, not a physical barrier. Meanwhile, law enforcement deploys IMSI catchers — Stingray devices — at airports and protests to harvest the unique identifiers your cellular chip broadcasts, and your phone can’t stop them, because that chip operates independently of the main OS you think you’re controlling. In 2024, security researchers reported that major phones leak metadata even in Airplane Mode.
This is the surveillance-by-default design. You don’t have a phone with privacy settings — you have a tracking device with a settings screen designed to make you feel like you’re in charge of it.
What is the Librem 5, and how do hardware kill switches work?
Now the reframe that the entire phone is built on. Every privacy feature on a mainstream phone is enforced by software — and software can always be updated, misused, or quietly overridden. The Librem 5 asks a different question: what if the off switch weren’t software at all?
The Librem 5 carries three physical toggle switches on its side, each one a circuit-level disconnect rather than a setting:
- WiFi/Bluetooth switch: cuts power to the WiFi and Bluetooth chips. Off means zero power and zero transmission.
- Cellular/modem switch: disconnects the cellular baseband. No signal, no cell-tower tracking, no exposure to IMSI catchers.
- Camera/microphone switch: kills power to both sensors, so neither harmful software nor a remote command can wake them.
When a switch is off, there is no power flowing to the chip, and no firmware can override an open circuit. This gives you something a permissions dialog never can: physical certainty — verifiable with a multimeter — that the device cannot transmit, record, or report your location. Not a corporation’s assurance. A property of the wiring. The breakthrough isn’t a better privacy setting; it’s removing software from the trust equation entirely, because a switch that interrupts current cannot be patched, misused, or persuaded to lie.
What’s under the hood? PureOS and baseband isolation
The Librem 5 runs PureOS, a Debian-based Linux distribution, on a Qualcomm Snapdragon processor — and crucially, it isolates the cellular modem on a separate M.2 card that cannot reach the main system RAM. This “baseband isolation” stops the modem’s proprietary firmware from snooping on your apps or encryption keys, closing a hole that exists by design on conventional phones.
Two more hardware choices matter. The battery is user-replaceable, and physically pulling it instantly purges the encryption keys held in RAM — useful at a border crossing where you want session data wiped without forensic traces. And all hardware schematics are published, with firmware open-source (the modem still moving toward fully open). You can audit the device yourself or pay someone to, because transparency is the security feature: closed hardware can hide a backdoor indefinitely.
The honesty owed here is about cost. Battery life runs 4–6 hours of active use against 12+ on flagships. Heavy multitasking is slower. And the app ecosystem leans on F-Droid rather than Google Play, meaning fewer apps and older versions. These aren’t footnotes; they’re the daily reality of carrying this phone.
Does the Librem 5 actually prevent tracking?
This is where overselling would be easy and dishonest, so here’s the precise boundary. With kill switches engaged, the Librem 5 genuinely defeats a specific, serious class of threat.
It protects against:
- Remote microphone activation — the switch physically removes power.
- Cellular location tracking — modem off means invisible to cell towers and IMSI catchers.
- Background data transmission — WiFi and cellular both off means nothing leaves the device.
- Baseband firmware abuses — modem isolation blocks firmware from reaching main memory.
It does not protect against:
- Physical theft — your phone plus your key still exposes your data.
- Network-level surveillance — once connected, your ISP and network operators see your traffic leave (encryption helps, but the metadata is visible).
- Being physically followed — kill switches stop electronic tracking, not a tail.
- Malicious apps — an app you install can exfiltrate data while connected, though Flatpak sandboxing on Linux isolates apps better than Android does.
The real win is narrow and valuable: an adversary running a Stingray at an airport, a hacked router, or a rogue cell tower cannot identify or track a phone whose radios are physically dead. The kill switches don’t make you invisible to everything — they make you invisible to the electronic dragnet, which for a journalist or activist is precisely the threat that matters.
PureOS vs Android: the operating system trade-off
PureOS isn’t a hardened Android — it’s a full Linux operating system on a phone, with a real file system, a package manager, and software pulled from repositories you choose to trust.
The advantages are genuine. You can read the source of the OS and most installed software. App isolation runs through Flatpak sandboxing. There’s no telemetry and no forced updates — you decide when to patch. And desktop convergence means plugging into a monitor and keyboard gives you a Linux desktop.
The disadvantages are just as genuine, and they decide this purchase for most people. The app catalogue is small: WhatsApp, Instagram, and Uber have no Linux versions. You need to be comfortable with Linux, because when something breaks you may be troubleshooting from a command line. And development moves slower than commercial OSes, so security patches can lag. For a privacy-first user these are acceptable costs. For someone who needs the full Play Store, the Librem 5 is simply the wrong tool.
Is the Librem 5 worth $1,299?
At $1,299 against $1,000–$1,500 flagships, the real premium is roughly $300–$500 — and you’re buying hardware kill switches and an open OS, not raw performance. Whether that’s worth it depends entirely on who you are.
- Investigative journalist in a hostile country: worth every cent; the kill switches are a survival tool.
- Privacy-conscious professional: worth it only if you can live with the app and battery limits.
- Average user who just wants more privacy: GrapheneOS on a Pixel is cheaper (~$500 plus phone) with far better app compatibility — fewer hardware guarantees, but a better fit.
This is not a consumer product, and Purism doesn’t really pretend it is. It’s a specialist instrument for people who have consciously chosen provable control over convenience.
How to actually run it as a privacy device
The first step is the easy one: flip everything off and turn things on only when you need them.
Highest-privacy default: keep all three kill switches off unless actively using the device, enable the GUFW firewall to gate outgoing connections, install apps from F-Droid rather than Google Play, use Signal for messaging, and Tor Browser for the web.
Travelling or at risk: keep cellular and WiFi off in transit, enable them only for a specific call or a trusted network, power the phone off completely before crossing borders to purge RAM keys, and store sensitive files on a removable microSD card rather than internal storage.
Daily life: plan around the battery with charging breaks, and if you depend on banking or social apps, carry a second “convenience” phone — treat the Librem as your secure device and the other as your disposable one.
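A software-side cross-check for the routine above, as an added example that is not from Purism or the original article: it lists every radio the Linux kernel still exposes under sysfs after you flip the switches. It assumes a radio whose power is cut disappears from the sysfs class directories shown; the `radio_audit` name and the sysfs-root parameter are choices made for this example. A clean result is only the kernel's view, so the multimeter remains the hardware proof.

```shell
#!/bin/sh
# Added example: list radios the kernel still exposes under sysfs.
# Assumption: a radio whose power is cut disappears from these class dirs.
# Usage: radio_audit || echo "a radio is still visible to the OS"

# radio_audit [SYSFS_ROOT]
# Prints one "kind name" line per radio found; returns 1 if any is present.
radio_audit() {
    root="${1:-/sys}"
    found=0

    # WiFi PHYs registered with cfg80211
    for p in "$root"/class/ieee80211/*; do
        [ -e "$p" ] || continue
        echo "wifi ${p##*/}"; found=1
    done

    # Bluetooth controllers
    for p in "$root"/class/bluetooth/hci*; do
        [ -e "$p" ] || continue
        echo "bluetooth ${p##*/}"; found=1
    done

    # Modem control channels (QMI/MBIM) exposed by the cdc-wdm driver
    for p in "$root"/class/usbmisc/cdc-wdm*; do
        [ -e "$p" ] || continue
        echo "cellular-ctrl ${p##*/}"; found=1
    done

    # Network interfaces: wireless ones carry a phy80211 link,
    # cellular ones report DEVTYPE=wwan in their uevent file.
    for p in "$root"/class/net/*; do
        [ -e "$p" ] || continue
        name="${p##*/}"
        if [ -e "$p/phy80211" ]; then
            echo "wifi-iface $name"; found=1
        elif grep -qs '^DEVTYPE=wwan$' "$p/uevent"; then
            echo "cellular-iface $name"; found=1
        fi
    done

    [ "$found" -eq 0 ]
}
```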
Librem 5 vs the alternatives: the honest comparison
| Device | Hardware kill switches | Open-source OS | App ecosystem | Battery | Price | Best for |
|---|---|---|---|---|---|---|
| Librem 5 | Yes (3 switches) | Yes (PureOS/Linux) | Limited (F-Droid) | 4–6 hrs | $1,299 | Maximum provable privacy |
| Pixel 8 + GrapheneOS | No | Yes (Android-based) | Strong (F-Droid + Play Store) | 10+ hrs | $500–$800 | Privacy + app compatibility |
| iPhone + iCloud+ Private Relay | No | No (iOS closed) | Excellent (App Store) | 12+ hrs | $800–$1,200 | Privacy settings + mainstream apps |
| Samsung Galaxy + hardening | No | No (Android closed) | Excellent (Play Store) | 10+ hrs | $600–$1,200 | Convenience with some controls |
The Librem 5 is the only phone here with hardware kill switches. GrapheneOS beats stock Android on privacy but still leans on software controls; iPhone offers strong settings atop a closed OS. The choice comes down to whether you need absolute hardware control or app convenience — and most people, honestly, need the latter.
The limits: what the kill switches can’t fix
The Librem 5 is not unhackable, and pretending otherwise would betray the whole point of provable privacy. The real vulnerabilities:
- Zero-days in PureOS: an unknown Linux-kernel flaw could compromise the OS before a patch ships.
- Supply-chain tampering: a phone modified before it reaches you could carry malicious hardware.
- User error: forget to flip a switch or install a bad app, and the protection evaporates.
- Modem firmware: the isolated cellular modem still runs proprietary Qualcomm firmware you cannot audit.
Kill switches shrink your risk surface dramatically. They don’t erase it. This is a major step toward control, not a guarantee of immunity — and the difference is exactly the kind of honesty Purism’s whole pitch depends on.
Why a physical switch beats a setting
The core argument reduces to one trust question. Software privacy controls are enforced by the same companies that profit from your data. Apple says iOS is private; Google says Android respects you. You cannot verify either claim — the code is closed, the modem firmware is proprietary, and you are left trusting a corporation’s word.
A physical kill switch deletes the trust requirement. No company, no update, no firmware can override physics. Switch off, circuit open, current cannot flow, no data transmitted — checkable by anyone with a multimeter. That matters because privacy isn’t a feature; it’s a precondition for freedom. A hardware kill switch is the line between privacy as a setting someone else controls and privacy as a right you hold.
Frequently asked questions
Do the hardware kill switches really work, or is it marketing?
They work, because they’re not software. Each switch physically interrupts power to the relevant chip, so when it’s off the circuit is open and current cannot flow — a state you can confirm with a multimeter. No firmware or update can override an open circuit, which is the entire reason a hardware switch beats a settings toggle.
Is the Librem 5 good as an everyday phone?
For most people, no — and that’s the honest answer. Battery life is 4–6 hours, performance lags flagships on heavy multitasking, and mainstream apps like WhatsApp, Instagram, and Uber aren’t available on its Linux app store. It shines as a dedicated secure device, ideally paired with a second “convenience” phone for daily apps.
Librem 5 or GrapheneOS on a Pixel — which should I get?
If you need provable, hardware-level disconnection for high-risk work, the Librem 5 is the only option with physical kill switches. If you want strong privacy with real app compatibility, better battery, and lower cost, GrapheneOS on a Pixel (~$500–$800) is the smarter balance for the average privacy-conscious user.
What does removing the battery actually do for security?
Pulling the user-replaceable battery cuts power instantly and purges the encryption keys held in RAM. That wipes session data without leaving forensic traces — useful before a border crossing or in any situation where you want to ensure nothing recoverable remains in active memory.
The verdict: privacy as a physical fact, not a promise
Most of mobile privacy is a story you’re told by the companies that benefit from you believing it. Settings that are really requests. Off switches that don’t disconnect. A baseband you’re not allowed to inspect. The Librem 5’s answer is almost stubbornly simple: stop trusting the story and cut the wire.
It won’t be your daily driver, and Purism is honest enough not to claim it should be. The battery is short, the apps are few, and Linux will occasionally ask something of you. But for the journalist at a hostile border, the activist near an IMSI catcher, the researcher who needs to prove the radio is dead — this is the only phone that turns “off” back into a physical fact instead of a corporate promise. If that’s your threat model, buy it for the certainty. If it isn’t, take the honest path to a hardened Pixel and keep your money. Either way, you stop mistaking a settings screen for control. You start owning the circuit.