> And we should be able to check that they really work.
How? Seriously, if you don't trust a hardware switch to work as advertised, then you probably don't trust software correctly to report the state of the hardware; so what would you trust? (I wish that I could say that I think you're being paranoid, but I don't; I just wonder what a zero- or minimal-trust proof of disconnected hardware would look like—short, presumably, of something like a visible air gap that could only be implemented at considerable expense to the portability of modern electronics.)
Do what Edward Snowden does: physically remove the microphone circuitry from your phone, then plug in earbuds if you ever need a microphone to talk on the phone, etc.
I'm guessing he probably didn't buy the new iPhone 7...
Now there's an interesting thought. How much access do the new headphones have to the rest of the device - they're not just a simple analog connection any more. Do they have DMA?
Physics. There not being an unnoticed second camera/microphones/etc.
If your main concern is that your computer will be used to spy on your physical life, then having verified switches can give you confidence from first principles that it has no way of observing you (modulo secondary sensors that you did not notice).
> having verified switches can give you confidence from first principles that it has no way of observing you
Right, but this is what I meant to ask: how does one verify a switch that has been manufactured by someone else? I suppose that an electrical engineer could check the schematics, but how do you verify that the actual hardware in your device matches the schematics?
Switches are very simple devices. If the switch mechanism is not enclosed, it is easy to look at one and see that the input leads are separated from the output leads by an air gap. Of course, a sufficiently motivated attacker could still work around this (e.g., by finding a side channel, or having the plastic of the switch be somewhat conductive). However, these attacks are far more difficult, and far less plausibly deniable.
> Switches are very simple devices. If the switch mechanism is not enclosed, ...
Sarcasm, I hope? I spent an hour this weekend replacing some micro switches in some decrepit robots. These are about 5mm^3, which is pretty tiny, but huge on the scale of a modern phone. They are basically hunks of plastic with a button on one side and six or so leads coming out the other side. No, you can't open them up and see the air gap without destroying them. And yes, they are small enough to easily contain a full CPU, some flash memory, and a few sensors, even though they only really need a few sliding metal and plastic bits.
Sorry if I wasn't being clear. My point is that it is possible to have switches that are easily verifiable. Most switches that exist are not because there is no motivation to make them so.