The best way to tell whether something is trustworthy is to have actually seen the proof, and for that proof to be reproducible. If there is no proof, then trust is a decision based on belief.
For example, let’s say you ask your boyfriend what he’s doing on Friday night. He says, “I’m going to a baseball game with my dad. Want to come?” You say, “OK, sure,” and then Friday comes and you actually go to a baseball game with him and his dad. In that scenario, how trustworthy was his first answer to your question? It was 100% trustworthy, because you were actually there. That’s proof that what he said was true. You don’t have to believe him because he proved it to you, and as those instances of proof become more common, you’re probably going to be more likely to believe the things he says in the future.
Now let’s say that you asked, “What are you doing Friday night?” and he said, “Don’t worry about it” or “None of your business”, or didn’t respond at all. How trustworthy is that? Not very trustworthy, right? Of course, what’s even worse is if he tells you a lie and you realize later that it was a lie. That’s a huge violation of trust!
Tech products and services can do the same things to either destroy your trust or build it up. It’s probably smarter to invest in the ones that build up your trust.
Where is the proof?
Let’s say you ask Facebook, “What are you doing with all of my private messages?” They’ll say, “Don’t worry about it.” Well, OK, now they’ll say something about “your private messages are private” (see: About personal messages on Messenger, Facebook and Instagram | Facebook Help Center). Problem solved, right? Not really… that’s still not proof. Anybody can type words into a web page; that doesn’t make them true. Facebook’s business is collecting data about its users and selling targeted advertising. They can tell you that your messages on WhatsApp are “end-to-end encrypted”, but where is the proof? Anybody can put those words into an app. End-to-end encryption only means something if you can verify the software at both ends, and here Facebook controls both ends (the closed-source app on your phone and the servers it talks to), not you, so you’ll probably never see any proof.
It would be one thing if the tech company has built up a lot of trust over the years, but Facebook gets caught lying to the public pretty frequently.
Apple does the same thing with their products while also loudly advertising their privacy and security features. The problem is, if you ask Apple for proof of how their systems work you’ll be met with a “Trust me, bro” style response. Well, okay, actually they have web pages full of technical terms and even some diagrams, but again, anyone can type made-up stuff into a web page. Apple likes to try to cover up unsafe work conditions with surveillance/intimidation techniques, so do you really think those kinds of business practices make a company trustworthy?
How does proof work with open-source software?
Open-source software and hardware are much more transparent and honest about what the products do, because they actually publish all of the information about how it works for anybody to read and audit. Usually if you go to the website of a product claiming to be open-source, there will be a link somewhere to the repository where all of the code lives and can be downloaded.
If it’s really open-source, you should be able to build the program from that source yourself, install it on your own devices, and have it work as you would expect. Many systems have server and client components. The client component is the program you install on your phone or PC and use day to day, while the server component is what the client software connects to over the internet.
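One practical form of “rebuild it yourself and check that it is what they ship” is a reproducible-build comparison: build the project from source, then compare the result file by file with the published artifact. The Python script below is an added example, not code from this page or from any project it mentions. It compares two build trees and reports which files differ and which exist on only one side; the two trees created in `demo_compare()` are constructed stand-ins for a local build and a downloaded release, not real build output.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each regular file under root (path relative to root, POSIX form) to its
    SHA-256. Directories and symlinks are skipped; the dict is keyed by path, so
    walk order does not affect the result."""
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests[p.relative_to(root).as_posix()] = file_digest(p)
    return digests


def compare_builds(local_build, published_build) -> dict:
    """Compare the tree you compiled yourself against the tree you downloaded.
    'match' is True only when both trees contain exactly the same files with
    exactly the same bytes."""
    mine = tree_digests(Path(local_build))
    theirs = tree_digests(Path(published_build))
    shared = mine.keys() & theirs.keys()
    differing = sorted(p for p in shared if mine[p] != theirs[p])
    only_local = sorted(mine.keys() - theirs.keys())
    only_published = sorted(theirs.keys() - mine.keys())
    return {
        "match": not (differing or only_local or only_published),
        "differing": differing,
        "only_local": only_local,
        "only_published": only_published,
    }


def demo_compare() -> dict:
    """Constructed example trees (not real build output): both builds agree on
    README and bin/app, differ in bin/helper (a build timestamp baked into the
    binary, the classic reproducibility breaker), and the published tree carries
    one extra file the local build never produced."""
    base = Path(tempfile.mkdtemp(prefix="buildcmp-"))
    local, published = base / "local", base / "published"
    for tree in (local, published):
        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "app").write_bytes(b"\x7fELF same bytes in both builds")
        (tree / "README").write_text("same text\n")
    (local / "bin" / "helper").write_bytes(b"built 2024-01-05T19:02:09Z")
    (published / "bin" / "helper").write_bytes(b"built 2024-01-04T08:41:17Z")
    (published / "extra.bin").write_bytes(b"present only in the download")
    return compare_builds(local, published)


if __name__ == "__main__":
    report = demo_compare()
    print("match:", report["match"])
    for key in ("differing", "only_local", "only_published"):
        for path in report[key]:
            print(f"  {key}: {path}")
```

A mismatch is not by itself evidence of hidden code: embedded build timestamps, a different compiler version, or non-deterministic archive ordering all break reproducibility, and the per-file report is what tells you where to look. Projects that publish reproducible builds, along with the build environment needed to recreate them, turn “trust me” into something you can check on your own machine.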
It’s important to keep an eye out for tech products that claim to be “open-source” when really only the client app is open source while the server software is proprietary. In those cases the company could be doing anything it wants with your data on the server side and you wouldn’t know it. An example of this is the Telegram messaging service, whose client apps are open-source but whose server is not, yet it still claims to be open with “source code free for everyone” on its website, which is a lie, or a half-truth if you want to be generous.
Signal is another popular messaging app/service that also claims to be open-source, and it is much more so than Telegram, WhatsApp, iMessage, RCS text messaging, etc., but there are some half-truths and red flags here too. Signal does publish their source code on GitHub for anyone to audit and download, but there are numerous dependencies on closed-source components. An open-source product with closed-source components is effectively a closed-source product, since those secret modules could be doing anything and you wouldn’t be able to verify or prove what they’re doing. Signal added closed-source components to the server in 2021 as well. You can see it in GitHub – signalapp/Signal-Server: the “spam-filter @ c9a4cb2” entry listed there is a git submodule (that is how GitHub displays a “name @ commit” entry), and if you try to open it… you won’t be allowed to, because the repository it points at is not public.
But they could be running completely different software on their server, right?
Yes, that’s another good question that you should always consider. Signal is a good example of bad behavior in this scenario. Signal requires all users to connect only to Signal’s centralized servers. That means the Signal Foundation has full control over the server software, what it does, and how it processes all of the data that goes through it. Sure, they publish most of their server code for anyone to audit, but they could absolutely be running completely different code on the server without you knowing, because you don’t have access to the server. You have to believe that they’re running the same software. Sometimes that’s hard to believe, because at one point they went almost a year without publishing any server source code updates.
That’s sort of like your boyfriend not responding to your calls or messages for a year and then coming back and expecting you to trust him again right away.
You can probably trust yourself though
So how can open-source software prove to you that it’s trustworthy? Well, the best way is to get you to actually be there and see for yourself. So the most trustworthy software is the stuff that you can completely rebuild on your own hardware in your own network and it will work as expected. You may not want to do all of the work involved to actually do that yourself, but the fact that the developers allow you to do it if or when you do want to do it is a huge green flag for trustworthiness.
For example, I learned to make my own SMTP/IMAP server to use with the Delta Chat secure messaging client. (See: How to make your own Delta Chat Email Server and compete with WhatsApp/Signal/Telegram.) All of the software involved is completely open-source and built primarily on open standards (SMTP, IMAP, OpenPGP), some of which have been in development for many decades. You can download, inspect, and audit all of the Delta Chat client code here.
Below is a screenshot of what a message looks like when it passes through my server via Delta Chat.
Even though it passed through my server, I cannot read it. The body is OpenPGP ciphertext, encrypted to the recipient’s public key, so only the recipient’s private key can decrypt it (Delta Chat exchanges those public keys automatically through Autocrypt headers, and the sender’s public key is no help for decryption). Without that private key it’s just a bunch of useless characters. What I can see is the metadata: the DKIM-Signature header (which names the signing domain and selector, not a secret key), the date/time of the message, and obviously the domain name of the server that it came from.
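To make concrete what a server operator can and cannot learn from a message like the one in the screenshot, here is an added Python example (not code from this page, from Delta Chat, or from any mail server). It parses a constructed raw message with the standard library’s `email` package and reports the routing metadata in the clear (sender domain, recipient, date, DKIM signing domain and selector, whether an Autocrypt public key is attached) and whether the body is OpenPGP ciphertext. Every address, domain, Message-ID, DKIM value and the “ciphertext” in `RAW_ENCRYPTED` are made up; only the structure (RFC 5322 headers plus a PGP/MIME multipart/encrypted body) is real. `plaintext_sample()` builds an unencrypted message for contrast.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

# Constructed sample of the kind of message a Delta Chat client leaves in the
# server's mail spool. Names, domains, ids, DKIM values and the ciphertext are
# invented for this example; the structure (headers + PGP/MIME body) is real.
RAW_ENCRYPTED = b"""\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mail.example.net (Postfix) with ESMTPS id 4F3A2B1C
\tfor <bob@example.net>; Fri, 05 Jan 2024 19:02:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=mail;
\th=from:to:subject:date:message-id:mime-version:content-type;
\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
\tb=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==
From: alice@example.org
To: bob@example.net
Subject: ...
Date: Fri, 05 Jan 2024 19:02:09 +0000
Message-ID: <Mr.0123456789ab@example.org>
MIME-Version: 1.0
Autocrypt: addr=alice@example.org; prefer-encrypt=mutual; keydata=bWFkZS11cC1rZXk=
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="==pgp-boundary=="

--==pgp-boundary==
Content-Type: application/pgp-encrypted

Version: 1

--==pgp-boundary==
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQIMA0k6M6xw9nBKAQ//bWFkZS11cC1jaXBoZXJ0ZXh0LW5vdC1yZWFs
=AbCd
-----END PGP MESSAGE-----

--==pgp-boundary==--
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2).
    The parser has already unfolded the header; whitespace left inside a value
    (common in b=) is insignificant to DKIM and is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, val = item.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def inspect_stored_message(raw: bytes) -> dict:
    """What an operator learns from a spooled message without any private key:
    routing metadata in the clear, plus whether the body is OpenPGP ciphertext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    _, recipient = parseaddr(str(msg["To"] or ""))
    dkim = parse_dkim_tags(str(msg["DKIM-Signature"])) if msg["DKIM-Signature"] else {}

    ciphertext_bytes = 0
    readable_parts = []  # content types of body parts the operator could read
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.lstrip().startswith(PGP_ARMOR_HEADER):
            ciphertext_bytes += len(payload)
        elif part.get_content_type() != "application/pgp-encrypted":  # "Version: 1" stub
            readable_parts.append(part.get_content_type())

    return {
        "sender_domain": sender.rsplit("@", 1)[-1] if "@" in sender else None,
        "recipient": recipient or None,
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat() if msg["Date"] else None,
        "dkim_domain": dkim.get("d"),
        "dkim_selector": dkim.get("s"),
        "dkim_algorithm": dkim.get("a"),
        "sender_public_key_visible": msg["Autocrypt"] is not None,
        "body_is_pgp_ciphertext": ciphertext_bytes > 0 and not readable_parts,
        "readable_body_parts": readable_parts,
    }


def plaintext_sample() -> bytes:
    """Constructed unencrypted message for contrast: same kind of headers, readable body."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.net"
    m["Subject"] = "Friday"
    m["Date"] = "Fri, 05 Jan 2024 19:02:09 +0000"
    m.set_content("Baseball with my dad, want to come?")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("encrypted", RAW_ENCRYPTED), ("plaintext", plaintext_sample())):
        print(label, inspect_stored_message(raw))
```

The point the report makes is the same one the screenshot makes: the operator of the server sees who is talking to whom, when, and which domain signed the message, but a correctly encrypted body stays opaque even with the sender’s public key sitting right there in the Autocrypt header. The DKIM `d=` and `s=` tags identify where the verification key is published in DNS; they are not the key itself.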
But how can I trust that? You could have just made those screenshots in Photoshop.
Correct… You can’t trust this, because it’s just a bunch of text on a web page with a screenshot that could have been faked. It’s not proof to you because you didn’t do it. It is proof to me because I did do it. I was there.
Going back to the original analogy where you went to a baseball game with your boyfriend… you were there, it was true, but did you tell your mom that you were going to a baseball game on Friday? She didn’t go, so she didn’t see the proof. She has to believe that what you said was true. If you want the truth, you have to show up.
Me learning how to make my own messaging server is similar to the level of trust you would get if someone were to teach you how to catch fish and grow potatoes. After you learn how to do it, you can 100% trust that the person who gave you that information in the first place was telling you the truth because now you’re doing it on your own and making your own food. You’re actually there witnessing the proof because you learned how to do it and are now doing it for yourself.
Further Reading
- Why Open Source Software is Secure, Reliable, and Better than Proprietary Software: By Paula Hunter
- You Don’t Trust Open-Source Software? 6 Reasons Why You Should
- Open source considered more secure than proprietary software | TechRadar
- Open source and security: why transparency now equals strength – ScienceDirect
- Stevenson University – How to Identify Reliable Information
- How to make your own Delta Chat Email Server and compete with WhatsApp/Signal/Telegram