The Question of Trust

About once a week or so, I see a post in the privacy community that says something along the lines of “If Product X is open source, how do we know The-Company-Behind-Product-X hasn’t just modified the public code to look good while secretly running something else on their servers?” The short answer is: we don’t.

You Always Trust Someone Somewhere. Always. Period.

My dad is one of those “I walked uphill in the snow both ways to school” types. In his defense, this isn’t always a bad thing. His attitude did teach me a lot about self-reliance, taking initiative and control of my own future, and self-improvement. It was a good thing. But I remember one time where I was completely broke through no fault of my own. I don’t believe in playing the victim. Almost always you got yourself into a situation and you should take responsibility for that. But sometimes things happen that are genuinely out of your control and you truly are the victim. It’s rare (on an individual level) but it happens. I had three sources of income at the time and all three failed to pay me for reasons that – in all three cases – were legitimately out of my hands. I’ll never forget my dad telling me that it was my fault, that I should never trust anyone for anything and there had to have been SOMETHING I could’ve or should’ve done differently. To this day, over a decade later, I insist my dad was full of crap in this instance.

The fact is, you ALWAYS put SOME measure of trust in SOMEONE SOMEWHERE. Always. Period. Without question. You trust that your boss is going to pay you when you show up for work. You trust the other drivers to stay in their lanes when you drive (for the most part). You trust the food you get at the grocery store to be safe. You trust the construction of your home. You are ALWAYS trusting SOMEONE at SOME POINT. Even if you demand to be paid up front, you’re trusting that the check won’t bounce. Or that the economy won’t suddenly spiral into a recession with hyperinflation. Or that your bank won’t spontaneously close your account. Or that they won’t give you counterfeit bills. You are ALWAYS trusting SOMEONE SOMEWHERE. End of story. Period.

Trust and Due Diligence

The privacy community is a paranoid one. Sometimes that’s good, and sometimes that’s bad. A little paranoia is a good thing in a world where data breaches aren’t disclosed, apps and services lie about what they’re really doing, and companies are aggressively going out of their way to track you. But too much paranoia is bad. Uncontrolled paranoia can lead to problems like anxiety, depression, suicidal thoughts, and legitimate mental health concerns. (If you suspect you might be spiraling or have spiraled into that territory, please seek help. You are not alone.)

The point is that it’s about balance. Trust should not be blindly given in almost any context. You wouldn’t hire a random person off the street to babysit your kids, you wouldn’t pick a bank you’ve never heard of to manage your money, and you shouldn’t pick services you haven’t researched to safeguard your sensitive information, metadata, and communications. You should absolutely do your research. Is the company/app/service well respected? Do they have a track record of putting their money where their mouth is? They may be open source, but have they been audited? Has anyone expressed any legitimate concerns about their practices?

The key word there was “legitimate.” Lots of people dislike ProtonMail because it costs significantly more money than Tutanota, but their list of complaints ends there. While that may be a deciding factor for you, it doesn’t make ProtonMail any less trustworthy or reliable. As you research a product or service in the privacy community, you will find no shortage of people who have minor complaints about a product. “They’re based in the United States.” “They use X programming language instead of Y.” “They could be more secure if they did ABC.” It’s the privacy equivalent of someone who prefers vinyl over CD. They’re not technically wrong, but you risk getting lost in the weeds. If you’re so obsessed with finding the perfect turntable, cables, speakers, signal processing, and so forth, you risk never actually listening to the music.

Instead, focus on legitimate complaints. Are they owned by an advertising company, or a company with a history of packaging malware? Has their code been audited? How do they make their money? If a product is free, you are the product, so if they don’t have a paid model of some kind they’re probably not very trustworthy. Are they using encryption that’s known to be weak? Does their privacy policy state they log information that you find troubling? Are there credible whistle-blowers from inside the company who have made troubling claims or leaked documents that suggest troubling practices? These are all legitimate complaints. “They cost too much” or “I don’t like their mobile app” is not a legitimate complaint.

Trust Varies

There is something to be said for individual levels of trust and threat modeling. I use Signal as my primary messenger of choice. I do this because I have a VoIP number that I use only for Signal and nothing else. Anyone who searches my Signal number will find very little information about it or me. I can safely hand that phone number out like candy without fear of sacrificing my privacy. Not everyone has access to a VoIP number though, and thus they may only be able to use Signal by using their real phone number, and that may be a risk they don’t want to take. That’s not to say that Signal isn’t trustworthy. It has repeatedly stood up to scrutiny, auditing, and data leaks, and has shown itself to be a reliable, secure messenger. But because of its limitations, it’s not right for everyone. Others may choose to use something like Wire or Wickr because they don’t rely on phone numbers. Your specific threat model determines what’s right for you, and picking one service over another doesn’t necessarily mean you don’t trust it. I don’t use Matrix myself, but I still recommend it on my site.

At the end of the day, however, you have to trust something somewhere along the line. The goal of this site is not to remove trust. That’s impossible. The goal is to teach you how to evaluate things for yourself and decide the right level of trust. If your goal is simply to communicate securely (and cheaply) with family in another country, Signal is great. Even something like WhatsApp or Telegram is technically acceptable. But if your goal is to protect a whistle-blower who’s revealing top-secret information to you, a journalist, then you need a higher standard of trust.

You can find more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work on Liberapay.