Why prefer open source when it doesn't necessarily mean secure?

Being proven in some way to be secure and/or private. Proving it could entail auditing the software, looking at the design and technologies used, etc.

3 Likes

OK, and can I see if the app is audited and proven to be secure and private?

Steve Ballmer, is that you?

2 Likes

Being open sourced is not equal to being trustworthy but it’s a prerequisite to that.

4 Likes

I fully agree with that, but would like to add a precision (in my personal opinion): non-free software can also be trustworthy.

Notably, it depends on how far you push the open source requirement. For example, Proton’s software is all open source, except their server software. Does this make them untrustworthy? No.

Additionally, it’s possible for non-free applications to be audited, and to be trustworthy. Usually though, there isn’t a reason for a free application to be private, but not open source. The servers make sense, as without them being non-free, it wouldn’t be as easy to make money from them.

Paid applications can be non-free and still trustworthy. Most paid applications are non-free, since, as stated previously, it’s not as easy to make money from paid applications that are open source.

Tl;dr: my philosophy is: you should always use open source software when possible, for both privacy and freedom. But, you should always make sure this software is trustworthy first. And, if you need non-free software for something, you should, provided it’s trustworthy, not write it off due to it not being open source.

3 Likes

Wow, this is a debate that’s been raging inside me ever since I first came across open source software back in 2001 or so.

I was about to create a thread about this but it seemed better I just reply to this thread instead.

My big question comes in regards to the money that a closed source user is giving to the closed source app developer: Doesn’t this money payment give the closed source app developer more incentive to not share personal user data and maintain user privacy as best as they can?

I think that:

  1. Open vs closed source
  2. Paid vs Free applications

Are independent variables. FOSS software can be free or paid, and Proprietary software can be free or paid. It seems like you are conflating these two factors in a way that they can’t/shouldn’t be.

Doesn’t this money payment give the closed source app developer more incentive to not share personal user data and maintain user privacy as best as they can?

Setting aside the fact that probably most closed source apps are free (either freemium, ad-based, VC-backed, or monetizing your data), it doesn’t have to be an either-or scenario. An unscrupulous or oblivious developer can charge you, and still violate your privacy or monetize your data. For instance, big companies (like Google, your ISP, your mobile carrier, or Amazon), or a single independent developer making some small mobile app, or a VC-backed company trying to squeeze every last dollar out of their software.

I think you are on the right track, thinking about choosing software where the developers’ incentives are aligned with your own/what is best for users (and paying for the software you use is a great way to do this), and thinking about the sustainability of the business model, but I’d encourage you to disentangle those considerations from whether software is open or closed source (or somewhere in between (source available)).

But even only considering cost-free open source software, I think that because the code is publicly available and because there is some level of community scrutiny and in some cases professional scrutiny (and a community that is very touchy about privacy abuses and anti-features), FOSS projects that abuse user data typically get weeded out if they have even a modest userbase, because a FOSS project that violates user trust will most likely just be forked or abandoned. It’s not something we can or should count on, but I think we can count on it more than we can count on closed source software with no oversight. As others have said, I see FOSS (or at least source available) software as (almost) a prerequisite for trust, but not a guarantee.

2 Likes

That’s only the case for products/services whose primary selling point is privacy itself and that had the bad luck of actually growing a user base primarily inside the privacy community. In that case, privacy mishaps will damage the company’s reputation and may drive clients away.

For all the rest, users simply don’t care about privacy. So why choose one source of revenue when you can have two? Or three? Or four?
Why should your phone operator/ISP be content with the subscription fees you pay them? Why can’t they sell your semi-anonymized data to advertisers? Why can’t they also sell your full raw data to spy agencies?
Same goes for your car. Why should Toyota (or any other) be content with a one-off profit from selling you a car, when they can racket you into paying for yearly revisions in exchange for not losing your warranty? Then selling your driving-style data to insurers who can use that info to assess your risk? Then selling the contents of your messages to advertisers? Then selling your real-time location and audio recordings to the government?

The answer is: there’s absolutely no reason for them not to do any of that, because users just don’t care, so there are absolutely no consequences whatsoever. And also, some game theory: since they all do it, what CAN you do about it? Oh, you’re not going to buy Toyota anymore? Good luck finding any vehicle that won’t sell you out. Or phone provider. Or smart TV. Or smartphone. Or door camera.

But not software. Because with open source, people can actually verify what it’s doing. That’s why even evil companies, like Google, who have open-source products, like Android, must hide their evil spyware in closed-source components, like Google Play Services. It’s one thing for Apple to spy on you covertly with its closed-source products, and another completely different thing to do it openly. Not even Google has the balls to do it in the open.

And finally, for open-source projects: even though they have an incentive to sell you out, they can’t (and most of them are actually unwilling to). And that’s why pure open-source projects usually struggle financially, scramble to get donations (all of them), try to find sponsors (like Mozilla), give up and sell out (like Simple suite) or just go under and abandon their projects.