> As such, they need to prove we can trust them before we accept this at face value. They have not done so.
This is ultimately a trust relationship with your vendor. There is nothing they can do but be trustworthy.
Don't say, "open sourcing." Open sourcing code doesn't assert much of anything about the binaries you have running. Sourceless propagating binary behavior is 30-year-old technology.
You see, there's no way for users to know what data is being collected and sent today, or what they might change and decide to collect tomorrow.
What if government wants access to this data? What if some hacker gets access to the data or their methods of collecting it (MitM)?
As such, they need to prove we can trust them before we accept this at face value. They have not done so.