
Progress that is highly welcome, to be sure. But what about Trust?

In a world of continuous data breaches, exfiltrations, malicious Three-Letter Agencies, incompetent and decades-behind-the-curve legislators, trust is a paramount factor. Trust that a given communication system's first allegiance is to the interlocutors(A), trust that my data won't be subjected to surveillance capitalism, trust that it won't be strip-mined for reflecting advertising right back at me for useless shit I don't want, trust that I can speak my mind without needing to continuously look over my shoulder with one eye peeled for powercenter goons sicked on me by partisan logic.

If you want me to trust your system, show me the complete source code, show me the disinterested third-party security reviews, show me what can happen at the ends, show me that it's not compromised by secrecy laws, along the full chain of custody.

A problem for our age, one step at a time ..

A) See? Even this assumption is a cardinal mistake!

Edit: Trust, but verify. Trust needs to be earned.




> If you want me to trust your system, show me the complete source code

I think this is a bit extreme and not really plausible for something like messenger at its scale.


> If you want me to trust your system, show me the complete source code

Sounds like you set yourself up to never trust anything.

I mean, do you fly on airplanes without having inspected the flight code? Or do you put your money in a bank without having inspected the accounting code?


I don't think it's necessary for everyone to fully review the complete source code themselves. But having it available for applications at a serious enough scale would allow the community at large to proof the vendor's claims about secure encryption. And at Facebook scale I would be satisfied that I'd hear about it if the encryption turned out to be a lie.


Airlines and banks do have to prove compliance with formal standards via audit to operate. These audits often require revealing some code to regulators under NDA. So our trust in them stands on sturdy ground compared to the offerings from the big tech companies.

I don't need to see the code for it to fail my audit though:

- Phone number attached to real identity is required

- Metadata is not e2e

- Contact list is not e2e


Even if you did, how would you know that the airline or bank is running a binary generated from that code? Would you also need to check the compiler? How do you know which compiler was used?


These examples do not work. If a plane fails, everyone would know it immediately. If money disappears from my account, at least I would know it immediately. The problem with privacy is that if it's broken, I wouldn't know it. So we have to spend all our life in blind trust, and it's insufferable.


> But what about Trust

I finally took off my pink-tinted glasses when I noticed they restored old deleted messages once they released the new Messenger, the one we have today which replaced the old Facebook chat feature.

Probably it was for my "convenience" but what do I know /s.



