[liberationtech] FB-like "Twitter-connect" soon. How can we avoid all this tracking?
Eleanor Saitta
ella at dymaxion.org
Fri May 25 12:07:57 PDT 2012
On 2012.05.25 18.54, Sarah A. Downey wrote:
> Thanks for the thoughtful reply; it makes sense. I could provide you
> with an objective, third-party review, like this one
> <http://download.cnet.com/8301-2007_4-57373684-12/do-not-track-plus-add-on-stops-the-tracking-paparazzi/>
> from CNET, but it doesn't seem like it would make a difference if you
> can't see the source. You make a good point about providing a license
> to independent auditors. If you or anyone else reading this are
> interested in seeing the DNT+ source with those use limitations, just
> email our CTO, Andy Sudbury, at Andrew at GetAbine.com.
Yeah, just an independent review isn't sufficient because a site like
CNET doesn't have the time or the technical ability, quite frankly, to
understand the problem space or determine whether or not you're doing
the right thing. Also, without source access, even if they had the time
and the expertise, they couldn't tell. Furthermore, a one-time review
isn't sufficient, because every time the code changes, without
visibility, we can't tell what changed.
I seriously applaud your willingness to have outside auditors look at
your code under conditions which would make the review meaningful --
it's sadly shockingly rare for closed source products. That said,
because you're a for-profit company, you're much less likely to get help
from the community for free -- if my work as a reviewer is going to help
someone make a profit, it's hard for me to justify volunteering my time
here instead of on an equivalent open project. That's not to say that
this doesn't happen, of course, it's just (much) more rare.
The alternative, of course, is to engage an external security team to
review your source code, and to have them publish all vulnerabilities
they find as well as an assessment of your internal privacy practices,
development practices, etc. Full disclosure: the company I work for,
Stach & Liu, does exactly this for our clients, but I'm not saying this
because I want more work -- I don't know of another model that gets the
community what they need to trust a piece of closed source, for-profit
software in a reliable manner.
Sadly, this doesn't come cheap, and that means that, as the market for
privacy/circumvention/etc. software is relatively small, few businesses
can justify the cost. Also, this can still leave questions on the part
of the community -- it takes the situation from "the company that owns
the software is saying you should trust it" to "that company and someone
they hired to say it's trustworthy say you should trust it"; the
guarantee comes down to the reputation of the external testing company
and the transparency of the review process.
My (strong) preference is still for open source software for anything
which is privacy or security critical, in part because it works around
this issue, and in part because it gives the community more options as
far as modifications, emergency bug fixes, etc., but I'm also not going
to say that if a company has a piece of closed source code and they're
really trying to do the right thing when it comes to making it
trustable, we as a community should turn our backs on them.
E.
--
Ideas are my favorite toys.