I’ve seen more and more people moving to self-hosted solutions and other services offering more privacy options. I don’t blame people for doing so because I’m doing the same thing. With more and more companies harvesting their data for “legitimate interest” (see also “Why I don’t have ads on the side”) it’s concerning to me the amount of data that we are sharing with companies the size of small countries.
Since people are concerned about privacy, it’s legitimate that when people check a tool, they ask if it is safe. It doesn’t make sense to go to all this work to set up a new tool, analyze it, and then end up in the same place (or worse).
So I see this question all over the place. “Is it safe?” It’s a fair question and something that makes sense to ask, but I also know the answer it gets everywhere I see it asked: “The code is available, so look at it and analyze it for yourself.”
I get angry with this answer, so let’s examine why people answer this and why it’s a horrible way to answer.
Before I continue: there are many oversimplifications in this article. Going into technical detail is not the point here, so I use examples to explain certain complex things.
Why do they answer like this?
Because, technically, it’s true. If the code is available online via open source or other initiatives, it’s possible to look at it. Also, for some people, it is a way of saying, even without noticing it, “I know how to code,” and that’s something that many people (me included) are proud of. It’s a complex skill to learn and maintain, so you should be proud of it. But this doesn’t help anyone, right?
The person has the same information as before and is now frustrated because they feel that they are not a part of the “club” and are not smart enough to understand the code.
Why it’s wrong.
Any service or platform is (with minor exceptions) a series of dozens to thousands of files, each with hundreds to thousands of lines. Analyzing this information is hard since each person may organize things differently. Just ask someone who does this for a living, and they will tell you that analyzing a codebase is hard, especially one that is established and has years’ worth of baggage and mistakes. So asking someone to do this, even an expert, is asking a lot.
It’s even harder when you don’t speak the “language”. Programming languages share many similarities, but each has its syntax, and it could be hard to read. For example, if you’re American and I give you a Portuguese book, you know that the phrases end with a period and that there are verbs in the text, but knowing if a phrase makes sense is hard to analyze if you don’t speak the language. If you’re Portuguese like me, it’s easier but not straightforward.
Finally, there’s something called “dependencies”. Dependencies are pieces of code and logic written by someone else. Think of it as the payment terminal at your favorite restaurant. When you use it to process a payment, you’re not concerned about how it works. It just works. You “delegate” the security validations to the company/service that provides it. The same happens in code. Developers import external code into the solution and use it as a “black box”, sometimes (if I’m being generous) not knowing if the code is safe or not. No one analyses all of the code’s dependencies. In some cases, it’s quite impossible even for huge companies, let alone small or single-developer companies like mine. So you trust people and trust that “someone else” checked the code. Like someone else read those terms and conditions that we didn’t read either, but that’s another discussion.
So, asking someone, even an expert, to analyze the code as a solution is profoundly flawed, but asking it of someone who is not trained or “doesn’t speak the language” is simply wrong.
What’s a better answer?
If you don’t know, don’t say anything. That’s a given. If you know something, share what you know and what you found. This has two advantages. First, if you spend 5 minutes looking at the tool and find something that “doesn’t smell right,” then say it and justify it. People can then read it and make up their own minds. Second, people can build upon your investigation, find something else, and share it. Building this knowledge base will help answer the question in the first place and, above all, help people learn in the process.
If you’re an expert and have checked the code, say so. Then, even when someone says, “Just read the code,” you can do the public service of having done it and saying you didn’t find anything. People don’t do this because they are scared to look bad if someone else finds something, but this happens daily. We check, don’t find anything, and then someone finds something (like the xz backdoor, for those who followed this excellent/scary case over time).
Final Thoughts
This was supposed to be a “quick” take, so I’m sorry for the wordy response, but it’s important to me to explain things so that people can understand. If you disagree, that’s fine! My objective is not to convince anyone but to show a different perspective.
You can follow me on Mastodon (new account), Twitter (I’m getting out, but there are still a few people who are worth following) or LinkedIn. Or email works fine as well 🙂
Photo by Callum Shaw on Unsplash