We have to trust you

Many times I read articles in which senior executives of companies swear that the information passing through their cloud services is never handed over to government agencies. They back this up with technical terms such as end-to-end encryption, or whatever mechanism with a fancy name is in fashion at the time.

The thing is that as long as your information travels through one of their servers, using the client they provide on your side, anything could happen: they could read it, store it, or do whatever they want with it. There is no way for us to verify that they actually use end-to-end encryption, or to check that the client on our devices behaves as claimed. Consider that the client could keep a record of your communications and transfer it at some later time, using clever techniques (small uploads, hidden in ordinary-looking traffic) so that the activity raises no suspicion.

Image from 1-fix.com

I know it sounds like science fiction, but it is feasible, and it is so regardless of whether the software is open source or not. Even when you use open source software, there is no way to guarantee that the binary you are running matches the source code posted publicly. You would have to at least compile everything from scratch and deploy it to your own environment, and even then a comparison with the vendor's binary is only meaningful if the build is reproducible, since timestamps and other build metadata will otherwise make two honest builds of the same source differ. This is something that very rarely happens. Most of the time, especially with smartphones, you will have to install proprietary software (so-called blobs) just to make your device run.
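The check described above, compiling from the published source and comparing the result byte for byte with what the vendor ships, as an added example that is not part of the original post. The "source tree", the "shipped" artefacts and the build function (a zip of the sources, standing in for a real build) are all constructed here for illustration. It also shows the caveat: the same honest source built with a different clock produces a different digest, so the comparison only proves anything when the build is reproducible.

```python
import hashlib
import io
import zipfile

# Constructed sample "source tree" of a hypothetical messaging client.
SOURCE_FILES = {
    "client/main.py": b"from crypto import encrypt\nsend(encrypt(read_message()))\n",
    "client/crypto.py": b"def encrypt(m):\n    return box.seal(m)\n",
}

# A pinned build date, in the spirit of SOURCE_DATE_EPOCH, so that the
# archive does not depend on when it was produced.
PINNED_CLOCK = (2024, 1, 1, 0, 0, 0)


def build(files, clock=PINNED_CLOCK):
    """Stand-in for a build step: pack the sources into a zip archive.

    Files are written in sorted order with a fixed timestamp and fixed
    permissions, so the output depends only on the file contents and on
    `clock`. Returns the archive bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=clock)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, files[name])
    return buf.getvalue()


def digest(blob):
    """SHA-256 of an artefact, the value you would compare with a published hash."""
    return hashlib.sha256(blob).hexdigest()


def matches_source(shipped_artifact, files):
    """Rebuild `files` from scratch and check that the vendor's artefact is identical."""
    return digest(shipped_artifact) == digest(build(files))


# Case 1: the vendor ships exactly what the published source produces.
HONEST_SHIPPED = build(SOURCE_FILES)

# Case 2: the shipped client has an extra line that also uploads the
# plaintext elsewhere (constructed example of a modified client).
BACKDOORED_FILES = dict(SOURCE_FILES)
BACKDOORED_FILES["client/main.py"] += b"upload_to_third_party(read_message())\n"
BACKDOORED_SHIPPED = build(BACKDOORED_FILES)

# Case 3: honest source, but built with a different clock. The content is
# the same, yet the digest differs, so a mismatch here proves nothing.
UNPINNED_SHIPPED = build(SOURCE_FILES, clock=(2024, 1, 1, 0, 0, 2))


def summary():
    """Return the verdict of the source-to-binary comparison for each case."""
    return {
        "honest": matches_source(HONEST_SHIPPED, SOURCE_FILES),
        "backdoored": matches_source(BACKDOORED_SHIPPED, SOURCE_FILES),
        "unpinned_clock": matches_source(UNPINNED_SHIPPED, SOURCE_FILES),
    }


if __name__ == "__main__":
    for case, ok in summary().items():
        print(f"{case:15s} matches published source: {ok}")
```

The third case is the practical problem: without a pinned timestamp (and, in a real build, a pinned toolchain, locale and file ordering) two honest builds differ, so you cannot tell an unreproducible build from a tampered one by comparing digests alone.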

The message I want to get across is that you should not buy any claim of "we don't read your messages" just because it comes from a well-known CEO. What should be clear in your mind is that we have no choice other than to trust that person's word. Whether he is being honest or not, we will probably never know.

Some articles about what I mean: