Particularly since Edward Snowden made his shocking NSA revelations almost two years ago (that we are all being spied on all the time by shadowy and unaccountable government spy agencies), there is a growing awareness of security and privacy issues among the general public, and consequently a growing interest in ways to protect against all-pervasive government and commercial (Google et al. are among the worst offenders when it comes to compromising privacy) surveillance and exploitation of our data.
This has led to a rash of products being released which are aimed at cashing in on this surge of interest. Unfortunately, many of these products provide very little in the way of real security, offering an illusion (for a price) of privacy and security that is either totally misplaced at worse, or impossible to verify at best. Even the most well-meaning and honest company can be compelled by its government to decrypt data and spy on its customers if it has the means to do so.
So how can we know that software and services are genuinely secure and private? Well, unfortunately there are no 100 percent guarantees in this life, but the two greatest assurances that your data is private, and that your software is doing what you expect it to (and only what you expect it to) are end-to-end encryption, and open source (or at least source available).
Any security or privacy product that does not use end-to-end encryption and is not open source should be viewed with the utmost suspicion, and our general advice is to avoid avoid avoid!!! (See our notes on exceptions and edge-cases below, however.)
Many ‘encrypted’ services (such as Dropbox, Gmail etc.) will encrypt you data so that it cannot (at least in theory) be accessed by outside hackers. However, because it is these services that are doing the encrypting and decrypting (i.e. they hold the encryption keys), they can (and do) monitor the contents of this data (this is Google’s core business model after all), and can (and do) hand unencrypted data over to governments’ when required to do so.
The solution to this is end-to-end encryption, where data is encrypted by you on your own device and where you (and only you) hold the encryption keys (unless you choose to share them).
In this scenario a service provider cannot inspect your data (and possibly hand it over to authorities or use it to deliver targeted advertising), because it does not hold the encryption keys, it simply cannot access it.
This however still leaves a problem that is present in many ‘end-to-end encryption’ products currently on the market… how do you know that only you have they encryption keys (and a copy is not being secretly sent off to a third party), or that the encryption used is as strong as is claimed (or even worse, has been deliberately tampered with?)
Worries such as these may sound overly paranoid and delusional, but time and again the facts show that the NSA and its ilk routinely go to almost any lengths in their quest to hoover up all data, and it stands to reason that users of encrypted products will be of particular interest to them.
The answer is…
The best guarantee that we have that a product is doing exactly what is says it is doing (and nothing more) is for it to be open source (or at least source-available). This means that the code is openly available for anyone to inspect for weaknesses or malicious code, and is therefore the best guarantee that we have that a program can be trusted.
Unfortunately this solution is not a perfect one, as many programs are extremely complex, and the number of qualified researchers with the time and inclination to fully audit them (usually for free) is very limited. The result is that the vast majority of open source software has never actually been audited (and it has, then this is likely very perfunctory).
Nevertheless, the fact that the code can be audited provides the best guarantee we can generally have about its integrity.
Our advice to anyone when considering a product aimed at protecting their data is to ask: does it use end-to-end encryption, and is it open source? If so then it probably merits further attention, if not then walk way!
Exceptions and edge-cases
In reality, of course, things are not always so clear-cut. We will discuss some concrete examples of such cases, in the hope of both showing how the exceptions prove the rule, and to illustrate the sort of considerations that need to be made when thinking about security software.
Many VPN providers offer closed-source dedicated OpenVPN clients which can offer a number advantages over the basic open source OpenVPN software (although just about every provider also supports use of open source clients).
Although we generally recommend against using closed source software, the nature of VPN technology makes this a rather moot issue, as a VPN provider can always see all data that passes through its system anyway (should it choose to). As we must trust a provider with our data anyway, it seems rather pointless to worry about whether the software it uses is open source (we discuss this subject in further detail here).
Good anti-virus and anti-malware software is essential, but continually maintaining and updating such software so that it can effectively protect us against the ever-growing barrage of new threats requires time, expertise and resources that only a commercial enterprise can really provide.
It is therefore an understandable (if unfortunate) fact that almost all anti-virus software is proprietary (closed source). Open source software in the form of ClamWin (Windows) and ClamXav (Mac) does exist, but is not as effective at protecting your computer as commercial alternatives.
Fortunately, the anti-virus software that comes with Windows and OSX (which are themselves closed source, but that is a rabbit hole we won’t go down here) is now pretty good, but if you feel that you need extra protection then the security benefits of commercial software may reasonably outweigh any concerns about not being able to see what their code is doing.
This secure Swiss based webmail service (see review here), illustrates another point nicely. It uses closed source software (boo!), but a team of well-known and respected cryptographers have volunteered (for no payment) to oversee the project and audit the code for backdoors and other nastinesses.
We would much prefer that all the code was open source, but a strong argument can be made that because it has been independently audited by respectable experts in the field, it is more trustworthy than open source software that has never been audited at all…
Open source software using end-to-end encryption should be your go-to criteria when considering security and privacy programs, as they provide by far the best guarantees available that you data is safe.
Although other consideration can come into play, they should be treated with the utmost caution, and the alternatives given a great deal of thought before any level of trust is placed in them. Here at BestVPN our policy is to only review software that is open source and uses end-to-end encryption, unless there are very strong mitigating or overriding factors that might lead us to consider it.