On 2012.05.25 18.54, Sarah A. Downey wrote:
> Thanks for the thoughtful reply; it makes sense. I could provide you
> with an objective, third-party review, like this one
> <http://download.cnet.com/8301-2007_4-57373684-12/do-not-track-plus-add-on-stops-the-tracking-paparazzi/>
> from CNET, but it doesn't seem like it would make a difference if you
> can't see the source. You make a good point about providing a license
> to independent auditors. If you or anyone else reading this are
> interested in seeing the DNT+ source with those use limitations, just
> email our CTO, Andy Sudbury, at and...@getabine.com.
Yeah, just an independent review isn't sufficient because a site like CNET doesn't have the time or the technical ability, quite frankly, to understand the problem space or determine whether or not you're doing the right thing. Also, without source access, even if they had the time and the expertise, they couldn't tell. Furthermore, a one-time review isn't sufficient, because every time the code changes, without visibility, we can't tell what changed. I seriously applaud your willingness to have outside auditors look at your code under conditions which would make the review meaningful -- it's sadly shockingly rare for closed source products. That said, because you're a for-profit company, you're much less likely to get help from the community for free -- if my work as a reviewer is going to help someone make a profit, it's hard for me to justify volunteering my time here instead of on an equivalent open project. That's not to say that this doesn't happen, of course, it's just (much) more rare. The alternative, of course, is to engage an external security team to review your source code, and to have them publish all vulnerabilities they find as well as an assessment of your internal privacy practices, development practices, etc. Full disclosure: the company I work for, Stach & Liu, does exactly this for our clients, but I'm not saying this because I want more work -- I don't know of another model that gets the community what they need to trust a piece of closed source, for-profit software in a reliable manner. Sadly, this doesn't come cheap, and that means that, as the market for privacy/circumvention/etc. software is relatively small, few businesses can justify the cost.
Also, this can still leave questions on the part of the community -- it takes the situation from "the company that owns the software is saying you should trust it" to "that company and someone they hired to say it's trustworthy say you should trust it"; the guarantee comes down to the reputation of the external testing company and the transparency of the review process. My (strong) preference is still for open source software for anything which is privacy or security critical, in part because it works around this issue, and in part because it gives the community more options as far as modifications, emergency bug fixes, etc., but I'm also not going to say that if a company has a piece of closed source code and they're really trying to do the right thing when it comes to making it trustable, we as a community should turn our backs on them.

E.

--
Ideas are my favorite toys.
liberationtech mailing list, liberationtech@lists.stanford.edu