How to Assess Whether a Software Program is Privacy-Friendly

Is the software you are using privacy-friendly? Before I begin to share the experience of my personal experiment on quitting GAFAM and propose software alternatives, which are more respectful with privacy, I would like to list some guidelines that can help you assess a software program or an application is privacy-friendly. There are 4 main criteria:

• Source code availability
• Minimum default security
• Architecture
• Funding model

Source code availability

The availability of the source code is an essential issue in determining the security of a software program. In fact, the only possible way to know what any computer application does and whether it actually performs what its creators claim, is to examine its source code. If the source code is not available (which is the case of the vast majority of proprietary software), we, as users, have no way of knowing what the application we entrust our personal data to is doing. For instance: many applications such as WhatsApp or Facebook try to reassure their users that their personal data are irreversibly deleted from their servers once their customers decide to unsubscribe. Nevertheless, without analysing the source code, it is not possible to know for sure whether this really happens or whether the data is simply hidden. Fortunately, there has always been a movement of individuals and organizations that develop open source software, that is, making its source code public. Nowadays, most proprietary software have an open source or a free software alternative.

Minimum default security

The minimum default security refers to all security measures that are present in the software and enabled by default. By “security” I mean all those technical measures that aim to defend the access, the transfer, and the storage of user’s data. The security to consider when evaluating a software program will always be the minimum security set by default. By this I mean that it is almost useless that a software offers the option to set very high security levels if these are not enabled by default, because most users will use the pre-set configuration.

A good way to assess the security of a software program could be asking us a series of questions before using it: what data do I need to reveal to the software in order to use it (e.g. name, surname, telephone number, email address, location, etc.)? Who will have access to this data? How and for how long will this data be stored? What permissions does the software require to run on my desktop/laptop/tablet/smartphone? If the software is used to communicate with other people, who will have access to my conversations? For how long? Can they be intercepted? Are cryptographic methods used to protect my personal data, my conversations or other sensitive activities carried out with the software by saving this information on a device or transferring it between different devices? Trying to answer questions like these will give us an idea about the minimum default security of the software we want to use.

Software architecture

The software architecture, defines the structure, operation and interaction between its different parts. For example, communication software can be developed with a centralized client-server architecture, a federated or a peer-to-peer architecture. A centralized architecture with clients interacting with each other through a single server gives the service provider (i.e. the owner of the server) disproportionate power. This power can be used to monitor our activity (e.g. our communication activity with third parties) but possibly even to block it in an arbitrary and unilateral way. In return, even if a decentralized architecture does not solve the problem by itself (e.g. if many users may access through few nodes), it tends to distribute power more horizontally.

Funding model

The funding model of the company or organization providing a particular software is another very important element to consider when evaluating a computer program or application. We live in the age of data extractivism, and if there are companies like Google that offer their products and services “for free”, it is only in exchange for the huge profits they can make from our data. In return, even if it is not a guarantee, if a certain organization lives through the sale of a certain product/service or through the voluntary financial help of its users, it is probable that it does not have, as its primary objective, to generate profit through the exploitation of our data.

Through these 4 guidelines we can get an idea of how much a certain software or service is privacy-friendly and so respectful with our privacy. Why this is so important for our privacy but also for democracy is explained here. In upcoming articles I will review different software from different categories and give alternatives of more privacy-respectful software and services than those offered by GAFAM.