7 min read Blog

The Question of Trust

The Question of Trust
Photo by Cytonn Photography / Unsplash

Skepticism gets a bad rap.

Skepticism is defined by Wikipedia as "a questioning attitude or doubt toward knowledge claims that are seen as mere belief or dogma." In other words, it's about questioning things that have no evidence or may seem outdated. Maybe there's a reason things are that way, maybe there is evidence you aren't aware of, but it's worth asking questions lest we stay stuck in doing the same ineffective thing over and over.

The problems with skepticism come in when people start asking questions "for the sake of it." This is where we start to come up against the "conspiracy theorists" and people who move goalposts, never satisfied by any amount of evidence and refusing overwhelming, solid evidence.

So where's the line? At what point is it safe to trust the evidence - or even lack thereof - and at what point are we being paranoid?

Seeds of Doubt

If you hang out regularly in privacy communities, it doesn't take long before you start seeing people ask "what if a company isn't being honest?" We expect that out of companies like Facebook, Amazon, and Google who's lack of transparency is a feature and not a bug designed to ensure they can continue to exploit us without oversight or accountability.

But sometimes people ask this even about privacy-focused services, particularly services like VPNs or messengers. "What if they're running a different code on their servers that secretly puts my data at risk?"

To be clear, this is definitely a question worth asking. It doesn't take a lot of digging to surface a history of honeypots like the ANOM operation or Crypto AG scandal, but there's also no shortage of suspected vulnerabilities - intentional or otherwise - in good-faith open source projects, like the infamous (but unconfirmed) claim that the NSA tried to weaken RSA encryption, the recent xz utils backdoor attempt, and just last year's compromise of Notepad++.

So with that in mind, how can we exercise a healthy level of skepticism without spiraling into paranoia? How can we know who to trust?

You Always Trust Someone Somewhere

Let's start by addressing the elephant in the room: "zero trust" in the most extreme sense is impossible. A lot of the more hardcore enthusiasts argue that you should never trust anyone anywhere. According to them, everything should be self-hosted locally, with heavily-locked down networks and all open-source projects.

I wonder how many of those people are fluent in code and analyze every line. Even for those hardcore extremists, it's virtually impossible that they didn't miss something.

For the ultra-paranoid, many YouTubers like to spread FUD about secret backdoors hardcoded into chips that pass your data via undetectable side channels (with no evidence for their claims, it should be noted).

But consider this: when you go to work, do you always demand to be paid in advance or do you show up and trust your boss to pay you? When you drive, how do "verify" that others will stay in their lanes? How do you guarantee that the walls won't collapse in your home or that your food is safe to eat?

In every scenario I can think of, trust is necessary at some point. None of us can promise something is 100% free of risk or create a completely, truly "trustless" environment. Instead, we practice "mitigation" more often than not to reduce risk and fallout from a "catastrophic failure."

The key part of healthy skepticism is accepting this fact. There is a certain amount of trust that is simply unavoidable. Refusing to accept that leads to spiraling paranoia because there's always some new point in the chain where a theoretical compromise could happen.

"I thought using loops was cheating, so I programmed my own using samples. I then thought using samples was cheating, so I recoded real drums. I then thought that programming it was cheating, so I learned to play drums for real. I then thought that using bought drums was cheating, so I learned to make my own. I then thought using premade skins was cheating, so I killed a goat and skinned it. I then thought that that was cheating too, so I grew my own goat from a baby goat. I also think that is cheating, but I'm not sure where to go from here. I haven't made any music lately, what with the goat farming and all."

Due Diligence

All that said, we're not powerless. I'm not advocating that we just give up and accept things without scrutiny.

First off, part of skepticism is knowing how to properly evaluate a claim. I wrote about this extensively in my recent "Critical Thinking 101" blog. If you haven't read it, now is probably a good time since that's a critical part of deciding whether or not you trust a service.

Critical Thinking 101
In college I took a Philosophy 101 class, mostly just to fulfill the credit requirements. Ironically, this ended up being one of the most insightful and important classes I ever took, as about half the class was an emphasis on critical thinking, specifically in the context of “how to evaluate
The New OilNathan Bartram

As I said earlier, skepticism becomes a problem when it becomes more about being contrarian than genuinely seeking answers. There's absolutely nothing wrong with asking questions like "how can I trust Signal?" or "what if the provider is running different code on their servers?"

Skepticism goes too far when people have unrealistically high expectations and start cherry picking evidence or arguments. There's a healthy balance between "trusting nobody ever" and "blind naivety."

Contrary to popular claims, Jesus did in fact encourage us to judge people:

You will recognize them by their fruits. Are grapes gathered from thornbushes, or figs from thistles? (Matthew 7:16, ESV)

What this means is that we're supposed to judge people based on their behavior: generally speaking crappy people do crappy things and vice versa. We can apply this same logic as part of our criteria to judge the projects we're considering trusting: do they have a history of acknowledging when researchers find flaws and fixing it? Are they transparent about their limitations? These kinds of behaviors indicate a company who's making a good-faith effort to deliver what they believe to be the best possible product vs a company who's trying put lipstick on a pig to pump up value for an IPO or acquisition.

is this post bringing you value?

The New Oil is supported by our audience. If you're getting value out of our work, please consider supporting us.

Support Us!

Trust Varies

So how do you know when you've done enough due diligence? How do you know when you've gone too far?

In the privacy space, we preach threat modeling to death, but threat modeling isn't a practice limited only to privacy or security. We do "risk assessments" in nearly every area of our lives. Is it worth driving in the rain - with the risk of getting wet or losing control of your vehicle - to get to wherever you want to go? Would it be better to wait until the rain passes or lightens up? Are there things you can do to minimize risk, like taking an umbrella and ensuring your tires have plenty of tread?

We can apply the basic ideas behind threat modeling to our "trust" practices, too. I personally have two computers: Windows 11 and Qubes. I largely use Windows for gaming and editing videos and Qubes for more sensitive communications or research. Since most of my videos will become public at some point and games are just games, I don't really have to place a lot of trust in Windows. I still do things to try to reduce the amount of telemetry and remove the AI, but at the end of the day the stakes are quite low if I mess up: maybe you see an early incomplete draft of a blog post or video, or you know that I'm a very casual Civilization player. The horror. It's just another version of threat modeling: how bad are the consequences if I fail? Not very bad.

Not every tool we use has to be able to withstand a physical compromise from the NSA, especially if there's nothing really worth protecting there. Sure, it's the principle of the matter, but pick your battles.

Putting It Into Action

Here's some actionable takeaways to help you find the balance of being cautious without being paranoid:

  • Remember that nothing is perfect. There is rarely - if ever - a "perfect tool." This goes for security ("nothing is unhackable") but also for the advice listed here. Nothing can ever prove that a product or service is completely trustworthy. Eventually you'll just have to decide that there reasons you should trust something outweigh the reasons you shouldn't.
  • Open source helps. Open source software is not a guarantee that something is safe or private but it does show a dedication to transparency from the service and especially in the case of larger projects it could mean that lots of knowledgeable eyes have had the chance to look for any particularly alarming behavior in the code (potentially).
  • Look for audits. Audits are expensive, so not having an audit isn't necessarily a sign of an irresponsible company, especially if they're smaller. But for companies who can afford them (and publicly release them), audits are a sign that the company takes security seriously and wants to know if they can do better. Be aware that audits are only a snapshot of the code at a specific point in time. Future updates might introduce new vulnerabilities by mistake.
  • Corporate attitudes. Much like audits, how a company approaches security speaks volumes about how trustworthy they are. Do they have a bug bounty program? Do they have a history of working with researchers to fix discovered flaws? Do they have a good track record and reputation in the community? Even things like not being open source or not doing audits aren't smoking guns that a company isn't trustworthy if the company shows commitments in other ways.
  • Reviews (from experts). I'm not talking about reviews like "how fast is this VPN?" I'm talking about experts in the field saying "here's my expert opinion on why this product is trustworthy." Do reputable experts recommend this service? Why? If experts dismiss or warn against the product, why?

Final Important Note

It would be wonderful if we could truly achieve zero trust. Sadly that's unlikely to happen, certainly any time soon. In the meantime we'll have to learn how to place our trust accordingly.

Again, nothing can guarantee a 100% success rate. I really want to drill that idea home. Even the most reputable, well meaning services have had vulnerabilities at times, sometimes serious ones. Annie Duke's Thinking in Bets warns us against "resulting," which is when you make a decision that has a bad outcome and thus conclude that you made the wrong choice, even if it actually was the right choice given all the information available to you at the time. Be careful not to fall for this. Make the best choice you can with the information available to you at the time and accept that life is not without risk.

Tech changes fast, so be sure to check out our website for all the latest recommendations, tools, services, and more.

The New Oil