Understanding open source

There's a pervasive notion among enthusiasts in the privacy community that open source software (OSS) is the "right" or only way to have privacy. Open source software is frequently pushed to the front of every "top ten" listicle or blog post, while closed source applications are often tossed aside and marked untrustworthy because the code can't be audited by the public for anything that could be malicious towards our privacy (or security, or our general best interest).

There are a lot of benefits beyond privacy to supporting OSS, but this article is going to focus on what open and closed source software are, the benefits OSS provides, and an objective look at the open vs closed source debate.

First, let's lay some foundation.

What does open source and closed source mean?

Every application, program, or piece of software you interact with on a daily basis was written in some type of programming language and compiled or packaged into a neat little bundle to be installed and used. Sometimes these applications are written by a single person, while others have hundreds of people examining, writing, and revising the code. Regardless of how many people are working on it, it's all written in one of the dozens of available programming languages.

Open source software is software whose source code anyone is allowed to review, study, and/or modify. Github is one of the largest archives of open source projects on the web, and you're free to peruse them to your heart's content.

Closed source software means that there is no public place to look through the software's code. Whether that decision is deliberate or not, this is generally the default for a variety of reasons.

While it's common for software to be either entirely open source or entirely closed source, it's not unheard of to have a mixture of the two. For example, the Vivaldi web browser open sources 97% of its code but keeps the remaining 3%, related to its user interface, hidden.

Now that we know the difference between open and closed source software, let's revisit the opening paragraph. The tenured portion of the privacy community often has an "open source or bust" mentality, and the supporting logic does make sense on the surface: if we can read the code and see what it's doing, we can ensure there's nothing malicious or invasive going on behind our backs.

But, if we take a step back, we'll see that it's slightly more nuanced than that.

Who's checking this stuff?

The beauty of open source software is the ability to see the inner workings of an application and understand what it's doing. This is one of the main drivers behind the recommendation and use of OSS by the privacy community.

Github currently has over 128 million public repositories and millions of developers across the globe, giving everyone the chance to look behind the scenes and build off of their work. But the question becomes: who's sifting through the hundreds, thousands, or millions of lines of code in all of these projects to make sure there's nothing fishy?

The small, one or two person hobby projects you come across on Github that have been seen by 2,000 people have most likely never been reviewed by another developer and never will be. And even if one has, you're trusting that the reviewer is qualified to do so, that they understand what's happening in someone else's code at every stage, and that they didn't overlook anything.

The reality is that only large and/or popular projects are reviewed consistently, or at all, by qualified developers. Even so, Heartbleed is a prime example of a catastrophic vulnerability existing unnoticed in one of the most important open source projects on the internet: it shipped in OpenSSL from 2012 until its disclosure in April 2014, roughly two years, before being addressed.

Open source isn't all roses

As we just saw with Heartbleed, and as we'll see in the next few high profile examples, open source doesn't necessarily mean anything is more secure, private, or consumer friendly than its closed source counterpart. Two of the following three examples could just as easily have been reported in a closed source application, because they were noticed from how the software behaved, not from reviewing the code.

ImageGlass

At the beginning of 2022, a popular open source image viewer (3 million+ downloads as of writing) integrated a service, spider.com, into the application. This service lets someone, anyone, route their internet traffic through your personal network without your knowledge. Because the developer added this to the application, your computer could, for example, very easily be turned into an exit point for strangers' traffic, much like a member of a botnet, without you ever being told.

The developer added this for financial reasons, stating that donations and other voluntary support didn't bring in enough money. From start to finish, spider was part of the application for roughly two weeks before being removed.

Kiwi browser

In April 2021, Kiwi browser was confronted for intercepting searches made on Yahoo and Bing, passing them through Kiwi's servers, and then redirecting them on to Yahoo and Microsoft. This means anything you searched for first went to Kiwi's servers, where the data could be saved, stored, and viewed by the developer(s), before moving on to Bing or Yahoo. Similar to the developer of ImageGlass, money was the main driver behind the decision to include this in the browser. As of this writing, it has not been removed.

Brave browser

Brave is an open source, privacy focused browser based on Chromium with almost 20 million daily active users. In a 2020 study by Trinity College Dublin, Brave was deemed the most private browser out of the box, thanks to some of its default privacy settings and to sending the least data back home of the six major browsers tested.

While Brave has been enjoying a steady rise, they aren't without their controversies. In 2020, a user on Twitter pointed out that Brave was automatically suggesting and adding its own affiliate codes to certain crypto related domains without user consent. For example, if you were to type in "binance.com" and hit enter, Brave would automatically suggest and select "binance.com/en?ref=00000000" by default instead (the actual referral number is replaced with 0s here).

It turns out that this was, and still is, hard coded into the browser. Brave quickly "fixed" the issue by changing the default of the "Show Brave suggested sites in autocomplete suggestions" setting to "off".
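Both the Kiwi and the Brave cases were caught by watching what the software did, not by reading its code. The following is an added example, not code from this article or from either browser, of the kind of check that catches both: compare the URL (or server) the user asked for against the one the software actually went to, and flag any change of site or any referral-style query parameter that appeared out of nowhere. The parameter list, the proxy hostname and the sample inputs are constructed for the illustration; the "same site" test is deliberately crude.

```python
"""Added example (not from the article or any browser vendor): compare what the
user asked for with what the software actually did."""
from urllib.parse import urlsplit, parse_qsl

# Query parameters commonly used to credit a referrer or track a campaign.
# Assumption: illustrative, not exhaustive.
REFERRAL_PARAMS = {"ref", "aff", "affiliate", "affid", "tag", "utm_source",
                   "utm_medium", "utm_campaign", "gclid", "fbclid"}


def _normalise(url: str):
    """Split a URL the way a user types it: add a scheme if missing, lowercase the host."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return host, query


def _registrable(host: str) -> str:
    """Crude 'same site' test: the last two labels of the hostname (example.com).
    Assumption: good enough for the illustration; real code uses the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_navigation(requested: str, observed: str) -> dict:
    """Report how `observed` (the URL the software loaded, or the server it actually
    contacted) differs from `requested` (what the user typed).

    host_changed    - the request left the site the user asked for (the Kiwi pattern)
    added_params    - query parameters present in observed but not in requested
    referral_params - the subset of added_params that look like affiliate/tracking codes
                      (the Brave pattern)
    suspicious      - True if the host changed or referral parameters were added
    """
    r_host, r_query = _normalise(requested)
    o_host, o_query = _normalise(observed)
    added = {k: v for k, v in o_query.items() if k not in r_query}
    referral = {k: v for k, v in added.items() if k.lower() in REFERRAL_PARAMS}
    host_changed = _registrable(r_host) != _registrable(o_host)
    return {
        "host_changed": host_changed,
        "added_params": added,
        "referral_params": referral,
        "suspicious": host_changed or bool(referral),
    }


if __name__ == "__main__":
    # Constructed inputs modelled on the two incidents in the text.
    cases = [
        ("binance.com", "binance.com/en?ref=00000000"),           # affiliate code appended
        ("https://www.bing.com/search?q=test",
         "https://search-proxy.example/redirect?q=test"),          # query detoured via a third party
        ("example.com", "https://www.example.com/"),               # harmless canonicalisation
    ]
    for requested, observed in cases:
        print(requested, "->", observed, audit_navigation(requested, observed))
```

The third case shows why the check compares sites rather than exact strings: a browser adding "https://www." is normal, and should not be flagged, while a request that leaves the site entirely, or gains a referral parameter the user never typed, should.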

Open source and reproducible builds

We've talked about what open source is and the ability to review code, but there's one more piece of the OSS puzzle that isn't talked about as much and is the real difference between open and closed source applications: reproducible builds.

A build is reproducible when anyone can take the published source code, build it themselves, and end up with a byte-for-byte identical copy of the binary the developer ships. Being able to compile the code yourself is the first step, but the important part is that the result matches: if it does, the hash of your build equals the hash of the download, and you have proof that the .exe or .apk you got from Github, the developer's website, or the app store was built from the code you can read. This is far less common than it should be. Most of the time the application has already been built and packaged for us, and small differences in compilers, timestamps, and build machines mean we can't recreate that exact package ourselves.

When we can't reproduce the build, we're trusting that the application we install from the app store or website is running the exact same code we see on Github. Just as with a closed source application, we can't be 100% sure either way what is actually powering it, since we can't recreate it ourselves. Without reproducible builds, both closed and open source software ultimately require trust.
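To make the idea concrete, here is an added example (not from the article or any real project) of a toy packaging step done two ways: a typical release script that stamps in the build time, the host name and a random build id, and a reproducible one that fixes entry order, timestamps and permissions and records nothing about the build machine. The source files, the fixed timestamp and the file names are constructed for the illustration. The check at the end is the one a user performs: compare the hash of their own build against the hash the developer published.

```python
"""Added example (not from the article): why a build must be reproducible before a
published binary can be checked against its source, shown on a toy package."""
import hashlib
import hmac
import io
import socket
import time
import uuid
import zipfile

# Constructed "source tree": file name -> contents. Stands in for a real repository.
SOURCE_TREE = {
    "src/main.py": b"print('hello')\n",
    "README.md": b"# toy app\n",
}

# Fixed timestamp, the role SOURCE_DATE_EPOCH plays in real build tools.
# Assumption: 2022-01-01T00:00:00Z, chosen arbitrarily for the example.
SOURCE_DATE = (2022, 1, 1, 0, 0, 0)


def naive_build(tree=SOURCE_TREE) -> bytes:
    """Package the tree the way many release scripts do: entries in whatever order
    the dict (or filesystem) yields them, the current time in every zip entry, and
    a BUILD_INFO file recording when and where the build ran plus a random build id.
    No two runs produce the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in tree.items():
            zf.writestr(name, data)  # ZipInfo timestamp defaults to "now"
        stamp = (f"built {time.time_ns()} on {socket.gethostname()} "
                 f"build-id {uuid.uuid4()}\n")
        zf.writestr("BUILD_INFO", stamp.encode())
    return buf.getvalue()


def reproducible_build(tree=SOURCE_TREE) -> bytes:
    """Same inputs, deterministic output: sorted entry order, fixed timestamps,
    fixed permissions and no build-host metadata. Every run is byte-identical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(name, date_time=SOURCE_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed unix mode instead of the builder's umask
            zf.writestr(info, tree[name])
    return buf.getvalue()


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def matches_published(local_artifact: bytes, published_sha256: str) -> bool:
    """The user's check: does the hash of my own build equal the hash the developer published?"""
    return hmac.compare_digest(sha256_hex(local_artifact), published_sha256.lower())


if __name__ == "__main__":
    published = sha256_hex(reproducible_build())  # what the developer would publish alongside the download
    print("two naive builds identical?       ", naive_build() == naive_build())
    print("two reproducible builds identical?", reproducible_build() == reproducible_build())
    print("my build matches published hash?  ", matches_published(reproducible_build(), published))
```

With the naive script, a mismatch between your build and the download proves nothing, because even the developer's own second build would not match their first. Only once the build is reproducible does "my hash equals the published hash" become evidence that the binary came from the code you read.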

In both scenarios, though, the overwhelming majority of developers aren't out to intentionally take advantage of anyone with tainted software.

An example

Even when focusing on privacy, a closed source application may be a perfectly good option for the majority of people.

For example, 1Password is an incredibly popular and polished password manager available on every modern platform on the market. In addition to standard password generation and syncing, it offers features not available in the leading open source alternatives, such as Bitwarden.

They've also paid for seven third party audits from reputable companies, covering various aspects of their software, in the last two years to validate their claims and address issues. And, for the technically inclined, they offer an extensive whitepaper describing their security design in detail.

Does all of this mean 1Password is the best password manager on the market? Absolutely not. If you want to self host your password manager, 1Password offers nothing of the sort, but Bitwarden does. 1Password is also paid software with no free option beyond a trial, while Bitwarden works with an entirely free account.

Even though 1Password offers a feature rich service, has contracted more than half a dozen audits, and has a privacy policy comparable to Bitwarden's, it's immediately disqualified from most recommendations because the public can't read its code.

There's no discernible difference, in regards to privacy, between the two password managers, even though one is entirely open source and the other isn't. If you can't download the code and reproduce the build yourself, you're trusting that nothing harmful has been inserted on either side.

Closing

In a 2017 audit, 96% of 1,100 scanned commercial applications contained open source components, with an average of 257 components per application. The public nature of open source projects has allowed the community to find and fix bugs, improve usability, share ideas, and push not only technology, but the world as a whole, forward in the digital age.

I personally advocate for open source software and encourage everyone to support their favorite projects when they can to continue to pave a better path to the future.

In 2022, almost everything has a viable open source alternative, and those alternatives are regularly better than their proprietary counterparts for privacy. Microsoft Office has OnlyOffice, Google Chrome has Firefox, Blender rivals Adobe's video suite, and there are multiple Linux distributions that go toe to toe with Windows and Mac on features and user experience while being unmatched in their privacy.

Even with all of the amazing OSS out there, blindly committing to only open source typically isn't the right move. We should be asking questions, considering our true needs, reading the service's privacy policy to learn what information is collected and how it's used (learn how to read them here), and assessing our threat model when making decisions. Otherwise we're sometimes missing out on the best tools for the job for no good reason.