[kkyryl]

my point exactly. I was just discussing this with a friend – there's really no way for us to prove that we don't keep or don't sell the data we get access to (aside from clearer tos/policies).

and it's even scarier with iCloud for example – they don't have oAuth and people need to enter their passwords to scan/clean. (they do have "app-specific" passwords though but looks like people have hard time figuring those out.)

[raesene2]

Well there is, but it's not cheap. You get a trusted third party to Audit you and publish the result of their Audit, something similar to a SAS70.

It's not a perfect solution but it's an option to consider

[kkyryl]

fair point – this is something we consider doing before expanding to b2b market. but:

my day job is in ecommerce (I work as a product manager at FastSpring) and I used to work on CleanMyMac at MacPaw – had to work with trust in both. it's somewhat unexpected but people who are buying software for themselves usually don't care about PCI compliance, audits, and other artifacts of "institutional validation". they care about a "norton secured" badge, proper language, recommendation from a person they know, a review at the website they read, "that green thing with the lock in my browser".. we're now at the phase where we are trying to find the right combination.

just to be clear – it's very different from project to project and depends on the audience. what I'm saying is that we're making decisions emotionally mostly based on our prior experience and rely on internal "thermometer" to tell us if what we're seeing is trustworhty.

[cjCamel]

When dealing with sites where high trust is required I think people would much rather see an independent audit or compliance with a (legit) security accreditation than a Norton badge, however, most of the time this is not offered, so we make do with the crappy badge, a recommendation, or gut instinct.

Having said that, I deal with independent audits in my job, and they're not all that reassuring.

[3D4y0]

Pardon my ignorance or perhaps its just that I've become jaded, but outside of circumstances with dire/sever consequence such as laws, regulations, etc how does an independent audit (legit accreditation or not) verify what happens after the audit is done and the auditors long gone?

How does an independent audit detect out of band taps (swapping binaries, re purposing archives/backups, mirroring, etc) on infrastructure the auditor wasn't monitoring before the audit? logs? but more importantly amortized or not the customer eventually pays for all this activity that at the end of the day is more fluff than substance (in terms of what the customer can actually verify) In the end doesn't all this come down to just another form marketing?

Please note, that I recognize that there are many scenarios where an independent audit would add value. I just don't think it adds anything that social validation doesn't already add when considered from the perspective of a consumer to whom the infrastructure behind the service is unavoidably opaque.