| It's ridiculous that we're at this point where using a handful of software applications means keeping up to date with the social life and financial situation of the developer, reading changelogs, etc. And you only can spare both the time and cognitive load to do this for at most a dozen or two applications, if you really care. The rest, you just have to trust that enough other people are watching carefully. But the average person isn't going to keep up with even one application. They only bought their computer so they could browse the web and check emails, not so they could learn the details of how it works. Likewise, most of us don't buy a car in order to spend a lot of time learning about exactly how a combustion engine works. We don't have the time. Granted, this board is laden with engineers who will make the time to understand how their tools work, but we simply cannot expect this kind of effort from most people. So, like we have to trust lower-level components to be scrutinized elsewhere, and trust we will be alerted in case of critical issues, the general population must trust the "nerds" to get things right and keep them safe. This means that typically, the best attack surfaces will be small, widely-distributed, low-level software stacks whose developers can easily be compromised. Not just software either, but hardware. It does seem like this is ultimately a battle we are going to lose without regulatory legislation in domains that require mass-deployment of software that can potentially breach Constitutional rights. In order to be federally qualified as "privacy-friendly", you have to meet certain guidelines both on a hardware and software level. This would include automatic transmission or collection of certain kinds of data without very express permission. |