Playing devil’s advocate: what should the rest of the world do when using proprietary technology from the USA, given that NSA likes to have their nose in everything?
The software industry needs to adapt to the challenges of a fully digitized world and at the moment things are a bit behind. The first and most important part is to have reproducible builds and code signing, so in cases where the source is available, people should be able to easily trace what’s in the software they’re using and who contributed. I think this is a technical challenge and some software ecosystems are trying to solve it (Go, Rust etc.). The next thing that I would like to see happening is more commercial software licenses that allow making a living from selling software but that give access to the source. I prefer a world where I pay for software and developers can make a living, and at the same time be able to check that the promises that the developer makes are held.
How would code-signing help if NSA arm-twists you into introducing a backdoor in your code? Even for open-source, it is difficult for the average Joe to trace and figure out contributions (it's like saying the automobile engine has blueprints available, so everyone should be able to figure out what's wrong). :-)
You know NSA is an American agency, and America is not China - there is free enterprise. The only way they can "arm-twist" you is by rules and regulations that every company has to follow. In other words - NSA cannot force you to break the law.
"The FBI wanted to work out an arrangement in which the developer would secretly feed its operatives information about Telegram’s inner workings—things like new features and other components of the service’s architecture that they might want to know about. The arrangement would be strictly confidential, and they were willing to pay."
source: https://thebaffler.com/salvos/the-crypto-keepers-levine
Bribing the software engineers of an independent private business behind the owner's back, and/or showing up unannounced at the private residences of major stakeholders is "arm-twisting" for all intents and purposes. Admittedly it's more subtle than the typical approach the Russian or Chinese governments would follow, yet the essence is the same. In rare cases, where bribery and coercion fail, there is the institution of FISA courts in the US and the lack of control over secret services in other countries.
The potential of a private business to say "okay we do it for money" is exactly the risk at hand and the reason for more than a handful of "accidental" security breaches in the recent past.
This is an ok thing for some Americans to believe in, but at least Google encrypted all its traffic between data centers specifically to avoid NSA eavesdropping. And many people in the rest of the world don’t think the US respects the rule of law as it advertises.
Well, Arabia and Russia are starting to force data to be processed and stored in their territory by blocking foreign comm-tech. But I don't think that is a solution; that is just digital nationalism driven by fear of espionage and demand for the power of mass surveillance.
What "the world" should do is lobby against nation-states and mega-corps having their noses in everything, because it is a central building block of totalitarianism. Even if the state doesn't go all out authoritarian, it opens back doors that leave people vulnerable to abuse by bad actors.
The rest of the world can (and should) avoid US software if they want to. Playing devil's advocate here doesn't make a lot of sense because no US regime has ever been anything close to the CCP.
The US government can just walk in and say zoom.us has to feed all the data into MYSTIC for national security reasons. The CCP's ability to pressure some developers into adding bad code which might enable them to hack Zoom infrastructure is laughable in comparison. Yes, in theory they could attack some high-value target that way, but only the hosting nation can exfiltrate mass surveillance without an alarm going off. Which is why zoom.cn is hosted in China.