by mongrol 4419 days ago
Which they can't prove since it's closed source.
7 comments

They probably aren't lying. And if they were, it would be trivially possible to demonstrate that the app doesn't send data to a third-party server in general use. And it would be discovered pretty quickly.

There is no way—even with open source software—to prove that an app isn't sending data to a third party. Unless you are going to build all of your hardware from raw materials, and build your own software by hand, using a bootstrapped compiler that you wrote yourself. In machine code.

Given the above, it's obvious that there has to be a level of trust involved at some point in the process. The majority of people using open-source software aren't building it themselves, and so the trust issue would still be there if the software was open. Who's to say they wouldn't provide a binary that shipped your data off, without including that code in the open release?

IOW, your predictable shallow response adds precisely zero value to the discussion about how to ensure privacy in software.

Have you found a way to generate an actual proof from source code? I'd like to use it to eliminate all bugs from my code.

Besides which, you can verify what servers it connects to in such a trivial way (1 minute tops) that digging through source code would be stupid.

In most cases I'm much more concerned about companies being incompetent than malicious.

I trust them not to include a mail-stealing backdoor (which would likely be noticed quickly), but I don't trust them to secure my mail on their servers.

You can fairly trivially prove this with a network analyzer like Wireshark - just check to make sure mail requests are directly coming from and going to your mail server.

This conversation reminds me of Reflections on Trusting Trust, an interesting short paper originally given as a Turing Award acceptance speech: http://cm.bell-labs.com/who/ken/trust.html.

Well, Google can't prove it isn't sending all our e-mails to our underground reptilian overlords either, right?

People doing this sort of thing tend to get caught, and besides, these guys seem to be in the app business, not in the service business.

One can easily sniff what is transmitted from their app and to which end.