Privacy can't be assured without the source code being public

Ranjith Raj

To study any program to know it works, access to source code is a precondition. While we enjoy many features of popular apps, it is intrinsic that to verify the privacy claims of these apps is by exploring their source code, for which public access is a precondition. We never know what's being tracked, and what's being not tracked if it is proprietary software where source code is not available.

Users have to be cautious about the dangers of proprietary software seeping into the 'privacy market' with vicious claims of not collecting the user's personal and sensitive data, but their actions say otherwise. With growing resistance against surveillance capitalism, corporations instead of offering them actual privacy alternatives, they are jumping into aggressive marketing sprees to deceive people, in various forms, like dubious & unsubstantiated claims or half-lies.

Starting with dubious claims of making source code publicly available, but indeed never doing what's publicly announced. Let's look at the famous case of Aarogya Setu app which has more than 160 million downloads.

Aarogya Setu is a contract-tracing app released by Govt. of India in partnership with Private parties.  The app didn't solve the problems that the govt. claims it can (it's design technically can't achieve the stated purpose), and the government's mega-campaign to force feed it to citizens by making it mandatory (to an extent services are denied for not installing it) is a live example of how the state gaslights its own citizens to push them into a dystopia built on the fabric of surveillance capitalism.

To avoid the criticism coming from strong resistance movement against force-feeding, led by hacktivists demanding to make the source code public, the CEO of NITI Aayog performed a fake PR stunt to deceive people that source code is made public, but indeed hacktivists have exposed the fakery by finding out that the android version source code released is different from the app in Google Playstore; and from the release it's turned out to be a dead repository on the very first week with no pull requests merged.

(https://www.firstpost.com/tech/news-analysis/aarogya-setu-not-open-source-in-real-sense-claim-cybersecurity-activists-say-server-code-must-be-made-public-8480011.html)

Let's assume someday soon with increasing pressure from hackitivists, the govt. might make the source code of the client-side software publicly available, still the problem won't be solved. The server-side code of Aarogya Setu is not yet released, and no one exactly knows if it will be released ever. Aarogya Setu is not alone in following such model or pioneer of this trend.

Here we come to look at next-level of same problem, in which 'Only client-side code is public, but never the server-side code' : Welcome to the world of 'proprietary platforms'

To understand this model, we can consider NewPipe & Invidious, which are best examples of clients with publicly available source code to access the proprietary platform Youtube. It's good that at least in-app tracking can be avoided by switching to these apps, in unavoidable conditions where we don't have an option to skip platforms like YouTube.

Here comes the Unicorns like Telegram & VC-funded DuckDuckGo trying to seep into 'privacy market' by piggy-backing on user's everyday struggle to protect them from surveillance dystopia we are living in. It should be seen as malicious attempts by these corporations to dilute the widely growing movements against the surveillance capitalism and to curb the trend to switching to Free Software alternatives, and deceive people by making them believe in illusionary sense of privacy offered by these services, by their 'creative' marketing campaigns.

Shady networks of monopoly-backed 'privacy organisations'  NGO/NPO-Industrial Complex) and media outlets play key role in increasing the credibility of these proprietary apps by funding them (or promoting their fund campaigns), and promoting these proprietary applications in their circles in the garb of privacy alternatives.

The widely growing privacy awareness is an outcome of struggle of hacktivists in people's movements across the globe and can't be allowed to be appropriated by the same surveillance capitalism mafia which benefits from doing aggressive surveillance on general public.

Proprietary Software and Surveillance Capitalism mafia - aka Digital Monopolies are co-opting the movement and iconography of the same people it marginalised and oppressed (before they were seen as profitable) in order to de-fang free software movement and preserve their own hegemony. We can't allow this. It's our responsibility as hacktivists to educate the larger sections of society about everything these monopolies do under their criminal business models to hinder the progress of our society.

(Ranjith Raj is an Executive Committee Member of Swecha and a General Council Member of Free Software Movement of India. He is currently a researcher at International Institute of Information Technology Hyderabad)