
I'd argue that it's a falsehood to call a closed source application privacy friendly.



This is why we can't have nice things...


You would? How?


The only proof we have of privacy is a claim made by an internet account. With source code, auditing that claim is a lot easier. “Trust but verify.”


I agree that it isn’t as easily verifiable that it is privacy-respecting without the source code but that’s a couple steps from saying that it is “a falsehood” to say it is.

What made me wonder about it is that this is very specific wording that indicates that they proactively know the author is lying, when it would be very easy to instead say something along the lines of what you said, that it is too hard to verify without access to the source code.


I agree that the language used wasn’t perfect, but… If a claim is not verifiable, it can only be taken on faith. Same as all the existing apps in the category that this one aims to replace. Is there a better word we can use to describe this sort of situation?


I can’t think of one specific word to swap out for “falsehood,” it would be better to just replace the whole phrase. Various things have been bounced around here in the discussion. I’d go with something like “without the source code, unfortunately that can’t be verified.” This is a better phrase all around. It describes the actual problem. And it isn’t unnecessarily accusatory.


Presumably because there is no way to verify the claim.


I think that isn’t it, because it would be easy to say something like “we can’t verify the claim that it is privacy respecting so we should assume otherwise.” Which is a totally reasonable position to take.

I think it is important to be specific, clear, and to have evidence if one wants to call somebody a liar, though.

Or maybe it is something else, it could be interesting if they have some other definition of “privacy respecting” that precludes closed source apps, for example. That is, to “respect privacy” could be understood to actually be to provide users with verifiable evidence that their private info isn’t compromised. I think this isn’t the conventional definition of privacy respecting but I’m definitely ready to be pulled on-side if anybody starts pushing it.


There are ways to check what data is sent through the network...


Not really, not anymore. Many apps are now using certificate pinning to make it impossible for the user to modify the trust store. This means that unless it is open source, it is very difficult for people to verify, even when they know very well what they are doing.


There's always a way, even if it's a lot more painful now! https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-00...


But you can verify that the app does not use the network at all, right?


Yes you could, although the bar is still a lot higher than if it's open source. You will have to fully re-test all possible paths in the app every time a new release is made if it's closed source. If it's open, you just need to look at the git log.

Plus if there is one legitimate network call, then this strategy is out since you can't know what that request contains. OP is using in-app purchases, so I'm willing to bet there's at least one network call in there.

If there is no network access permission at all, then I think we agree, that's a reasonable guarantee.


Interesting if in-app purchase is registered as the app network access vs Google Play services network access.



