Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis.
Open-source software can be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, unless you do so, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.
Don’t take the previous question to mean that proprietary software is better! Again, whether the source code is available and how software is licensed does not inherently affect its security in any way.
Proprietary software is less transparent than open-source software, but that doesn’t imply that it’s not secure either. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
To avoid biased decisions, it’s vital that you evaluate the privacy and security standards of the software you use.
Sort of. We talk about “shifting trust” a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn’t completely secured from all parties. You should still use other techniques—like end-to-end encryption—to protect your data completely. Merely distrusting one provider to trust another is not securing your data.
Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you’re looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a “privacy-focused” provider (that doesn’t implement E2EE) doesn’t solve your problem: it just shifts trust from Google to that provider.
The privacy policies and business practices of providers you choose are still very important, but should be considered secondary to technical guarantees of your privacy: You shouldn’t shift trust to another provider when trusting a provider isn’t a requirement at all.
We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to “What is the best way to do X?”
Finding the “best” solution for yourself doesn’t necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically.
For more information, read our page on common misconceptions!