
A piece of software will always be more trustworthy when it is free and open source than when it is closed source. A web browser interacts with so many servers that it would be very difficult to screen for all of the possible ways it could leak information to third parties if it were malicious. A FOSS browser has no such concerns since the code can be checked for malicious behavior. Any telemetry in FOSS can be either disabled in the software settings or stripped through forks (LibreWolf, Mull, Ungoogled Chromium).

With multiple cross-platform FOSS browsers already on the market, being FOSS is a baseline expectation for any new web browser that I hope Orion will eventually meet.



> A piece of software will always be more trustworthy when it is free and open source than when it is closed source

Agreed.

I argued something different though, and that is that a zero-telemetry browser is more trustworthy (from a privacy perspective) than an open-source browser that has telemetry by default.

The simple reason for this is that literally anyone can test and verify a zero-telemetry claim by installing a free web proxy and monitoring connections.

Proving trustworthiness for a browser with telemetry, even if the client is OSS, is much harder.

> A web browser interacts with so many servers

A zero-telemetry browser, especially one blocking ads and trackers by default like Orion, does not.

Just one such rogue connection found by anyone on the web would be enough to destroy a zero-telemetry browser's entire reputation and credibility.

> A FOSS browser has no such concerns since the code can be checked for malicious behavior.

That is somewhat an illusion. For example, the server-side code that is receiving and processing browser telemetry (including personal information such as IP addresses) is not open source and cannot be checked for any major OSS browser, as far as I know. Even if it was FOSS, the user would have no way of knowing that it is the code that is actually running on the servers.

With a zero-telemetry browser there is no such concern. This is why zero-telemetry is a much more powerful claim if trust and privacy are of concern.

Ultimately, what defines trustworthiness overall is the business model of the browser, because that is what defines the incentives of the browser vendor. As an average user, would you rather trust a browser with a business model where users pay for the product, or a browser depending on the world's largest ad and tracking network for revenue?

Most browsers depend directly or indirectly on ads/tracking business models for revenue. Orion is again a rare breed in this regard, as it only generates revenue off of the users directly paying for it.


> A zero-telemetry browser, especially one blocking ads and trackers by default like Orion, does not.

With or without telemetry, any web browser interacts with the numerous servers that host the content on the pages users load. A malicious closed source browser could alter its behavior in any number of ways while resisting detection.

It can change the timing or content of requests to and responses from specific domains. It can manipulate content displayed to the user. It can alter the behavior of scripts. Importantly, it can do any of these things in extremely targeted situations, such as when the user's environment meets certain conditions.

FOSS browsers don't have this concern because the source code can be verified to ensure that the browser doesn't manipulate its behavior in any situation.

> As an average user, would you rather trust a browser with a business model where users pay for the product, or a browser depending on the world's largest ad and tracking network for revenue?

The maintainers of the telemetry-free LibreWolf, Mull, and Ungoogled Chromium browsers don't depend on search engine revenue. An average user wouldn't see any problem with these forks, and an informed user would recognize their FOSS nature as an additional benefit that Orion could also gain should it become FOSS in the future.


Correct, and this is why trustworthiness is a matter of the business model, which is what defines incentives.

For many browsers today, users are not the same as customers, and this is problematic from a standpoint of trust and alignment of incentives, regardless of whether they are FOSS or not.


> A piece of software will always be more trustworthy when it is free and open source than when it is closed source.

Totally disagree. Unless you are reviewing the software yourself (likely not), you’re just hoping that somebody else reviewed it and they are competent, and that any vulns are reported and fixed.

That’s a lot of trust in a system that may or may not work as intended.

Might as well be closed source at that point.


> Unless you are reviewing the software yourself (likely not)

If you're assuming this about me, then you're wrong. I frequently review source code for FOSS I use, especially the parts that I submit issues and pull requests for.

I also know that others are reviewing the source code, since they are submitting issues (that reference portions of the code) and pull requests, too.

> Might as well be closed source at that point.

No, if a piece of software ever behaved suspiciously, the software being FOSS would enable someone to inspect the code and determine the root cause of that behavior. This examination would be made much more difficult if the software were closed source.


Great points



