# Tiny Bytes: Provable Privacy

**Published by:** [ldnovak](https://paragraph.com/@ldnovak/)
**Published on:** 2022-08-04
**URL:** https://paragraph.com/@ldnovak/tiny-bytes-provable-privacy

## Content

Hey, I wanted to think a bit about proving privacy. You can tell me your product maintains my privacy, but how I can I KNOW that your claims are true. If a VPN service says it won’t log any data and give you anonymity, how can one prove this? If your app says you won’t collect personal data, how can you prove this?AuditingWhat inspired this post was a letter written by Rep Anna Eshoo and Senator Wyden to the FTC to manage privacy claims made by VPN. The letter asks the FTC to add government oversight to validate privacy claims made by VPN companies. https://eshoo.house.gov/media/press-releases/rep-eshoo-and-senator-wyden-urge-ftc-address-deceptive-data-practices-vpn Auditing is used all the time for security. You need to audit your handling of sensitive health data. Security audits are the industry standard for validating a smart contract. Code is checked for bugs and vulnerabilities. NIST has competitions where everyone tries to break crypto schemes. The algorithms and libraries that no one finds holes in are the ones that people say are safe. It seems like lots of people looking for issues and no one finding an issue is the best way to know something is secure. Then, when the best practices are known, validating that people are using the best practices. I’d imagine that the same is/will be true for privacy. A quick search shows that there’s lots of services for getting privacy audits of your stack. Part of the requirements for crypto algorithms is their ability to preserve privacy. From my (limited understanding) it feels that a lot of these privacy standards aren’t crazy. Especially with the rise of big data collection and analysis, there’s a lot of sophisticated ways that privacy could be broken. It’s not just about preventing Alice from reading my messages, it’s also about letting her see some analysis of the messages (e.g., see what was said but not when or to whom it was sent). This becomes a lot harder. We are working on ways to make this happen and audit the process. I just wish these kind of primitives and standards have been worked out.Not AuditingI wonder what are other ways to prove privacy without auditing. Part of that may just have to be feel. There’s things you can know the app is bad. However, writing this down this is still a form of auditing. Someone makes a claim and people test if it is true. I am curious on giving people a better feel of privacy. If I talk to a friend in my home, I know that it’s a conversation with just us. No one else is listening to track me or sell me products. Someone could put a bug in my house or hack one of my devices, but I don’t think I’m worth that effort. Could we give people that kind of feel online. On this site with this browser on this device you should expect this information to be known. I think this would be really cool if it was intuitive. Good night y’all, Lucas

## Publication Information

- [ldnovak](https://paragraph.com/@ldnovak/): Publication homepage
- [All Posts](https://paragraph.com/@ldnovak/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@ldnovak): Subscribe to updates