Jan 31, 2011
At his talk at Linux.conf.au in Brisbane last week, Mark Pesce talked about trust and openness.
"If you can't examine the source code, how can you really trust it? This is an issue beyond maintainability, beyond the right to fork; this is the essential element that will prevent paranoia. 'Transparency is the new objectivity', and unless any particular program is completely transparent, it is inherently suspect." @mpesce http://blog.futurestreetconsulting.com/
I agree wholeheartedly that openness creates transparency and transparency creates trust. But trust is a complex thing. I'd like to tease out this point a bit, as it relates to online services and open code.
The first step in my interaction with any online service (such as Facebook) is long pages of Terms and Conditions. My choices are to read them in detail, understand the implications of joining, and then join or not join. There is no "I agree, but with these changes" button. This process is not a negotiation. It is a binary state: I agree and I can connect with my friends using Facebook, or I don't agree and I don't connect with my friends using Facebook.
Of course, since I don't have the time or energy to read it, I am trusting it. I may have just signed away my entire life savings. I agree and join because I want to connect, immediately.
People (including me) do this because it is easy and the benefits are immediate and substantial. Mark made this point: "The more immediacy you need, the less resilience you get."
The risks and the disbenefits are invisible.
Mark suggests that we can only trust systems where the source code is open. I think it is more complex than that. We can only trust systems where the source code is open; where we can understand the code and where we know that it is the source code that is running the system we are using.
Just being open is insufficient; there is a lot of additional trust that goes along with this.
I am not a programmer, so I can't understand any open code. So in order to trust a service, I now have to find someone I can trust who does understand the code, as well as someone who can confirm that the code they are looking at is actually the code running the service, and that the system is secure enough for me to trust it to my satisfaction.
I could do this, because I know people I trust who could do this for me, and I could understand their reports. But I am not most of my friends. I am not my nephew who, even when advised by grownups he should trust (i.e. his Aunty Lisa), still leaves his contact details available to his 400 friends on Facebook.
So openness is the first step to trust. We then have to trust that there are people who will interpret the code, who will report back to us on what it is doing with our information, what the implications of that are, and what I can do about it.
And all I want to do is connect with my friends.