Frequently Asked Questions

I've been using XYZ App for years and so I trust them. Isn't that enough assurance?

First, you don't have anything to lose by asking for more transparency and proof of Privacy Policy claims. If you had a choice between an email service you loved and that same email service plus full, provable transparency on how your email is handled, which would you choose? Users have nothing to lose when the products they use and trust with their private data become more transparent.

Second, even if you had complete blind faith in the services you use now, do you know what would happen in an ownership change? What if the service was bought out, or had to sell due to financial struggles? Openly Operated apps let you place trust in the provable transparency of a service, instead of who happens to be running the show at the time.

Third, as a company grows and has different employees, contractors, interns, and partnerships over time, its vulnerability to insider threat increases. Openly Operated apps mitigate these issues by requiring full audit trails and being transparent about who can access what.

Read about all the user benefits of Openly Operated certified apps here.

Why aren't there more Openly Operated products now?

The simple answer is that Openly Operated is still very new (established April 2019), so developers and businesses require time to understand its concepts and learn how to build within a fully auditable framework. As users demand real, verifiable transparency in the apps and services they use every day, the supply of Openly Operated products will naturally increase. You can help accelerate adoption by sharing this site with your friends and family to let them know that trust through transparency is possible on the internet.

XYZ App has millions of users and my friends use it - that means it's safe, right?

Don't confuse popularity with safety — they're totally unrelated. If anything, popular services are larger targets for hackers or have more potential for internal threats. Consider the fact that breaches or internal leaks at large companies are quite frequent. The Openly Operated certification hopes to turn the tide on these hacks by making everything open and comprehensively audited.

Can a decentralized or blockchain app be Openly Operated?

Yes, but not all decentralized/blockchain apps are Openly Operated. These apps must still meet Openly Operated requirements and go through the certification process, and must be especially wary of the likelihood and ease of 51% attacks (for Proof-Of-Work systems) and governance issues, such as: Are the developers anonymous? Who controls the blockchain rules, and can that control be shifted? Is it trivial for a botnet to take control and extract private user data? Are there intentional backdoors? Is all code publicly viewable, not obfuscated, and documented?

How is Openly Operated better than regular audits?

There are at least three reasons Openly Operated audits are superior:

  1. Comprehensive - When a company claims its product is "audited" and stamps a fancy logo on it, how do we know if it can be trusted? Software audits range in depth and quality, and oftentimes they're incomplete (only auditing a small portion of the product). This would be like hiring someone to evaluate the security of your home, and having them tell you your home was "audited and secure" despite only having checked the locks on one of the windows upstairs, instead of checking all the doors and windows. Partial and incomplete audits create a false sense of security for users.
  2. Open and Verifiable - Openly Operated shows the public full evidence of all the verifications completed, and how it was done. The public is given access to the Audit Kit, so they're able to also perform verifications themselves — this also creates a strong incentive for auditors to be honest, as compared to closed audits.
  3. Audit Trail - As outlined in User Benefits, there are a myriad of ways companies can be dishonest and mislead users. Openly Operated companies must leave a tamper-proof audit trail for all major infrastructure and administrative actions to prevent any abusive operator behavior.

For full details on what makes Openly Operated superior, see each of the Requirements.

How is Openly Operated better than a Privacy Policy?

Openly Operated provides public, verifiable proof of claims made in Privacy Policies. Currently, Privacy Policies provided by most websites and apps are useless, because they're promises without any actual proof, much less any proof that the public can see. It's easy for a company to simply lie through their teeth and promise they'll never share your data with third parties, or access your data without your permission.

Even if users had complete blind faith in the Privacy Policy that a company provides, many of these Privacy Policies have language so vague that it would allow a wide range of third party sharing and data abuse.

Privacy and user data handling is important, but without any actual proof of claims in Privacy Policies, the only thing they provide is a false sense of security. Openly Operated provides the necessary structure and public, verifiable proof for user privacy and security assurances.

What does it cost to be Openly Operated?

Our mission is to increase trust through transparency for as many products, apps, and services as possible, so we're giving away the Openly Operated requirements, standards, and examples for free. Anyone can build and fulfill the Openly Operated requirements for free and make their product fully transparent to the public.

In order to be certified as Openly Operated, the company or business needs to complete the audit process, which requires having auditors sign off on the company's claims. The auditor who verifies the company's Openly Operated requirements and claims can be sourced through us or can be a third-party auditor — and this part may incur some cost, paid directly to the auditor.

How is Openly Operated financially sustained?

To achieve the goal of "trust through transparency" for all apps and services, we're happy to give away the specifications, examples, reports, tools, and other materials for Openly Operated — all for free.

To fund our operations, we run the first Openly Operated VPN service, Confirmed VPN, which has also helped us flesh out the details of how to build a product that anyone can verify, as well as prove that Openly Operated actually works in a live consumer app. We chose to build this because users send all their data through VPNs, so it's critical that the VPN is fully and verifiably transparent. If you'd like to support Openly Operated while boosting your internet's security and privacy, please consider signing up for a free trial.

Why hasn't Openly Operated been done before?

In general, a clear standard for transparency on the internet has never been established and adopted en masse. While we can't be sure of why not, we have a few guesses:

  1. Prioritization of a different threat model online — the threat of an eavesdropping attacker or explicitly external threats — rather than the threat of the company or person at the other end of the connection.
  2. Companies adopting "move fast and break things" and "lean startup" mentalities, which attempt to maximize growth in the short term at the expense of security and privacy in the medium-to-long term. The fear that a competitor will beat them to the market causes reckless, unaudited development that makes users (and their private data) the guinea pigs.
  3. Not enough users asking for transparency, because they don't understand there's a difference between protecting themselves from hackers and protecting themselves against the operators/owners of the apps and services they use — and that both are extremely important.
  4. There's been a recent drastic increase in the amount of data collected by online services, and the technology to audit and limit the usage of personal data simply has not caught up yet.

We think it's the right time to educate everyday consumers about the dangers of giving their data to any online service that isn't transparent and publicly audited. And with data breaches and massive privacy violations on the rise, it's time for companies to stop focusing on launching products as fast as possible, and instead beat competitors by focusing on launching as safely as possible in order to build a trustworthy brand for the long run.

Why should I trust this website?

You're right to be suspicious of things you encounter on the internet. In fact, the lack of a system to determine if you can trust online services is why we created this website and certification.

Openly Operated aims to solve this problem with a comprehensive set of requirements and a process that create transparency and proof of claims for apps and services. This website, of course, is itself Openly Operated, fulfilling the requirements and fully audited. You can also read about who we are.

Don't just blindly trust us. Read the proof yourself, and please contact us with any feedback or questions — we'd love to know how we or Openly Operated can be even more transparent.

Why should everything be Openly Operated?

Today, almost every app and service lacks full, verifiable transparency. Here's why every product should be Openly Operated:

  • Future-Proofing - The recipe app you have on your phone that you use for making dinner may not seem dangerous, but what if one day it asks you for access to your calendar so it can schedule your purchases? Should you allow it access to your entire schedule of meetings, personal events, even vacation details? As apps get "smarter", they also increase reliance on your data — even an app as innocent as a recipe app can cause massive privacy violations.
  • Deterrent Effect - Even if most products are legitimate, for-profit companies always face the temptation to sell user data, whether that's mailing lists, IP addresses, or something else. Openly Operated forces companies to operate with full transparency as the default, preventing companies from even considering committing bad-faith actions in exchange for profit.
  • Why Not? - The question the user should be asking is "Why isn't everything Openly Operated?", rather than "Why should everything be Openly Operated?" See the list of User Benefits for more reasons why everything you use should be fully transparent.

How can I verify the identity of the auditors that produce the audit reports?

Each audit report is signed using PGP by the auditor, and comes with its PGP Signature. PGP stands for "Pretty Good Privacy", and it's an industry-standard method to allow people to digitally encrypt and/or sign documents to prove authenticity. Learn more about it here.
