<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Breaks &amp; Ciphers</title>
    <link>https://breaksciphers.com/</link>
    <atom:link href="https://breaksciphers.com/feed.xml" rel="self" type="application/rss+xml"/>
    <description>A small R&amp;D lab focused on open-source cybersecurity, cryptography, and privacy.</description>
    <language>en</language>
    <lastBuildDate>Fri, 19 Jun 2026 16:38:15 +0000</lastBuildDate>
    <item>
      <title>Neocypherpunk Summit</title>
      <link>https://breaksciphers.com/notes/neocypherpunk-summit/</link>
      <guid>https://breaksciphers.com/notes/neocypherpunk-summit/</guid>
      <pubDate>Mon, 15 Jun 2026 12:38:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" alt=""></p>
<p>Yesterday I attended the Neocypherpunk Summit in Berlin with hundreds of people from various backgrounds who all care about the human right to privacy.</p>
<p>The term “cypherpunk” used to refer to extremely technical lone wolves who dedicated their lives to privacy. Thankfully, it has now evolved into a movement where anyone who cares about privacy is welcome, no matter their background. In one day I heard talks from human rights organisations, activists, engineers, academics, and philosophers.</p>
<p>People care about privacy to differing degrees and for various reasons. Some people need to protect their safety, some want to chat with their loved ones in a safe space, while others simply don’t want their data to enrich a tech oligarch who they don’t trust.</p>
<p>Privacy doesn’t mean isolating yourself from society; it is about the right to choose what information you share with whom. Yesterday was the opposite of isolation, with hundreds of people making friends, sharing ideas, and feeling inspired.</p>
<p>Whatever your reason, if you feel a bit uncomfortable about where your data flows behind your back, feel free to message me and we can come up with something small you can do today. It’s usually as simple as replacing one of your apps with another that has the same features, but is more secure. It feels empowering!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" />
      <media:content url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/neocypherpunk-summit/privacy-summit.jpg" length="445223" type="image/jpeg" />
    </item>
    <item>
      <title>Building a secure open-source tasks app</title>
      <link>https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/</link>
      <guid>https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/</guid>
      <pubDate>Mon, 08 Jun 2026 11:13:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" alt=""></p>
<p>At Breaks &amp; Ciphers I’m building a secure open-source tasks app. Our day-to-day tasks are some of the most valuable data points to creeps, so I think we should protect them.</p>
<p>I intend to use it as a testbed for the state of the art in building, testing, and deploying applications when security and privacy are uncompromising goals.</p>
<p>The app may end up with measures that seem extreme for a tasks app, but the underlying purpose of this project is to push open-source security and privacy forward. I hope to find where these are most difficult to achieve for maintainers, and publish research and tools to fill these gaps.</p>
<p>Some of the early security design investigations I’m doing are:</p>
<ul><li>Using Rust + FFI vs app development languages like Kotlin/Swift</li><li>Using cross-platform frameworks vs per-platform development</li><li>Peer-to-peer sync / backup options</li><li>Where to use formal verification</li></ul>
<p>As references, I’ll be comparing other apps that are known for their security:</p>
<ul><li><a href="https://signal.org/" target="_blank" rel="noopener noreferrer">Signal</a></li><li><a href="https://grapheneos.org/" target="_blank" rel="noopener noreferrer">GrapheneOS</a>&#x27;s built-in applications (SMS, PDF viewer, etc.)</li><li><a href="https://bitwarden.com/" target="_blank" rel="noopener noreferrer">Bitwarden</a></li><li>Apps recommended by <a href="https://www.privacyguides.org/en/" target="_blank" rel="noopener noreferrer">Privacy Guides</a></li></ul>
<p>Let me know if there’s a different app you consider to be the gold standard in secure development!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" />
      <media:content url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/building-a-secure-open-source-tasks-app/secure-tasks.jpg" length="35457" type="image/jpeg" />
    </item>
    <item>
      <title>Tools for assessing open-source security</title>
      <link>https://breaksciphers.com/notes/tools-for-assessing-open-source-security/</link>
      <guid>https://breaksciphers.com/notes/tools-for-assessing-open-source-security/</guid>
      <pubDate>Thu, 28 May 2026 12:07:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" alt=""></p>
<p>It’s currently too hard for users and developers to figure out which open-source software is secure and trustworthy.</p>
<p>The most prominent assessment tool I’ve found is <a href="https://github.com/ossf/scorecard" target="_blank" rel="noopener noreferrer">OpenSSF Scorecard</a>, which assesses projects for security risks through a series of automated checks, assigning each project a score out of 10.</p>
<p>Unfortunately, it hasn’t proliferated enough yet. Most users have never encountered Scorecard, so it doesn&#x27;t affect their choices. And if it doesn’t directly affect weekly downloads or clout, most maintainers aren’t incentivised enough to adopt it. Scorecard also isn’t a fully comprehensive security assessment.</p>
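<p>To make concrete how that single number out of 10 is built, here is an added example (mine, not code from this post or from the Scorecard project) that re-derives the aggregate from per-check results in a constructed document shaped like <code>scorecard --format json</code> output. The field names, the risk weights (Critical 10, High 7.5, Medium 5, Low 2.5) and each check’s risk tier are taken from my reading of the Scorecard repository and should be confirmed against the version you run; the sample result itself is invented.</p>

```python
"""Re-derive an OpenSSF Scorecard aggregate score from its per-check results.

Added example, not code from the post above or from the Scorecard project.
Assumptions (verify against the Scorecard version you run):
  * `scorecard --format json` emits a top-level "score" and a "checks" list
    whose entries carry "name", "score" and "reason";
  * a check that could not reach a verdict is reported with score -1;
  * the aggregate is a risk-weighted mean of the remaining check scores.
"""
import json

# Risk tiers and their weights in the aggregate (assumed from the Scorecard source).
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Risk tier of each check (assumed from the Scorecard docs/checks.md).
CHECK_RISK = {
    "Binary-Artifacts": "High",
    "Branch-Protection": "High",
    "CI-Tests": "Low",
    "CII-Best-Practices": "Low",
    "Code-Review": "High",
    "Contributors": "Low",
    "Dangerous-Workflow": "Critical",
    "Dependency-Update-Tool": "High",
    "Fuzzing": "Medium",
    "License": "Low",
    "Maintained": "High",
    "Packaging": "Medium",
    "Pinned-Dependencies": "Medium",
    "SAST": "Medium",
    "Security-Policy": "Medium",
    "Signed-Releases": "High",
    "Token-Permissions": "High",
    "Vulnerabilities": "High",
}

INCONCLUSIVE = -1  # assumed sentinel for "check produced no verdict"

# Constructed sample in the assumed JSON shape; not a real project's result.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/project", "commit": "0123456789abcdef"},
    "score": 8.2,  # headline value; aggregate_score() re-derives it below
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Branch-Protection", "score": INCONCLUSIVE, "reason": "token lacks permission to read branch settings"},
        {"name": "Code-Review", "score": 3, "reason": "found 7 unreviewed changesets out of 10"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
        {"name": "Signed-Releases", "score": INCONCLUSIVE, "reason": "no releases found"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "dependencies not pinned by hash detected"},
        {"name": "Token-Permissions", "score": 10, "reason": "workflow tokens follow least privilege"},
        {"name": "Maintained", "score": 10, "reason": "30 commits and 5 issue activities in the last 90 days"},
    ],
})


def aggregate_score(result_json):
    """Risk-weighted mean of the check scores that ran, rounded to one decimal.

    Inconclusive (-1) checks are skipped entirely: they neither add to the total
    nor to the weight, so they do not count as failures. Returns None if no check ran.
    """
    result = json.loads(result_json)
    total = weight_sum = 0.0
    for check in result["checks"]:
        if check["score"] == INCONCLUSIVE:
            continue
        weight = RISK_WEIGHT[CHECK_RISK[check["name"]]]
        total += weight * check["score"]
        weight_sum += weight
    return round(total / weight_sum, 1) if weight_sum else None


def inconclusive_checks(result_json):
    """Checks that produced no verdict, mapped to the reason Scorecard gave."""
    result = json.loads(result_json)
    return {c["name"]: c["reason"] for c in result["checks"] if c["score"] == INCONCLUSIVE}


def failing_checks(result_json, threshold=5):
    """(name, score) pairs for checks that ran and scored below threshold, highest risk first."""
    result = json.loads(result_json)
    rank = {tier: i for i, tier in enumerate(RISK_WEIGHT)}  # Critical=0 ... Low=3
    low = [(c["name"], c["score"]) for c in result["checks"]
           if c["score"] != INCONCLUSIVE and c["score"] < threshold]
    return sorted(low, key=lambda pair: (rank[CHECK_RISK[pair[0]]], pair[0]))


if __name__ == "__main__":
    print("aggregate:", aggregate_score(SAMPLE_RESULT))
    print("failing:", failing_checks(SAMPLE_RESULT))
    print("inconclusive:", inconclusive_checks(SAMPLE_RESULT))
```

<p>The headline 8.2 hides that Branch-Protection and Signed-Releases produced no verdict at all: under the assumed aggregation, inconclusive checks drop out of the weighted mean rather than counting as failures, so a result with several -1 entries can look better than one where every check actually ran. Read the per-check list alongside the score.</p>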
<p>Whether it’s Scorecard or something else, I do believe automated assessments have strong potential. At Breaks &amp; Ciphers I’ve been considering some features that could result in a successful movement:</p>
<ul><li>Fact-checking: a trustworthy assessment can’t currently be achieved solely through static checks or AI (hallucinations, prompt injections). There need to be incentives designed to encourage fact-checking or approval of automated results, similar to <a href="https://communitynotes.x.com/guide/en/about/introduction" target="_blank" rel="noopener noreferrer">X’s Community Notes</a> feature.</li><li>Stages instead of scores: a scoring system may be too daunting for maintainers if their projects start out with very low scores. One alternative I like is a stage-by-stage framework, where projects work their way up through several security and trust model stages over time. I saw the effectiveness of this approach in the <a href="https://l2beat.com/" target="_blank" rel="noopener noreferrer">L2BEAT</a> initiative, and there is a similar <a href="https://github.com/walletbeat/walletbeat" target="_blank" rel="noopener noreferrer">Walletbeat</a> initiative in beta. Perhaps we need a Softwarebeat.</li><li>Inform the user: the security and trust status of the project needs to be shown clearly in GitHub, app stores, and package providers. Otherwise users and developers won’t hear about it, and maintainers won’t care about it. Even if we can’t get GitHub or Google Play onboard at the beginning, we could demonstrate the effectiveness by achieving integration in smaller platforms, such as the <a href="https://github.com/ImranR98/Obtainium" target="_blank" rel="noopener noreferrer">Obtainium</a> APK installer.</li></ul>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" />
      <media:content url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/tools-for-assessing-open-source-security/scorecard-post.jpg" length="64577" type="image/jpeg" />
    </item>
    <item>
      <title>Announcing Breaks &amp; Ciphers</title>
      <link>https://breaksciphers.com/notes/announcing-breaks-and-ciphers/</link>
      <guid>https://breaksciphers.com/notes/announcing-breaks-and-ciphers/</guid>
      <pubDate>Mon, 18 May 2026 12:39:00 +0000</pubDate>
      <description><![CDATA[<p><img src="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" alt=""></p>
<p>I want to live in a world where the software we use is highly secure, including security against mass surveillance by advertising agencies and intelligence agencies. I don’t believe this will happen if the software we use daily continues to be owned by companies whose primary incentive is to maximise shareholder value. I believe this is achievable through open-source software, now more than ever before, because today’s engineers can build good software on much tighter resources.</p>
<p>There was once an implicit deal between society and big tech: we give you our data, you provide us with great free products, good jobs, and positive economic impact. Whether through greed or other reasons, big tech has betrayed this deal. Products become worse for our health to maximise profits (slot machine algorithms, AI slop, TikTok-like videos). Job cuts are encouraged in favour of centralised AI. Wealth doesn’t trickle down effectively, and the divide seems to be accelerating.</p>
<p>On the surveillance side, whistleblowers and leaks over the years have demonstrated how some states are willing to violate the privacy of innocent people across the globe via software exploits and backdoors. The current geopolitical climate leads me to believe we may see further steps backward in this area. As a citizen of a neutral country, Ireland, I think it&#x27;s completely reasonable to demand the ability to verify that the technology I use does not contain backdoors or vulnerabilities accessible by foreign states.</p>
<p>At Breaks &amp; Ciphers, we will do consistent work toward regaining our security and privacy. We will analyse trust models deeply to provide recommendations on which software to use, along with how we can improve these trust models over time. We’ll make contributions and security improvements to open-source projects. We’ll produce new open-source projects when necessary.</p>
<p>While the need for Breaks &amp; Ciphers comes from quite a sad state of the digital world, I don’t see the road forward as a lonely, dark path. I see it as a hopeful path where the thousands of engineers, researchers, journalists, activists, lawyers, communities and organisations who have fought for people’s digital sovereignty can win. And we’re going to have tonnes of fun and fulfilment along the way.</p>
<p>For examples of software to be optimistic about, think of Signal, GrapheneOS, Tor.</p>
<p>But I’m not recommending these yet; you’ll need to wait for the research!</p>]]></description>
      <media:thumbnail url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" />
      <media:content url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" type="image/jpeg" medium="image" />
      <enclosure url="https://breaksciphers.com/notes/announcing-breaks-and-ciphers/breaksciphers.jpg" length="82039" type="image/jpeg" />
    </item>
  </channel>
</rss>
