Heuristics to leverage the power of technologies without vendor lock-in

May 10th, 2026

This is a quick write-up of a talk I gave recently.

I am writing this to share with some people who missed the talk.

The talk was about heuristics I use to choose software.

Please note: it's pretty esoteric, and might sound radical to some degree. But it is an experiment in criticising technology, not to be confused with rejecting the use of technology --- I am a technophile.

Motivations

It all started 10 years ago. I started to question technologies because I was not happy about how technologies influenced my everyday life and the way it forced me to do business.

I first deleted Facebook and deprecated Gmail and then later deleted my LinkedIn account, ditched my smartphone and sold my Macbook.

This was not a straightforward path with a guide to follow. I went through many phases and I have used various criteria --- some I have kept, some I have ditched.

At the beginning I thought that using "privacy-friendly" products only was a good strategy, then I looked at Open Source as a criterion, and later moved a little bit further and focused on only using technologies whose source code is freely distributed (Free Software).

However, and that is the focus of the talk today:

while I see free distribution of source code as a necessity to avoid vendor lock-in, or any asymmetry of power between users and providers, I deem that this criterion is not enough.

For example, Signal Messenger's source code is freely distributed (licensed under AGPL).

Yet, Signal Messenger is a walled-garden:

No one else other than the organisation behind Signal can host an instance of Signal, essentially locking users in.

So in this talk (or blog post here) I would like to clarify why free distribution of source code --- which is a sine qua non to avoid vendor lock-in --- is not enough to effectively avoid vendor lock-in.

To explain this, I talk about software or distributions whose source code is freely distributed, yet which I don't use because usage of those technologies draws users into a situation of asymmetry of power, or vendor lock-in.

Quick reminder

Before I outlined the heuristics during the talk, I gave a short definition of what it means for source code to be freely distributed, or Free Software. I did so not just because some of the audience was not familiar with the matter, but also because some companies claim that their software is Open Source or Free Software when it does not meet the definition of either.

The definition (by the FSF) --- essentially there are four aspects:

Freedom to run: that is the possibility to use the software as you wish; there must be no restrictions on that end. The Open Source definition also stipulates that rule. However, I often see projects defining their software as Open Source when they actually restrict usage, for example by prohibiting commercial usage or barring certain industries from running their software.

Freedom to study: that is to study the source code; again, some people call software they distribute Open Source when their software does not meet that condition. For example, ProtonMail open-sourced part of the WebApps while the back-end is not,[1] and advertises the whole of ProtonMail as Open Source while it is not.

Freedom to redistribute: there must be no restrictions to distribute copies of that software, or its source code.

Freedom to redistribute modified copies: there must be no restrictions to re-distribute modified copies, even commercially, always.

Now onto the heuristics.

5 Heuristics

The self-hosting test, just a test

Most mainstream software can only be hosted by a single company: GitHub by Microsoft, Notion by Notion Inc, Google for Work by Alphabet Inc. etc --- but it does not have to be this way.

You can use software that any company can host --- so there is no vendor lock-in. If you are not happy with a provider, you can carry on using the same software --- and switch provider. The test to check whether you can do so is to ask whether you could self-host the software. Not because you'd want to self-host, but because if you can self-host, another company can host it too, and that is a protection against asymmetry of power: vendors cannot lock you in.

Free distribution of source code is a necessary condition to self-host but not a panacea.

Signal is an example of software whose source code is freely distributed but that can't be self-hosted.

The self-hosting-test is my first heuristic. Again, that does not mean I self-host. I usually find instances of services I can use: instances of PrivateBin, Forgejo (alternative to GitHub), Etherpad (shared document), Jitsi (VoIP), Nextcloud, Vaultwarden[2], Croodle (surveys) and more.

Telemetry

Some software sends telemetry to third parties: data about what you do on your devices.

A couple of examples are Firefox and Thunderbird.

The source code of both programs is freely distributed, yet they send data back to their parent organisation.

The good news is that because the code is copyrighted under a license that encourages users to study, modify and redistribute the code, programmers can remove the parts of the code that record what you do and send it away, and then redistribute versions of the software that don't track what users do or send data to third parties.

So I use forks (modified copies) of Firefox and Thunderbird whose telemetry has been removed (the forks are abrowser and Icedove).

When it is not *fully* freely distributed

The keyword is fully here.

How does that work?

Software is made of other pieces of code: programs, libraries, other software and so on.

Sometimes, programmers publish the source code of a technology, or define the technology they distribute as Open Source or Free Software, yet the technology they distribute carries non-free blobs. That means that binary (non-free) files are included amongst the source code files, or, if we are talking about Linux distributions, that non-free packages or programs are included in that specific distribution.

Ubuntu and Debian GNU/Linux are examples.

Both distributions call themselves Free and Open Source, yet they include proprietary programs and proprietary blobs --- so they are not fully free.

That is a question I ask myself when I look at a piece of software or a distribution: is it fully free? Or does it carry binary blobs or non-free packages?

That is why I use a fork of Ubuntu where proprietary packages and blobs have been removed, Trisquel GNU/Linux. GNU Guix is another option.[3]
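One way to ask the "is it fully free?" question of a Debian- or Ubuntu-based system you already run, as an added example that is not from the talk: dpkg records each package's archive area as a prefix of its Section field, so the installed packages that come from non-free areas can be listed from the dpkg status file. The package names and the sample text are constructed, and the check only reads the archive area, so it does not detect blobs shipped inside a package from the main area.

```python
import sys

# Non-free archive areas: non-free, non-free-firmware (Debian); restricted, multiverse (Ubuntu).
NONFREE_AREAS = {"non-free", "non-free-firmware", "restricted", "multiverse"}

# Constructed sample in dpkg status format (not taken from a real system).
SAMPLE_STATUS = """\
Package: coreutils
Status: install ok installed
Section: utils
Description: GNU core utilities
 Note: basic file, shell and text tools

Package: example-wifi-firmware
Status: install ok installed
Section: non-free-firmware/kernel

Package: example-codecs
Status: deinstall ok config-files
Section: multiverse/sound
"""

def parse_stanzas(text):
    """Yield one dict of fields per blank-line-separated stanza."""
    for block in text.split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields

def nonfree_installed(text):
    """Return sorted (package, area) pairs for installed non-free packages."""
    hits = []
    for pkg in parse_stanzas(text):
        area = pkg.get("Section", "").partition("/")[0]
        installed = pkg.get("Status", "").split()[-1:] == ["installed"]
        if installed and area in NONFREE_AREAS:
            hits.append((pkg["Package"], area))
    return sorted(hits)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if sys.argv[1:] else SAMPLE_STATUS
    for name, area in nonfree_installed(text):
        print(f"{name}\t{area}")
```

Run it with `/var/lib/dpkg/status` as the argument to audit a real system; with no argument it uses the constructed sample.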

Some Free Software are walled-gardens

First: what's a walled-garden?

A walled-garden is a digital space whose controller decides who can join and who cannot.

For example, the iPhone, iOS and the App Store are walled-gardens.

As a developer, you cannot distribute your application without approval from the controller and the controller can remove or block your access overnight.

Apple is not the only company to run walled-gardens.

The Windows operating system is taking that path too; it used to be that developers needed no approval from Microsoft to release software on Microsoft's operating system, but now they do, and this creates a walled-garden situation.

Recently, the maintainers of both VeraCrypt and WireGuard got locked out of the accounts that allowed them to sign drivers, and thus could no longer distribute updates of their software on Windows.

That said, the walled-garden issue does not only pertain to proprietary software (Windows, Apple etc).

Some Free Software projects are also walled-gardens; for example Signal Messenger (as mentioned earlier).

Why?

No one other than the organisation behind Signal can run an instance of Signal.

No one can join the Signal network with their own independently run server.

It is a technical choice which the founder of Signal made on the grounds of security.

I argue that walled-gardens cannot be secure for two reasons. First, because there is an asymmetry of power and no mechanism to keep the hubris of purveyors in check.[4] They fail the self-hosting test and thus lock users in. Second, from an epistemic perspective, which is the last point.

Epistemic security

A couple of questions I ask myself when I consider using a technology are:

What knowledge does usage of a technology prompt me to develop?

Meaning: is usage of that technology making me dumber, or instead fostering my abilities thus empowering me to develop new knowledge?

That last point, which I did not discuss during the talk, is part of my heuristics. I'll discuss it further in an essay to be published.[4]

[1] ProtonMail's homepage states that the service is Open Source: "All Proton services are open source". They are not. The CTO himself corroborated that ProtonMail is not fully Open Source.
[2] A fork of Bitwarden, since Bitwarden carries binaries --- see its repository.
[3] You can find the list of distributions that are fully free on the FSF's website.
[4] You can sign up there to receive an email when Klara Franz Verlag publishes the essay.