Yes? A/B testing flags, auto-updates, server-side re-routing, etc are just some mechanisms from the top of my head that can do that.

The ways to avoid it is by having locked and cryptographically verified software and connections.

▲

izacus 3 hours ago | parent [-]

That's not evidence, that's conjecture again. Is there evidence that this kind of client push is actually used to extract data in these projects?

▲

nextaccountic 3 hours ago | parent | next [-]

That's evidence for the mechanism, as asked

The evidence that it's being actively used in the US is in the secret proceedings of a secret court. I kid you not, look up FISA warrant

▲

Imustaskforhelp 3 hours ago | parent | prev [-]

Not sure if that counts as proper evidence, but I have seen some logs[0] albeit with encryption but from my understanding, they control the encryption keys or atleast certainly have the ability to change (if they get hacked themselves for example)

Would you like to see a proper evidence of the logging policy? I feel like I can try finding that again if you/HN community would be interested to see that.

Edit: also worth pointing out that keeping logs with time might be a form of meta-data, which depending on your threat-vector (journalism etc.) can be very sensitive info.

[0]: my another comment here: https://news.ycombinator.com/item?id=47624960

	▲	izacus 2 hours ago \| parent [-]
		I'd like to see any kind of evidence that there's any substance of in these accusations of services not actually being private - not just theoretical theorycrafting about mechanisms. And how does that compare to other services we have available and people actually use.