To provide some insight into the mind of someone who does care about their privacy:
When I see an app or product that touts some security claim, I check around their website to see what they offer to back that claim up. I do not file support tickets asking for clarification unless I really really want the product.
People like me probably note that the product mentions end-to-end encryption and simply move on if there is no more information provided to explain this.
My thinking behind this is: When vendors are proud of their security they flaunt it. When they don't flaunt it, you should be concerned about why they aren't.
Well, not really. What you're describing is the floor for any product I'll consider (depending on what "fundamental flaws" means), but that's not security.
Security is process.
- Do the engineers writing the code have sufficient time to do a good job (assuming they are competent in the first place, which gets to the hiring process), or does marketing win that battle?
- What is the security audit process? Who has the keys to the servers, who changes the keys when one of those people leaves/dies?
- What processes exist to deliver security fixes to the lightbulb/baby monitor/robo-proctologist? How are consumers notified of the need, and how does the update payload delivery work?
- etc. etc. etc.
I mean, I do have a checklist of features for networked devices for my house. Those include things like user-serviceable certificates, root on things I own, etc. But unfortunately, when searching for a product, the important parts of the security picture are invisible, and reputation and visible implementation are really all there is to go on.
Open source client + whitepaper describing how the client encrypts the data with a particular scheme that still allows the server processing they need, without leaking undue data.
This can be as simple as: the audio stream is discarded on device unless "ok Thing" is recognized by low-quality, open-source on-device recognition software. After that, the next 2 minutes of audio are sent to the mother-ship for higher-quality recognition and analysis.
Done, privacy-preserving Amazon Echo alternative. Get a third party (the EFF?) to audit it for you and put a badge that means to semi-technical users, 'this product goes beyond snake-oil on privacy'. Super-paranoid users can inspect the code for the client, which anyway includes little more than well-known open source libraries and some trivial glue code you don't care who copies anyway.
Of course, the real reason not to do this is that companies don't want the 2 minutes of audio after the user asks their devices a question. They want the 'big data' of 24/7 surveillance (with all the beneficial applications this can have, but also the chilling ones).
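An added illustration, not from any commenter in this thread: a Python sketch of the on-device gate described above, where audio is dropped unless the wake phrase is heard and only the following two minutes are forwarded. It assumes each chunk arrives with the local recogniser's transcript attached, and "ok Thing" is a placeholder wake phrase, not a real product.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Wake phrase from the comment ("ok Thing"); a placeholder, not a real product.
WAKE_WORD = "ok thing"
UPLINK_WINDOW_S = 120.0  # the comment's "next 2 minutes"

@dataclass(frozen=True)
class Chunk:
    t: float      # capture time in seconds
    audio: bytes  # raw audio (constructed dummy bytes here)
    heard: str    # what the low-quality on-device recogniser produced (constructed)

def on_device_gate(stream: Iterable[Chunk]) -> List[Chunk]:
    """Return only the chunks allowed to leave the device.

    Everything else is discarded before it is buffered or sent, so the
    server only ever sees audio from a wake-word detection up to 2 minutes later.
    """
    uplink: List[Chunk] = []
    window_end: Optional[float] = None
    for chunk in stream:
        if window_end is not None and chunk.t < window_end:
            uplink.append(chunk)  # inside an open window: forward
            continue
        window_end = None         # any previous window has expired
        if WAKE_WORD in chunk.heard.lower():
            window_end = chunk.t + UPLINK_WINDOW_S
            uplink.append(chunk)  # the triggering utterance goes up too
        # else: dropped on device, never retained
    return uplink

# Constructed sample stream: one chunk per event over a few minutes.
SAMPLE_STREAM = [
    Chunk(0.0,   b"\x00" * 8, "background chatter"),
    Chunk(30.0,  b"\x01" * 8, "OK Thing, what's the weather"),
    Chunk(60.0,  b"\x02" * 8, "follow-up question"),
    Chunk(140.0, b"\x03" * 8, "more talking"),
    Chunk(150.0, b"\x04" * 8, "window just expired, private conversation"),
    Chunk(400.0, b"\x05" * 8, "ok thing set a timer"),
    Chunk(700.0, b"\x06" * 8, "unrelated"),
]

def uplinked_times(stream: Iterable[Chunk] = SAMPLE_STREAM) -> List[float]:
    """Timestamps of the chunks that left the device, for inspection."""
    return [c.t for c in on_device_gate(stream)]

if __name__ == "__main__":
    sent = on_device_gate(SAMPLE_STREAM)
    print(f"{len(sent)}/{len(SAMPLE_STREAM)} chunks uplinked at t={uplinked_times()}")
```

The chunk at t=150 is dropped because the window opened at t=30 closes exactly at t=150; an auditor can check the retained fraction against the design claim with a stream like this.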
As long as they're not trying to roll their own crypto, the concern is significantly lessened. I need to be convinced that this new app doesn't just rot13 everything and call that 'advanced new encryption'.
Just explaining which established crypto you're using and where you're using it goes a long way. (And please don't let Marketing write this part - specifics matter)
From my perspective anyway. Just my 2c.