Risks of using US apps and services
Report: There are increased security risks when using US-developed apps and services for global entities.
Tags: cybersecurity
Posted on: 2026-04-02
Today I wanted to address the increased risks of using apps and services (software) developed in the United States. These risks have increased substantially during the past year and should be considered before anyone uses US-developed software, whether in Canada or anywhere in the rest of the world going forward.
This week, the FBI released a report that exposes potential risks of software from certain countries, but fails to mention the much more numerous risks present in US software. This post details some of those risks along with mitigation options, and is aimed at both individuals and corporations.
Risk categories
Users should be aware that modern software typically connects to cloud servers, often hosted and managed by US entities. Several risk categories arise from this type of connection:
- Connections are made over the public Internet and pass through various network providers. The NSA has a long history of spying on both domestic and foreign entities through vast partnerships with network providers. Any data that touches a US network is likely being collected through this system. This is also true if your data transits through one of the "Five-Eyes" countries (US, UK, Canada, Australia, New Zealand), which also do broad collection of communications data.
- US laws can compel providers to hand over any user data through a low barrier-to-entry administrative warrant, even if the data is stored abroad, creating conflicts with foreign privacy laws. For example, data stored in Canada or the EU on Microsoft or Amazon owned servers are still subject to the CLOUD Act, which means the US government can compel these companies to hand it over. This can mean private data owned by users are subject to review by government employees, and the warrants typically forbid companies from even informing their users that the data was handed over to the authorities.
- Studies show that cyber attacks on popular US services have surged recently, and the trend is only going up. This includes things like DDoS attacks, data breaches, supply chain compromises, ransomware and more. Using a US-based application or service comes with a heightened risk of compromise, especially compared to open source solutions.
- US tech companies have a long history of using "embrace and extend" along with "vendor lock-in" strategies to unfairly gain market share. This has been going on since Microsoft killed Netscape by using its Windows monopoly to push its browser on every computer, and is still going on with features like Microsoft Copilot being forced upon users. Facebook is also guilty of copying features from competitors (Stories from Snapchat, Reels analogous to TikTok) and Amazon has a long history of bullying publishers and smaller shops. By using US-based services, you add to that bullying power through another set of eyes that they can sell their services to.
Mitigation and alternatives
You can mitigate these risks by adopting good security hygiene. Namely:
- Disable any data and telemetry sharing.
- Enable all possible privacy options.
- Ensure you only use software from sources you trust.
- Perform regular software updates.
- Opt for self-hosted solutions rather than cloud services.
Unfortunately, some risks can only be avoided completely by using alternatives to US software whenever possible. Here are some useful lists you can use:
- Canadian-Tech.ca - A list of Canadian digital services alternatives.
- European-Alternatives.eu - A list of EU-based digital services alternatives.
If you believe your data has been compromised, or you have experienced suspicious activity related to a US-developed app or service, file a complaint with your government. Most countries have a government entity responsible for reviewing these instances, such as the Office of the Privacy Commissioner of Canada (OPC).