In a system built for trustless verification, why must we trust server operators with our digital footprints?