Is the Linux environment doing enough for user privacy?

I understand that to have a reasonably private life, we need to use a private operating system. Linux offers a private experience. It doesn’t share your data to other parties without your consent, nor does it encourage or trick you to do so. Linux is designed for privacy.

Linux is also robust and designed to protect you from malware infiltration. We have world-class teams and all the eyes around the world finding flaws and patching them. And many desktop distros implement security in depth by sandboxing with Flatpak and some degree of Mandatory Access Control with AppArmor/SELinux.

Linux is, therefore, both secure and private.

And it’s safe to say that malware is a risk to user privacy. If a malicious actor can breach into your system and exfiltrate your information, it can use your operating system to act against your privacy. It follows that malware can convert your private operating system into a non-private one. Your level of privacy is, therefore, linked to your security from malware.

But Linux is, understandably, not absolutely secure. A system can be compromised through a vulnerability or user error. For example, in 2021, a Minecraft RCE exploit ran rampant. In 2023, CS:GO had a remote code execution vulnerability. In 2024, a malicious BeamNG mod breached a top Disney executive’s computer. Even VSCode has malicious extensions popping up every now and then. This is a real risk of everyday computing. Even the most well secured military perimeter is vulnerable to an officer unwittingly inviting an enemy inside. This “officer” can be either the user or an application. I accept that total impenetrability is impossible, and this isn’t because Linux is flawed or because people are stupid; it’s just a natural consequence of daily computer use.

It follows that, if we accept that an impenetrable system is unrealistic, then infiltration is always realistic. And if infiltration is realistic, then we should have some manner of post-infiltration response. This is where, in my opinion, desktop Linux falls short, because desktop Linux environments have no automated post-infiltration response. What measures do we have to identify if a compromise has occurred? How is the average user supposed to know they have been pwned so they can wipe their system? We don’t have any accessible means of identification, as far as I know.

Entertain the previous example: imagine if a user had played CS:GO in 2023 and had their system compromised by a malicious server. From their perspective, nothing in their computing would have changed despite the compromise. They would continue using their computer for years, allowing the breacher to gather and act against their privacy until they ceased use of that system.

Windows addresses this in their security model. Microsoft Defender periodically scans files and also each file before it’s executed. It also actively scans processes running in the background for suspicious patterns. And if it finds something suspicious, it tells the user and it lets the user act on that information. How come Linux distros don’t offer these solutions as part of standard security practice? If privacy depends on security from malware, why are we not addressing this?

4 Likes

In my opinion, Linux relies more on the user’s own understanding of the risks involved in using the OS rather than on being secure. Because by employing the type of anti-malware solution that Windows does, you are in some aspects giving away some privacy.

Windows is tailored to users who want things done for them, whereas Linux is used by people who want to do things themselves, at least that’s how I see it.

To add, Windows isn’t inherently safer than Linux: virus signatures can be out of date, most malware targets the Windows user base, and by default you don’t even have root access on Linux.

So neither is more or less safe when you consider the human factor, because regardless of any anti-malware solution you have, you aren’t 100% secure.

4 Likes

Not necessarily. A heuristics-based, behavioral live analysis of software is not inherently privacy-invading. Windows’ specific method of doing it involves automated sample submission and cloud analysis. This is not a necessary condition for this type of solution. It is only how they chose to augment it.

I understand the sentiment, but these two aspects have little to do with post-infiltration analysis.

Which one of Windows or Linux is more secure is ultimately a different question. Windows security benefits from automated compromise identification. Linux environments would benefit as well.

Yes, neither operating system is 100% secure. My original post builds on top of this as a premise.

2 Likes

Qubes OS bases its entire existence on this assumption:

I will get around to answering your remaining questions later today (12-24 hours from this one).

2 Likes

It does, but Qubes implements a security solution through virtual machine compartmentalization. While it’s a valid approach to security, it comes with significant tradeoffs that make it not a viable day-to-day use system for the vast majority of users.

2 Likes

Linux desktop distros are good for privacy from the perspective of the maintainers not harvesting your data, but there is a lack of sandboxing and modern permission controls. Not every program should be able to access all user files, camera, microphone etc. by default.

The Linux kernel is the best we have, but it is a monolithic kernel written mostly in memory-unsafe languages. Most commits are from developers working for large tech companies; hardening especially is dependent on their contributions.

Security is important if you want privacy. I will happily replace Linux on my devices once the future brings a stable and usable OS running on a modern microkernel written in Rust.

4 Likes

The Linux community has done a lot in regards to sandboxing with Flatpaks. The sandboxing is not perfect, but it’s a step in the right direction. But still, this does not address the question: how can a user know if they’re compromised? As far as I know, no popular Linux distro has systems that detect a possible breach of security.

2 Likes

I agree. You may be interested in this Qubes OS topic that just popped up within the last 12 hours:

I have time to address your questions now.

Heads or TrenchBoot:

Usually that indicator is unexpected privileged behaviour, even if it ends up being benign. There is a dedicated category on the Qubes OS Forum for such suspicions:

My best answer is that Linux distributions are generally not opinionated regarding privacy nor security compared to centralized vendors.

Everyone’s threat model is different, so what may be sufficient countermeasures for one individual may not be for another.

How come Linux distros don’t offer these solutions as part of standard security practice?

Linux lives more in an open-source ecosystem where developers develop free software under their own names. There’s much less chance of infection when you have GIMP instead of some cracked commercial image editor. The market segment is also too small to make it profitable.

Also, you can and should do better: open potentially malicious files in a live CD, or Qubes disposable VM, never execute files you don’t inspect first, airgap sensitive data to safe environments to guard against exfiltration, have airgapped backups in case of ransomware etc.

1 Like

Don’t download software from random places, it’s literally as simple as that. Linux, unlike Windows, doesn’t require you (for the most part) to download software from websites. Your package manager, or Flatpak, will be your source, lowering the risk of phishing.

For the rest, antivirus software is just a bunch of other things, like a firewall. Most Linux distros have a built-in one.

1 Like

While this is all good advice, it doesn’t account for the scenarios in which the user isn’t at fault for infection, like in the examples I posted above of two games posing malware infiltration risks despite the user having run entirely trustworthy software.

2 Likes

The user is entirely responsible for malicious compromise because they chose to trust two proprietary software applications despite the technical inability to audit/review the source code themselves.

How many of the tens of millions of lines of code which run on your devices did you check yourself? Do you check every update? Did you compile all binaries yourself?

7 Likes

I don’t think the question of the thread title matches the thread.

Linux is perfectly fine for user privacy, or I should say most distros offer better privacy than other desktop OSs. I don’t think there is debate here.

But the conversation is geared at security, which is a long-standing weakness of Linux.

The Linux kernel is likely incrementing ever so slowly towards better security, but a lot of distros need to do work atop the kernel. Flatpak isn’t a kernel product.

Honestly, this is why I run Secureblue for my daily driver. Even they say it’s for those who want privacy first, security second.

4 Likes

A normal application should, if possible, be sandboxed in a way that no matter what code runs inside, it can’t attack the operating system or other applications (as long as it doesn’t abuse an unpatched zero-day exploit).

2 Likes

If someone pwns your device and steals your files, you don’t have privacy. If your security/threat model includes invasion of your privacy, then losing privacy means losing security.

Security and privacy have different definitions, but generally with computers you can’t have one without the other.

1 Like

When you say the user is “responsible for the malicious compromise”, I will make the good faith assumption that you mean to say that the user is at fault for the compromise due to negligence.

And I assume this supposed negligence arises from the fact that they did not audit or review the source code themselves and instead chose to trust the developers of the proprietary applications to keep them secure.

Following this, all users I know – myself included – are negligent. Because we don’t individually review the source code of all of the applications we run, even if they’re free and open-source. In this manner, Terry A. Davis may have been the only responsible computer user to ever exist.

It matches the thread if you agree with me that privacy is dependent on security from malware. As I said, malware can turn a private operating system into a non-private one. Therefore it is paramount that a private operating system have sufficient security from malware to maintain a level of privacy.

This is true – prevention is an effective form of security. It is, however, just one layer of security. Realistically, thousands of packages in your operating system aren’t sandboxed, and several user-level applications cannot be sandboxed because it would fundamentally limit their use (like IDEs for example). This is why I argue in favor of a last-layer of defense, one that is intrusion detection, because absolute impenetrability is impossible.

2 Likes
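As an added illustration of the “last layer” argued for above, and of the “unexpected privileged behaviour” indicator mentioned earlier in the thread, here is a minimal host-integrity check for a single-user desktop: it snapshots hashes, mode bits and owners of files in places persistence tends to land, diffs two snapshots, and flags new or changed files that carry setuid/setgid bits. This is example code written for this thread, not part of any distro or of ClamAV; which paths to watch (e.g. `~/.config/autostart`, `~/.bashrc`, `~/.ssh`) is an assumption, and `demo()` builds a constructed scenario in a temporary directory.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """SHA-256, mode bits and owner of one regular file."""
    st, h = path.lstat(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode, "uid": st.st_uid}

def iter_files(root: Path):
    """Yield regular (non-symlink) files under a file or directory root."""
    if root.is_file() and not root.is_symlink():
        yield root
    elif root.is_dir():
        yield from (p for p in root.rglob("*") if p.is_file() and not p.is_symlink())

def build_baseline(roots) -> dict:
    """Snapshot every watched file; roots that do not exist are skipped."""
    # Typical roots to watch (an assumption): ~/.config/autostart, ~/.bashrc, ~/.ssh
    return {str(p): fingerprint(p)
            for r in roots for p in iter_files(Path(os.path.expanduser(r)))}

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; also flag setuid/setgid on new or changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    privileged = sorted(p for p in added + modified
                        if current[p]["mode"] & (stat.S_ISUID | stat.S_ISGID))
    return {"added": added, "removed": removed,
            "modified": modified, "privileged": privileged}

def demo() -> dict:
    """Constructed scenario: a tampered autostart entry and a dropped setuid file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autostart.desktop").write_text("[Desktop Entry]\nExec=true\n")
        before = build_baseline([root])
        (root / "autostart.desktop").write_text("[Desktop Entry]\nExec=false\n")
        dropped = root / "helper"
        dropped.write_bytes(b"constructed placeholder, not a real binary")
        dropped.chmod(0o4755)  # setuid bit: the "unexpected privilege" signal
        report = compare(before, build_baseline([root]))
    return {k: [Path(p).name for p in v] for k, v in report.items()}
```

In practice the baseline would be saved somewhere the compromised account cannot rewrite (read-only media or a separate machine), since a diff against a tamperable baseline proves little.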

Right, that also goes back to the initial post I made in this topic. Even if everyone reviewed every line of code with the prerequisite expertise before installing the software, it may contain bugs that could be chained as an attack vector to perform privilege escalation or other objectives. In this case, auditing the code before compiling it is not sufficient to counter compromise.

What about ClamAV? https://www.clamav.net/

1 Like