The Great Trade-Off: Privacy vs. Security in Desktop Operating Systems

Allow me to preface this post by pointing out that this is largely a discussion piece that has been on my mind for the last few days. I’m sharing my personal views and frustrations in an effort to ignite a fruitful discussion with like-minded peers. While suggestions and critical feedback are always welcome, I strongly urge readers to see this as an opportunity to engage rather than as someone looking for any particular suggestions.

As someone who cares deeply about both privacy and security, I am very frustrated with the current state of desktop operating systems and commodity hardware. We are forced to choose between using an operating system that respects our privacy or an operating system that offers better proactive security features. Additionally, it is extremely difficult to find commodity personal computer hardware that meets the HSI-3 and HSI-4 requirements to better protect against physical threats. You’re effectively forced to choose between big tech companies if you care about or require a higher level of security on a personal computer, but the cost of this choice is giving up a lot of privacy for the sake of security. Likewise, you can choose to use privacy-respecting alternatives, but the cost of this choice is giving up a lot of security for the sake of privacy.
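For readers who want to check whether a given machine actually reaches the HSI-3 bar mentioned above, here is an added example (not part of the original post) that parses the summary line of fwupd's `fwupdmgr security` report. It assumes the report's first line has the documented `Host Security ID: HSI:N` shape; the sample output below is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: decide whether a machine meets a required Host Security ID
# (HSI) level from the output of `fwupdmgr security`.

# Constructed sample of the first lines of a `fwupdmgr security` report.
# The "!" suffix is fwupd's marker for runtime (not hardware) problems;
# the line format is assumed from fwupd's documented HSI output.
SAMPLE_OUTPUT='Host Security ID: HSI:2! (v1.9.10)

HSI-1
  BIOS firmware updates:         Enabled
  TPM v2.0:                      Found
HSI-3
  Pre-boot DMA protection:       Disabled'

# hsi_level: print the numeric HSI level found in the report read from stdin.
# Prints nothing if no "Host Security ID" line is present.
hsi_level() {
    sed -n 's/^Host Security ID: *HSI:\([0-9]\).*/\1/p' | head -n 1
}

# meets_hsi REQUIRED: exit 0 if the report on stdin reaches level REQUIRED.
# A missing or unparsable level is treated as "does not meet".
meets_hsi() {
    required="$1"
    level=$(hsi_level)
    [ -n "$level" ] && [ "$level" -ge "$required" ]
}

# Usage against the constructed sample; on a real system, replace the
# printf with `fwupdmgr security`.
if printf '%s\n' "$SAMPLE_OUTPUT" | meets_hsi 3; then
    echo "meets HSI-3"
else
    echo "below HSI-3 (reported level: $(printf '%s\n' "$SAMPLE_OUTPUT" | hsi_level))"
fi
```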

An unfortunate reality is that we must all think long and hard about how much privacy or security we are willing to sacrifice in order to strike the right balance. However, one could argue that this balanced approach will ultimately just leave you stranded in the middle of the spectrum where you will be worse off, even if it makes you feel better. The sad truth is that we must all choose between privacy and security when it comes to desktop operating systems and there is no real way around that. We are all given bad options and forced to choose the least worst one based on our personal objectives.

The first bad option is committing to Microsoft’s ecosystem. Microsoft has their Secured-core PC initiative that forces manufacturers to implement and enable more advanced hardware-level security mechanisms if they wish to be certified. Additionally, Windows 11 offers strong exploit mitigations, such as Control Flow Guard and Data Execution Prevention, along with Virtualization-Based Security (VBS), which isolates critical parts of the operating system to protect against attacks. The operating system also features a robust Secure Boot implementation and full-disk encryption through BitLocker, which can utilize your Trusted Platform Module for enhanced security. However, Microsoft does not respect your privacy at all. Their flagship operating system is designed to collect extensive telemetry data, including user interactions with applications and browsing habits, often without explicit consent, making it one of the worst choices for your privacy.

The second bad option is committing to Apple’s ecosystem. Apple goes above and beyond to mitigate physical attacks by designing their own hardware with security in mind, particularly with the M1 and M2 chips, which integrate advanced security features like the Secure Enclave for encrypted data storage and secure boot capabilities. Additionally, macOS on M-series hardware offers strong application security mechanisms, excellent exploit mitigations, and robust full-disk encryption through FileVault. However, Apple is still known to collect data for its own use, and they have had their hand caught in the cookie jar a few times now, such as in instances where they were found to be collecting data even when users were opted out. While Apple claims to prioritize privacy and offers features like end-to-end encryption for some services, their track record suggests that they may not be as trustworthy as they claim. As of now, I don’t believe they are a good choice if you care about privacy, but they are certainly better than their competition.

The third bad option is to commit to using a community-maintained Linux distribution. Unfortunately, the Linux kernel was not designed with security as a main priority. While kernel developers are actively working to improve this situation, many architectural choices have left it lagging behind the competition in critical areas. For example, Linux lacks built-in features like Virtualization-Based Security (VBS), System Integrity Protection (SIP), and a robust Secure Boot implementation on par with Windows or macOS. However, there are a lot of distributions to choose from that do respect user privacy.

Projects like SecureBlue attempt to address the security shortcomings of desktop Linux by offering better exploit mitigations, improved application security through stronger SELinux policies combined with Flatpaks for sandboxing, and better default settings. However, even with these customizations and patches, such projects will always fall short of the security features offered by Windows and macOS until Linux security capabilities catch up with the times. The situation becomes even worse when you’re using a typical Linux distribution. Unfortunately, this means Linux is the worst choice for those who need better security.

I realize that these are not the only three options available. However, I strongly believe these are the most reasonable choices for the vast majority of people. I fully acknowledge that we all have different priorities and comfort levels regarding privacy and security. I’m not trying to tell you that your choice is right or wrong; I am merely frustrated with the lack of a good option and hope to live in a world where we are not forced to choose between privacy and security. To achieve this, it is important that we never become complacent with selecting the least bad option and moving on with our lives.

While we need to keep our expectations aligned with reality and make informed choices that benefit us today, we must also strive for better options in the future. As a collective, we should do our part to forge a path so that future generations don’t have to make these sacrifices. This might mean pushing harder for the Linux project and major distributions to take security more seriously, compiling lists of consumer hardware with good security support, or advocating for stronger privacy laws. Honestly, while I have strong opinions and ideas, I don’t have all the answers. I am just one person on the Internet, frustrated with the current state of affairs.

I’d love to hear your thoughts. Please share what you think we can do to improve this situation as a community or how you personally feel about our existing choices.