The Great Trade-Off: Privacy vs. Security in Desktop Operating Systems

Allow me to preface this post by pointing out that this is largely a discussion piece that has been on my mind for the last few days. I’m sharing my personal views and frustrations in an effort to ignite a fruitful discussion with like-minded peers. While suggestions and critical feedback are always welcome, I strongly urge readers to see this as an opportunity to engage rather than as someone looking for any particular suggestions.

As someone who cares deeply about both privacy and security, I am very frustrated with the current state of desktop operating systems and commodity hardware. We are forced to choose between using an operating system that respects our privacy or an operating system that offers better proactive security features. Additionally, it is extremely difficult to find commodity personal computer hardware that meets the HSI-3 & HSI-4 requirements to better protect against physical threats. You’re effectively forced to choose between big tech companies if you care about or require a higher level of security on a personal computer, but the cost of this choice is giving up a lot of privacy for the sake of security. Likewise, you can choose to use privacy respecting alternatives, but the cost of this choice is giving up a lot of security for the sake of privacy.

An unfortunate reality is that we must all think long and hard about how much privacy or security we are willing to sacrifice in order to strike the right balance. However, one could argue that this balanced approach will ultimately just leave you stranded in the middle of the spectrum where you will be worse off, even if it makes you feel better. The sad truth is that we must all choose between privacy and security when it comes to desktop operating systems and there is no real way around that. We are all given bad options and forced to choose the least worst one based on our personal objectives.

The first bad option is committing to Microsoft’s ecosystem. Microsoft has their Secure Core initiative that forces manufacturers to implement and enable more advanced hardware-level security mechanisms if they wish to be certified. Additionally, Windows 11 offers strong exploit mitigations, such as Control Flow Guard and Data Execution Prevention, along with Virtualization-Based Security (VBS), which isolates critical parts of the operating system to protect against attacks. The operating system also features a robust Secure Boot implementation and full-disk encryption through BitLocker, which can utilize your Trusted Platform Module for enhanced security. However, Microsoft does not respect your privacy at all. Their flagship operating system is designed to collect extensive telemetry data, including user interactions with applications and browsing habits, often without explicit consent, making it one of the worst choices for your privacy.

The second bad option is committing to Apple’s ecosystem. Apple goes above and beyond to mitigate physical attacks by designing their own hardware with security in mind, particularly with the M1 and M2 chips, which integrate advanced security features like the Secure Enclave for encrypted data storage and secure boot capabilities. Additionally, macOS on M-series hardware offers strong application security mechanisms, excellent exploit mitigations, and robust full-disk encryption through FileVault. However, Apple is still known to collect data for its own use, and they have had their hand caught in the cookie jar a few times now, such as in instances where they were found to be collecting data even when users were opted out. While Apple claims to prioritize privacy and offers features like end-to-end encryption for some services, their track record suggests that they may not be as trustworthy as they claim. As of now, I don’t believe they are a good choice if you care about privacy, but they are certainly better than their competition.

The third bad option is to commit to using a community-maintained Linux distribution. Unfortunately, the Linux kernel was not designed with security as a main priority. While kernel developers are actively working to improve this situation, many architectural choices have left it lagging behind the competition in critical areas. For example, Linux lacks built-in features like Virtualization-Based Security (VBS), System Integrity Protection (SIP), and a robust Secure Boot implementation on par with Windows or macOS. However, there are a lot of distributions to choose from that do respect user privacy.

Projects like SecureBlue attempt to address the security shortcomings of desktop Linux by offering better exploit mitigations, improved application security through stronger SELinux policies combined with Flatpaks for sandboxing, and better default settings. However, even with these customizations and patches, such projects will always fall short of the security features offered by Windows and macOS until Linux security capabilities catch up with the times. The situation becomes even worse when you’re using a typical Linux distribution. Unfortunately, this means Linux is the worst choice for those who need better security.

I realize that these are not the only three options available. However, I strongly believe these are the most reasonable choices for the vast majority of people. I fully acknowledge that we all have different priorities and comfort levels regarding privacy and security. I’m not trying to tell you that your choice is right or wrong; I am merely frustrated with the lack of a good option and hope to live in a world where we are not forced to choose between privacy and security. To achieve this, it is important that we never become complacent with selecting the least bad option and moving on with our lives.

While we need to keep our expectations aligned with reality and make informed choices that benefit us today, we must also strive for better options in the future. As a collective, we should do our part to forge a path so that future generations don’t have to make these sacrifices.This might mean pushing harder for the Linux project and major distributions to take security more seriously, compiling lists of consumer hardware with good security support, or advocating for stronger privacy laws. Honestly, while I have strong opinions and ideas, I don’t have all the answers. I am just one person on the Internet, frustrated with the current state of affairs.

I’d love to hear your thoughts. Please share what you think we can do to improve this situation as a community or how you personally feel about our existing choices.

If you thought Linux security was bad, you should have a look at FreeBSD, Solaris, Haiku, ReactOS, there are always worse options.

Nearly all 2024 onward ThinkPads get HSI-4 and some can be had for under $1000.

LVFS makes this easy to lookup for models before buying: LVFS: HSI Devices

Thank you for taking the time to point this list out to me. I’ll be honest, I have not came across this list before, so it was actually helpful. However, it seems like it is just pointing out laptops which can meet these requirements. Do you happen to know if there is a similar list for consumer grade motherboards?

When I said it was difficult to find hardware that can meet the HSI-3 & HSI-4 requirements, that is actually what I had in mind. For example, the motherboard I am using is from ASUS and it just falls short of being HSI-4 compliant because the manufacturer decided it would be a good idea to implement some things in a non-standard way. You can read more about this particular issue here: AMD Rollback Protection and/or Firmware Replay Protection should say it is enabled but instead says it's disabled · Issue #5261 · fwupd/fwupd · GitHub

I really do hope you are able to respond back with some actionable information that proves my statement to be factually incorrect, because I would happily purchase a new motherboard for the additional security features if I knew which one would meet my needs.

Edit: I took a closer look at the provided list and realize that it does list different types of motherboards. I missed that when I was originally scroll through the items. I have not been able to find one that meets HSI-4 requirements, but I have not looked at all of the entries yet. Thanks again for the helpful feedback.

While I agree that there are always worse options out there, it isn’t really relevant to this discussion. The heart of this discussion is that there are no good options for someone who requires a high level of security but also values privacy. Unfortunately, at the time of this writing, Apple is the only organization that offers strong security without completely disregarding user privacy. Though, I imagine the latter is debatable.

I was just reading up on boot chain related matters. I find it pretty annoying that my fedora install’s fde can be trivially bypassed via initramfs tampering, so I started looking into TPM signing different stages of the boot process but there’s an exploit that uses a fake file system to obtain the key quite easily, the author of the exploit suggested a mitigation, but implementing it is a bit beyond my skill level. So then I started looking into UKI as that’s another way to get stronger boot integrirty, but there’s not currently a noob friendly guide I’d feel comfortable attempting on my own (one github gist says to modify this one system file “as required,” as if I know how it should be), and they’re all different, so clearly a standard approach hasn’t been set yet.

So yeah, I feel that frustration.

nope, you are correct: nearly all standalone motherboards fail to meet HSI-4 requirements because the vendor does some stupid shit

only laptops or prebuilt desktops can be somewhat easily had that meet it sadly.

Yeah, it boggles my mind that an attacker with physical access can easily drop into a debug shell, edit the initramfs and just wait for you to successfully unlock the disk and execute their payload.

Luckily, it looks like Fedora is doing some work to support and sign unified kernel images ( What is the status of providing uki - #6 by kraxel - Fedora Discussion ). If we ever get properly signed UKI’s shipped by Fedora, this would go a long way to help secure the boot process.

At least in this particular example there are mitigations you can implement to defend yourself if you think this is something you might need to worry about. However, as you pointed out, none of these solutions are particularly useful for most people.

The more that people look into how security is handled within Linux and the major distributions, the more obvious it becomes that we are all trying to build something solid on a shaky foundation.

That’s unfortunate to hear. I was really hoping you might chime in and be able to tell me about a good stand-alone motherboard with these features. Oh well, at least now I have a solid list to reference that might help me find something that better meets my needs.

Apple/MS are only even worth considering if you fully embrace the walled garden and only download programs from the app store. Otherwise, Linux should be better.

Not related, but maybe relevant: How to tamper protect a laptop

Edit to avoid doublepost: my current perspective is that there isn’t any reason to avoid using linux. The important thing IMO is to know what you’re getting out of your chosen solution and in which ways the shortcomings of your solution can become actual threats to you. Physical tampering is probably not a big threat to most people but even if it was, tamper proofing would be likely still better than simply trusting the OEM to keep you safe.

QubesOS is decent except it’s behind in defending against physical attacks, but that’s similar to most Windows PCs anyways.

Physical tampering…

I go back and forth on this. Once upon a time I accidentally locked myself out of the bios on a laptop I had (lol) and was searching for ways around it. This lead me to a hardware hacking forum that had some sketchy vibes. I don’t think im willing to rule out that there ARE theives with the technical chops, or motivation to obtain them, or with access to buyers that have those chops, even if the majority aren’t. Generally I’m pretty smart about keeping my personal stuff locked down, but if I get my PC stolen, knowing there’s a chance the thief might be proficient enough, or have some underworld contact that is, to go rooting through my stuff would definitely result in the feeling of my privacy being violated. That’s the whole reason I’m in to this stuff, trying to find piece of mind through privacy and security.

At this point, I’d relied on at-rest encryption and keep my laptop turned off most of the time.

If it’s a thief, they will just take the computer and your data would be safe if your HDD is encrypted. The issue is evil maid.