I understand Windows is not a privacy friendly OS but I am a bit unclear on the risks for the “average user”. My understanding is that the OS is not particularly private in terms of your data but I see a lot of users talk about how Windows should be avoided for any sort of sensitive work.
Is the typical Windows Home or Pro, that is regularly updated, considered so insecure that sensitive work should be avoid at all relative to mac, or a linux distro that doesn’t focus on security? Maybe I am separating out things that shouldn’t be but, it seems to me there are varying degrees of private and sensitive tasks and not all of them are hugely affected by the telemetry and data issues I see commonly associated with Windows.
I guess what I am trying to get at, in a broader sense, is sometimes I find myself a bit confused about what privacy risks are actually associated with the more common “should be avoided” software that mentioned on the forum.
I am sure there are probably a million other threads on Windows so if the mods want to close this and point me to the proper one, that’s fine and I apologize for the trouble.
There is so much info about this topic on this forum. Please search and start reading all that’s already been said. It should answer all your questions.
Here is the issue for me at least, its almost to much info and threads can be years old so its hard to parse out whats actually relevant anymore. More importantly, the degrees to which people claim Windows is a privacy threat varies drastically, which is where my confusion really begins.
Take @jerm link for example. I am sure there is a ton of relevant info but I don’t know which of the links in that kicksecure that were last updated in 2021 would be.
Only security patches are the new updates and good things Windows has done. All the bad stuff is still valid. And it’s only getting worse by the day so you’re good to read the info already available.
You need to separate security and privacy if you want to determine how risky Windows is for you. With full-disk encryption through BitLocker and applying regular updates, Windows is honestly not that bad for basic browsing. That is, if you don’t install random software or open suspicious PDFs. That’s how Windows may seem “insecure” or “malware” prone for the average person because most malware is made specifically for Windows. If a virus is developed specifically for MacOS and common Linux distros, it might be more rare but not necessary mitigated by the OS if it does somehow gets on your computer.
Most Linux distros aren’t magically secure and needs a lot of modification (i.e. a specific anti-forensics distro or personal modification) for it to be “secure”. What makes Linux stand out is that it is much more privacy respecting. You install Linux because it does not include spyware-like capabilities by default. Most likely, you will not run random software apps that would otherwise be a trojan. However, your grandma on her Windows machine will probably install a virus eventually.
If you do want to learn more, I highly recommend looking over the Windows discussion here. Otherwise, feel free to ask more specific questions that you feel haven’t been answered on the forum before.
“Sensitive work” means too many different things to different people.
When it comes to Windows it’s best to start out assuming that it is bad for the average person, but it could be good for specific situations, when it comes to privacy and security. So basically the opposite of Linux, which is generally good for the average person, with specific situations where it could be very bad.
Either way you have to know what your specific situation actually is before you can determine whether Windows and/or Linux and/or macOS is right for you. What I said above is just a starting point for the typical person concerned about privacy and security.
Fair enough and I appreciate you and @jonah weighing in. For me, I am having a hard time distinguishing which tasks are really at risk by using a Windows machine.
Let take taxes as an example. I don’t see these issues with privacy and telemetry being that much of a concern as the information is being sent off to the government anyway, typically via a third party that also sells that data. BUT if your telling me just by doing the task on Windows, my SSN is more at risk of being leaked then a common linux distro or mac, it puts the concerns of using Windows in a different category for me.
Feel free to tell me I am just going in circles and should spend time reading the threads people have recommended.
I will try and keep this in mind going forward as I hope to try and integrate using linux more in my life as I get more acquainted with it.
The only situation where I can see your SSN being leaked is if forensics software is used to obtain your tax documents after recycling your old PC. Or perhaps you had an old backup lying somewhere on a drive, have Recall enabled and someone browsed through your pc, or got malware that scanned for that info specifically.
The privacy concern with data like this is largely similar to macOS out of the box, however, Windows does include many built-in, optional features which could jeopardize your privacy significantly further than normal.
The aforementioned Windows Recall, for example, presents a substantial security risk when it comes to data leakage, because all of your personal information becomes consolidated in a single locally-accessible database. Similar concerns could be had with deep OneDrive integration in modern versions of Windows.
These features are ostensibly opt-in, but there are many stories of OneDrive being unintentionally/unknowingly enabled by users, and I suspect we will see more of that with Recall over the next few months as well.
Some of these features can be further prevented from accidental use by following these configuration instructions:
If you follow these instructions (ideally on Windows Enterprise Edition) then the system should be workable for basic tasks like what you are talking about. You are still likely at a heightened risk of data exposure, but this is mainly due to the higher prevalence of Windows-based data stealing malware, not necessarily Windows being lower in security.
That being said, it is perfectly valid to consider the much larger threat landscape of Windows compared to Linux when you are assessing the security of your operating system. Security does not exist in an isolated bubble
That makes sense and I took the time to do the recommended group policy settings, thanks!
I think, especially with the more popular products that are not well received by the privacy community, there is a lack of nuance about what the harms are of the product and it devolves into the product being all bad and you are at risk just by using it. Once that’s repeated enough it gets hard for me to understand what the proper evaluation should be or if the risks make sense to my threat model.
That’s all to say i appreciate yours and @KevPham more considered answers.
I think there is certainly a preference for software which does not need to be finagled into being privacy-respecting in the first place. The erosion of privacy is a systemic problem, and boycotting products like Windows is a legitimate path forward and out of this mess, and so I think it is generally the correct move to highly encourage that whenever possible.
Using Linux is extremely cool
There is really no need for fearmongering or withholding information about Windows for people who are making a measured decision to use it anyways though, no.
It’s possible to disable most of the invasive things as stated above, but to prevent things like:
which is very very bad as that means unknowingly uploading potentially sensitive information to Microsoft without any E2EE
It’s better to stick to Windows 10 Enterprise LTSC until it loses support if it suits your needs as Windows 10 no longer gets feature updates (feature updates typically come bundled with at least a few bad things, may revert your settings back to defaults etc).
Also worth noting that Windows can’t be secured in the same ways that Linux can, it’s as bad as most linux distros by default but linux distros can at least be made more secure if you sandbox your apps, use a MAC etc.
One of the issues I run into with these types of versions is that there policy settings are different so its not apples to apples to follow the group policy guide
this sort of things becomes even more of an issue if you want to use the Microsoft Security Baseline, especially for users that rather automate doing it via a script such as this one.
oddly enough, atleast for me, its easier to “harden” Windows Home or Pro because the large majority of guides are based on these versions.
