
Privacy Begins with the Operating System

The amount of trust you place in an operating system is substantial.

Privacy is a complex and far-reaching topic. One of the most basic and often overlooked players is the operating system on your device.

Privacy Settings

When Microsoft released Windows 10, they took a lot of heat for particularly permissive default privacy settings, as well as a lack of clarity about what information is sent back to Microsoft and under what conditions.

While they’ve addressed some of those issues, it all serves to highlight an important concept that many people all too readily overlook: the operating system on your machine has a tremendous capability to protect — or violate — your privacy.

Do you trust it?


TL;DR:

Privacy and the operating system

Operating systems have the potential to violate your privacy by collecting data about your activities. You can reduce this risk by only using operating systems from companies you trust and by carefully managing your privacy settings.

The OS sees all and knows all

The operating system on your computer is the interface between all of your software and hardware and the rest of the world.

When an application wants to read from the disk, it does so via the operating system. If an application wants to communicate on the network or internet, it uses the operating system. Even when an application just wants to display something to ask you a question, it’s the operating system displaying the message and collecting your response.

This puts the operating system in a unique position to see absolutely everything you do because it’s instrumental in making anything you do happen at all.

It’s something we rarely think about, at least until things like the furor over Windows 10. Then things change a little or a lot; but in the long run, the issue blows over because we need to get on with our work. The fundamental power of the operating system, and that it’s in such a unique position to examine what we do, is something that fades to the background.

It’s not just Windows

I use the Windows 10 release as an example because it made a lot of news at the time and because so many people use Windows.

But before you start pointing fingers, it’s critical to realize that every operating system has this level of access to what you’re doing. Be it Mac OS, iOS, Linux, Android, or something else completely, by the nature of what they do, all operating systems are in a position to examine, record, and report back anything they care to.

It’s not that they do; it’s that they can. It’s not malicious or even surprising. Giving an OS the power to do its job also gives it the power to examine what’s happening when it’s used.

How do you know it’s not sharing that information with others? Well, as an average computer user, you can’t.

It all boils down to trust.

If you don’t trust it, why are you using it?

One of the extremely frustrating aspects of my job is hearing people rail against some large entity like Microsoft, Apple, or Google, all the while using the software and/or services provided by — you guessed it — Microsoft, Apple, or Google.

It might sound brutal, but the bottom line is simple: if you don’t trust them [1], then don’t use their software. That could be as extreme as never, ever using it, or it could be more strategic, choosing to avoid it for certain types of activities you consider particularly sensitive. Either way, “fixing” the operating system is not an option in your control, so the only true options you have are:

  • Live with it
  • Avoid it for specific areas of concern
  • Avoid it completely

And again, while Microsoft Windows is a common example, these statements apply equally to any software vendor whose products you choose to use.

Alternatives to consider

Whenever we talk about alternatives to operating systems, we’re really asking the question, “Who do you trust?”

When it comes to desktop and laptop PCs, this typically means one of three things.

  • Windows: you’re trusting Microsoft
  • Mac: you’re trusting Apple
  • Linux: you’re trusting an army of independent developers (as well as the sponsor of the particular distribution you’re using)

When it comes to tablets and mobile devices, the choices are a bit more limited:

  • Android and Chrome OS: you’re trusting Google and to some degree Linux
  • iOS: you’re trusting Apple

In almost all cases, if your device comes pre-loaded with the operating system and other software, as many do these days, you’re also trusting the vendor of the device, since they can and do add things.

As I said, the question really does boil down to: of those alternatives, who do you trust?

Or, perhaps, who do you distrust the least?

The pragmatic reality

Operating systems and the privacy implications they bring are truly too complex for the average consumer to completely understand. We shouldn’t have to get that deep an understanding, or we’d never have time to move on to whatever it is we’re trying to accomplish!

In many ways, some privacy exposure is part of the cost of using today’s complex systems. [2] For any system you use, information is likely being shared “upstream” for a variety of reasons, ranging from beneficial and benign (such as information used to make the software better) to malicious and invasive (such as truly tracking what you as an individual are doing). [3]

Unfortunately, we might also find ourselves faced with constraints — software we rely on that only runs on an OS we don’t trust, or cross-platform compatibility issues with people we work with on a regular basis, for example — perhaps forcing us to rely on an OS we’d prefer to avoid.

In situations like this, it’s important to understand what’s possible and take whatever steps you feel are appropriate.

As for me, I run almost all the operating systems I’ve mentioned here, and I honestly have few concerns. I trust that any information these operating systems transmit “home” is either inconsequential, appropriately anonymized, or appropriately protected, and serves to make the software and my experience using it better.

I know not everyone agrees with my approach.

Do this

Regardless of who you trust or who you don’t trust, understand what is and is not possible. Make appropriate decisions to protect your privacy to the degree you feel you can.

When available, review and configure the privacy settings offered by the operating systems and other software you use (though realize you’re also trusting that your preferences will be honored).


Footnotes & References

1: For any reason. If you don’t trust their privacy protections, security, or overall capability, then avoiding their product would be the thing to do. Even if that’s all OK to you, perhaps you don’t trust that they won’t change something out from underneath you in a future version. Either way, it all comes back to trust.

2: And I haven’t even touched on online services like social media.

3: My stance remains: you and I simply aren’t interesting enough for this level of detailed, personal tracking. But it’s important to understand that the possibility exists.

15 comments on “Privacy Begins with the Operating System”

  1. “One of the more frustrating aspects of my job is hearing people rail against some large entity like Microsoft, Apple, or Google, all the while using the software and/or services provided by – you guessed it – Microsoft, Apple, or Google.”

    I too scratch my head at people who complain about the “lack of privacy” that they perceive, yet continue to use Chrome, Gmail, Google search engine, Google Maps, etc. Not realizing that Google is just as bad/good as the company they complain about. And worse, is that they use all of the services provided by one company. That means that this company is capable of building a good profile of the person, if the company had any interest in doing so.

  2. Isn’t the open source aspect of Linux a safeguard against invasive phoning home? The source code is available to everyone, and thousands are looking at it for vulnerabilities. Or do the various distros have some closed source components?

    • The open-source aspect of Linux gives it a leg up with respect to privacy. That won’t stop programs that “phone home” with personal information, but any phoning home by the OS is unlikely with so many eyes on it.

  3. Let’s not dump everything into the same bucket by saying since they all spy on you, then it’s all OK. There is a distinction between being on the internet and using a standalone computer independently or on a private network. To many it may be an astounding revelation that a computer can be used productively without being online and on Facebook or Twitter. In fact, most productive uses of a computer in business and industry don’t (or shouldn’t) need an internet connection. I use my computer without necessarily needing an online interface and use the OS as a tool to run my computer. As such, I don’t expect my OS to attempt to spy on me or to stop working because I’m not connected to the mothership. This article says that the OS needs the connectivity “to do its job”. No, it doesn’t. Constantly downloading obscure updates or other garbage is not a part of an OS’s job. Mining information from my hard drive is not an OS’s job. Parsing my email to get a profile of me is not the OS’s job. Controlling what applications I can use on my machine is not an OS’s job. And, if an OS requires internet connectivity and registration with the OS manufacturer to allow me to use my paid-for computer and OS, it is holding me hostage and asking for a ransom.

    The article also says that if you don’t trust it, then don’t use it. That may be true for a brand of cheese, but not a ubiquitous OS such as Windows which is used by billions of people. Most of us have built our entire digital lives and businesses around Windows and can’t just decide not to use it. Certainly, someone like Leo, whose career is dependent on Windows, can’t just drop it. Windows is a necessary commodity product – and it is precisely that fact which allows Microsoft to abuse the trust of its customers. By analogy, consider not using a car because you’re afraid of getting into an accident. Or consider not going to the doctor because you’re afraid your ailment will be reported to the insurance company.

    Finally, the article says that any information sent back “home” is inconsequential. Firstly, no one really knows. Secondly, this era of spying is just the first phase of social acclimation and spy technology development. No, I’m not saying it’s a conspiracy, but the natural evolution of social technology. History suggests that every big brother action has evolved to grow and become more intrusive and pervasive. Don’t expect governments to scrutinize or stop this type of spying – not only do governments not seriously challenge company spying, they are happy to have easy access to back doors for more information gathering themselves. The next device to spy on you is your smart TV in your living room (this is already happening).

    • Constantly downloading updates *is* part of the job of a good OS. Unless you write one yourself, you can expect to need constant updates. Even Linux installs constantly update.

    • Of course I could stop using Windows. There would be ramifications and costs, but if I were that distrustful of Windows I could choose to switch.

      It’s not about driving a car or not, it’s about choosing which car to drive. There are cars that I would not drive because I’m afraid that I’d be more likely to be injured in an accident. Other cars are safer. That’s the choice I make when I elect which car to use.

      Absolutely we can (and should) debate what the job of an OS is, but one thing I will disagree with right away: “Constantly downloading obscure updates or other garbage is not a part of an OS’s job.” – Keeping itself up to date absolutely is the OS’s job today. It’s more critical than ever.

    • In all this post there is one valid point: an Internet connection is not essential to use a computer. Its use may be somewhat limited, but it will still function adequately and be very productive.

      I agree with Leo; if you don’t trust something, don’t use it. The similitudes (wrong use of “analogy”) presented make a singular item into a generality. A better comparison would be when I quit using an axe because the head came off while I was slinging it. (Nothing like seeing a bare axe handle strike a log and not knowing where the head went!) That didn’t stop me from using axes – I just replaced it with one I could trust.

      No one is actually forced to use any particular product. It is a matter of choice. The user has to decide which features or functions they want, and what trade-offs they are willing to make. OSs and other software are no different. I totally fail to understand why people seem to expect these to be any different from all other products they use.

      As for “spying”, I’ve been a member of Microsoft’s User Experience program since it first started as an Opt In. For the most part, Windows will ask permission to send a report – with the option to view what will be sent. That doesn’t mean some information isn’t being passed without my consent, though. I do trust Microsoft (on a scale of 8 out of 10) enough to continue using their products.

      As Leo frequently says: I just am not that interesting. I don’t have any government/corporate secrets, patient/client records, extensive high-finance records, or any other high-profile information on my computer. For the most part I’m just so much background noise. I don’t use any fancy tools or techniques that would only tend to bring attention to me. [Which would draw more attention: a common house in a crowded neighborhood, or a heavily guarded and secured place just out of town?]
      NOTE: Try this experiment. Walk through a busy shopping center. Then see how many people you remember seeing – and why you remember them. Unless you have an exceptional memory, the only ones you remember are those who were different in some way. The rest were only “there”.

  4. An interesting article for sure. I totally agree with Leo. Having said that, I do not use or allow Google on my computer. I also stopped using my Android Phone but that was because I like the Blackberry Classic much better as I can encrypt it if needed. I stay away from Google because even once it is uninstalled (PC), it remains on the computer in several different places. Well written software should uninstall clean but Google embeds itself. The only way to get completely rid of it is to search the registry. In a previous version, it took me over two hours but in the latest one I tried it took about an hour pressing F3 over and over until the registry was clean. The file is update.exe (or close to that). If you run Chrome, check the registry for the update file because that is the one that will be in several areas of your computer.

    As for Microsoft, I started in computers prior to DOS on an IBM mainframe. I’ve used every single PC version of Windows they ever put out (even Windows ME that I dubbed Misery Everlasting). I loved Windows 7 and did beta testing before it was released. I ordered before it was finished and never regretted my decision. It worked flawlessly out of the box. I was happy.

    Then came Windows 10. I checked the Dell site to make sure there were no concerns or warnings. I backed up all of my drivers, updated them, etc. Then Microsoft installed Windows 10 whether I wanted it or not. It ran fine for over a year and then it killed my computer by trying to update the Intel video driver. It left my XPS 3300 dead and unrecoverable. I am not the only person this has happened to. Only after the crash did I see a notice on the Dell site that my computer might not run properly with Windows 10. Needless to say, my faith in Microsoft has been sorely tested but I live and work in a Microsoft world. I considered Linux but it would not be a viable solution so I bought a new Dell XPS 8910 built for Windows 10. So far, so good but I no longer have the same level of trust I once had.

  5. This reminds me of a funny instance a friend had while using his android phone.
    He turned off all access to the microphone in Settings.
    He then said “Hey Google”.
    His phone responded with ‘Sorry, your microphone is turned off’.

    Corporations have repeatedly been caught using data they specifically said they “would never collect” and apologized. How much data have they not been caught using?

  6. Updates are part of an “internet enabled operating system” and are important when the system is connected to the network. When a system is stand-alone and not connected to a network the updates are not required (or even possible – right?) I have a few customers still running DOS and Windows 3.3 systems – not to mention XP – for dedicated non internet connected applications – and they are always worried what will happen when the machine ultimately crashes and they are forced to upgrade – quite possibly involving tens of thousands of dollars in non-computer equipment that cannot be connected to Windows 10 or Unix or whatever.

  7. I’m with you, Bob. I use Windows 10, 11, and a couple GNU/Linux distributions here. Since I use Windows, I’ll speak about Microsoft, although you could probably replace it with Apple, Google, Amazon, or any other large corporate entity, and what I say will still make sense (at least to me). While I don’t necessarily trust Microsoft et al. (they are, after all, a corporation, and their highest obligation is to the bottom line and nothing more), I don’t think most users (as you put it) are interesting enough to warrant the level of individual tracking that would be required to collect and collate all the information that could be collected from each and every one of the billions of users who use some version of Windows.

    With that said, all the ‘anonymized’ data they regularly and constantly collect from that same billions of users may well be a very lucrative source of revenue. I’m sure they use the ‘telemetry’ they collect to make Windows better and probably to make decisions on their future efforts/direction, but I would not be surprised to learn they then use it to forecast trends in their users’ activities (for reasons I can only guess at) or even sell it to ‘partners’ who could use it in more ways than I can ever imagine.

    I’ve been using computers since MS-DOS 3.3 was current, and GNU/Linux since Mandrake was a relatively new distribution (circa 1998/9). My use of computers has had no significant/recognizable effect on my sense of privacy, mostly because I start from the position that if I don’t do anything to be ashamed of, I don’t have to be worried about what others may learn/know about me. While I don’t have the level of concern over personal privacy that many other users seem to have, I am careful about what personal information I broadcast ‘out there’. When I speak about my family, I speak in generalities and I never publish any information about specific personal events on social media (or even in email messages). While I may write about how I do some things (e.g.: install a GNU/Linux distribution or resolve a computer problem I’ve encountered), I never provide specific information about my hardware, my username/password, or anything else that could potentially compromise security. One thing I’ve learned over the years is that when I’m out in public, I can have no expectation of privacy. The Internet is a public ‘place’, so I have no expectation of privacy there either. If you want real privacy, stay home, close your curtains, and lock your doors. The price of that level of privacy is isolation. I’d rather not be so isolated.

    My2Cents,

    Ernie (Oldster)

  8. I agree, we live in an “MS” world. I refuse to use GOOGLE. All they are is an ADVERTISING Company. Has anyone read their “privacy policy”? You have to be a lawyer to understand the first paragraph. (that’s another story). Yes, even Mozilla warns one about what their “add-ons” can read, modify, spindle and mutate. I dunno! That’s why I never get on-line without cleaning (to the best of my abilities) all “phone home” logs, stats, etc. It’s quite scary. But as said by Leo, who CAN you trust?

  9. I try my best to be as unattractive and impenetrable to mega corporations, hackers and governments as possible. I use Linux Mint and have for years. I never go online without a VPN with Killswitch enabled. I use DuckDuckGo for a browser and never Google or Bing. My email provider is Tutanota, a high security provider. To access my bank or broker (or any other site which is nobody’s business), I use the Mullvad browser as being nearly as secure and much faster than Tor, although admittedly my weakness is the Edge browser which I use for everyday tasks: browsing Amazon and eBay, etc. In addition I do daily automatic system and data backups plus dynamic backups of my essential files to an end-to-end encrypted cloud service. Result: In over 20 years I’ve never had a hack or malware.

  10. Way to go! I’ve said it before, NEVER use GOOGLE! My ISP is pretty secure (except those pesky “trackers”). I use the Disconnect Add-on from the fine folks at Mozilla! Stops them in their tracks! EVEN MS! Google is hard to block, Disconnect will block them (after the fact). uBlock Origin works wonders too! It just burns my biscuits! What are you going to do?

