I’ve spent years championing Linux as the only escape from Big Tech, but I’m starting to get twitchy.
While we’re distracted by the Steam Deck making Linux “mainstream,” the corporate players and politicians are busy building a digital cage. Between California’s AB-1043 mandates and Microsoft’s “Face Check” infrastructure, I’m worried we’re heading for a hard schism: “Sanitised Linux” vs the “Free Rebel” distros.
If the compliant, age-gated version becomes the industry standard, where does that leave the rest of us? Digital exile?
I’ve put some thoughts together on why the “Golden Cage” is closing in and why education, not mandates, is the only real fix.
I think it’s helpful to put some thought into why you use Linux and what you really need from it. I use it primarily for choice, privacy, and to just not be using anything by Microsoft/Apple/Google. Security is nice to have but it’s not the reason I’m using Linux, so handing over my photo ID to a third party I trust is an acceptable if disappointing risk.
Sure, my OS will be tied to my ID, but as long as my online traffic isn’t that should be fine. If they wanted to monitor my online traffic it would make far more sense to do it at the VPN level instead. Not by having my open source operating system redirect my traffic so that it’s associated with my ID.
The big risk is social media requiring proof of ID. Bots are becoming more and more common and proof of ID available at the OS level on Windows, Mac, and Android would be very tempting for social media. That’s a different concern though.
And for us who don’t find it an acceptable risk? Will I need an ID to read a book next?
You need ID to drive a car, which is essential in modern America. Worse still you need ID to rent a house and that’s normally getting fed straight into a massive insecure database. The advantage of Linux is that we could theoretically choose who we give our ID to (whether that’s Red Hat, Ubuntu, OpenSUSE, Debian, Arch, etc). Handing over your ID is necessary for some essential parts of modern life, and while I wouldn’t want to hand it over to access my operating system, I would be able to accept it.
Thinking critically, let’s imagine that only government approved companies could verify your ID and those companies are Google, Apple, Microsoft, and Persona. At that point I’d … really hate it but I’d hand over my ID. Then I’d double check my operating system isn’t logging and sharing my internet traffic.
There’s no indication that our online traffic will be required by law to be linked with our proven ID. If such a thing does happen, then firstly we are totally screwed, and secondly it would likely involve all major websites participating. We fundamentally won’t be able to get around it in that case.
I think that’s a dangerous assumption to make. If the OS is tied to your physical identity, the ‘VPN’ layer becomes much less of a shield. Once the kernel level is ‘compliant’ with an ID check, the metadata being leaked or even the hardware ID itself makes anonymity a lot harder to maintain.
You’re right about the social media risk, but the OS is the foundation. If you give up the keys to the house, it doesn’t matter how many extra locks you put on the individual room doors. That ‘disappointing risk’ is exactly how the ‘invisible borders’ start getting built.
Parts of what you just said are not really a proper response to what I said, either because of accuracy or relevance. So I’m just going to address the one important part of what you said, metadata.
I didn’t consider metadata because I treat proof of age as what it is, proof of age with proof of identity being incidental. If visiting a website requires handing over my full birthday, “hardware ID”, or real identity then I would be concerned, but we’re not there yet.
It’s a widely held view in the general public that you should be able to browse the internet privately just like you should be able to browse a library without the government seeing a log of every book you read, and I hope that would be enough to resolve this. The general public is not very concerned about browser fingerprinting, which effectively erases user privacy, but government mandated sharing of your identity online would be a red line that would get the normies involved.
You’re right that the average person doesn’t care about fingerprinting, but that’s exactly the problem. To me, browser fingerprinting isn’t just a technical quirk, it’s a violation of privacy that effectively erases your ability to be anonymous, regardless of whether you have a VPN or not.
If we let OS-level ID checks become the standard because people don’t care, we’re essentially legitimising that tracking. My red line isn’t just a government log of my identity, it’s the fact that the tech is being built to make that log possible in the first place. Once the infrastructure is there, the incidental proof of identity quickly becomes the primary feature.
Your response again doesn’t really follow from what I wrote. It retains some key words but not the ideas.
Browser fingerprinting which exists because the average person can’t be bothered concealing it and the theoretical sharing of your ID with the sites you visit due to a government mandate are two entirely different things. The relevant difference is that the government doesn’t mandate browser fingerprinting, it exists because it is technologically possible and the mitigation measures are more inconvenient than the average user is willing to deal with.
As for normalizing OS-level ID checks as a slippery slope towards sharing your full ID as part of a HTTP request … firstly that is not something you can get around with an alternative distro anyway, because it would involve all major websites. Secondly, that is a hypothetical within a hypothetical. Thirdly, if that really is the path that we’re on, now is not is not the most effective time to oppose it, because the slippery slope argument is far more persuasive from the bottom of the slope.
EDIT: I think I just did the same thing I accused you of, talking past you. My response basically just rejects your core conceit, that being a distinction between the private power-user experience and the non-private normie experience, and nothing else. I’ll need to edit this.
EDIT 2: Okay, fixed.