The cybersecurity industry has spent decades training us to fear the hacker in the hoodie — the shadowy figure in a dark room, the ransomware gang, the state-sponsored APT. Meanwhile, the actual predators have been wearing polo shirts, sending us EULAs, and sponsoring the very regulations that claim to protect us.
Let's apply the formula that actually matters:
Risk = Probability(attack) \ Severity(attack)
And let's populate it honestly, not the way a Norton marketing department would.
The Threat Landscape: Populating the Matrix
Category 1: Solo Hackers & Criminal Botnets
| Factor | Assessment |
|---|---|
| Probability | Moderate-to-high for opportunistic attacks — ransomware, credential stuffing, phishing. Highly dependent on your attack surface. |
| Severity | Generally limited. They want your credit card, your crypto, maybe a few grand in Bitcoin. They don't want your life — they want a quick payday. |
| Risk Score | Medium. Real, but tractable. And crucially: they don't own the update channel. |
Criminal hackers are the pickpockets. They're real, they'll hurt you, but they're not running the city.
Category 2: State Actors (NSA, FSB, MSS, Unit 8200, etc.)
| Factor | Assessment |
|---|---|
| Probability | Extremely low for the average person. Unless you're a journalist, a dissident, a whistleblower, or a defense contractor, you are simply not worth the zero-day. |
| Severity | Catastrophic. Total compromise. Indefinite persistence. Legal system weaponized against you. |
| Risk Score | Low for most — not because severity is low, but because probability rounds to zero. For targeted individuals, this flips to Extreme. |
But here's where the analysis gets uncomfortable — and where the conventional "state vs. criminal" distinction collapses.
Category 3: The Big Five (Microsoft, Apple, Google, Meta, Amazon)
| Factor | Assessment |
|---|---|
| Probability | Near 100%. If you use their products — and you almost certainly do — they are collecting, processing, and monetizing your data right now. This is not a potential attack. This is the business model. |
| Severity | Structural and total. Not a one-time breach. Continuous, permanent, cumulative extraction of your entire digital existence. |
| Risk Score | Extreme. This is not a future threat. This is the water you're swimming in. |
The Predator Hierarchy: Who Guards the Guards?
Here's the uncomfortable truth that the previous articles in this series have laid out in architectural detail:
The entities we invite into our systems to protect us from the small predators are themselves the large predators.
Your antivirus has root access to every file, scans everything you open, monitors every URL you visit, and phones home with the results — to servers in jurisdictions with inadequate data protection, under privacy policies written in weasel words. Closed-source software precludes independent verification of data handling. You cannot verify what you cannot see. You cannot trust what you cannot verify.
This isn't a conspiracy. It's architecture.
The Protection Racket Model
THE BIG FIVE
(Root access, closed source, permanent exfiltration)
"We'll protect you from malware, hackers, and
tracking. Just give us your root password,
your files, your browsing history, your..."
|
|
| Extracts everything
|
|
THE USER
"At least I'm safe
from hackers!"
Hackers, malware, botnets, script kiddies
(Blocked by the same infrastructure
that's harvesting you)
The Big Five don't just allow smaller predators to exist — they benefit from them. Every ransomware headline is a marketing opportunity for "trust us with your security." Fear of the pickpocket drives you into the arms of the mafia. And the mafia keeps the pickpockets away — but who protects you from the mafia?
When the Mafia Writes the Laws
If you needed proof that the line between "state actor" and "Big Tech predator" has dissolved, look at what happened in the EU Council in June 2026.
The European Commission proposed Article 88b of the GDPR as part of the Digital Omnibus — a provision that would have replaced cookie consent banners with an automated browser-level signal. Users would set tracking preferences once, in their browser settings, and websites would be required to respect that signal. It was the single measure in the entire package that would actually have simplified things for consumers.
Google submitted a lobbying paper arguing that removing cookie banners would halt online advertising — using figures the Commission itself described as "highly exaggerated." The paper conveniently ignored that the proposal explicitly allowed per-website consent overrides. On 18 June 2026, the Council removed Article 88b entirely. Germany, France, and Poland — the same member states publicly calling for "cutting red tape" — pushed for its removal.
As Max Schrems put it: "You really have to let that sink in: the European Commission finally wants to get rid of cookie banners, but Google and some EU Member States are now determined to keep them."
Cookie banners are not an invention of data protection law — they're an invention of the tracking industry. Studies suggest only 3–10% of users actually wish to be tracked, yet dark patterns achieve consent rates up to 90%. Google doesn't want you to say "no" easily. It wants you to say "yes" through exhaustion. And when the EU tried to give you a simple, one-time "no," Google lobbied sovereign governments to kill the proposal. Germany and France complied.
This is the predator hierarchy in action. The state is not a separate threat category from the Big Five — it is increasingly their infrastructure. When a corporation can dictate legislation to member states, the distinction between "state actor" and "corporate predator" becomes academic. They operate the same servers. They share the same data. They write the same laws.
The Deskilling Hypothesis: Helplessness as a Business Strategy
There's a deeper layer to this predation, and it's not just about data extraction. It's about induced helplessness — the systematic erosion of basic computing skills to make the user permanently dependent on the ecosystem.
Consider what's been taken from the average user in the last two decades:
| Skill | When Lost | Who Benefited |
|---|---|---|
| Distinguishing URLs from queries | ~2008 — Chrome unified omnibox | Google (every "google.com" typed becomes a query through their servers) |
| Remembering URLs at all | ~2010 — Mobile apps replace bookmarks | Apple/Google (app store gatekeeping, total search dependency) |
| Local file management | ~2012 — iCloud/Dropbox/OneDrive defaults | Apple/Microsoft/Amazon (your files on their servers = their data) |
| Understanding directory structures | ~2015 — iOS/Android sandboxing hides filesystem | Apple/Google (you can't leave the garden if you don't know there's an outside) |
| Installing an OS | ~2018 — Devices ship sealed, OS pre-installed | Microsoft/Apple (your hardware, their software, your data) |
| Basic networking (IPs, ports, DNS) | ~2020 — Everything is "the cloud" | Amazon (AWS is the internet now, and they know every packet) |
| Distinguishing local from remote | Present day — "What do you mean my files aren't on my computer?" | All of them |
This is not accidental. It's induced helplessness as a business strategy. A user who understands their filesystem might ask uncomfortable questions about what rapportd is doing. A user who knows what DNS is might wonder why all their queries go through 8.8.8.8. A user who can install an OS might try Linux — or OpenBSD.
The complexity of open source tools isn't a bug. It's that we've been trained for two decades to find complexity unnatural — to expect to be served rather than to understand. A 10-year-old in 1995 could configure autoexec.bat and config.sys to free up conventional memory for games. That same 10-year-old today can't find the Downloads folder on an iPhone. The hardware got simpler. The user got simpler too. By design.
Education and Privacy-by-Design: The Two Pillars the Big Five Sabotage
This is where the GDPR's architecture becomes devastatingly relevant — and where the Big Five's strategy reveals itself as a direct attack on compliance itself.
The GDPR rests on two operational pillars:
- Privacy by design (Art. 25) — data protection must be built into the system, not bolted on after the fact.
- Staff training (Art. 39) — personnel must be educated on secure data handling.
And the architrave holding them together is accountability (Art. 5(2)) — the controller must be able to demonstrate compliance.
Mainstream operating systems fail all three. They are closed-source, unauditable, laden with telemetry, and so complex — hundreds of millions of lines of code — that vulnerabilities are a mathematical certainty, not a bug to be patched. You cannot demonstrate that data is processed transparently when the processing logic is opaque. You cannot ensure confidentiality when you cannot verify what data leaves the system. You cannot fulfill the accountability principle when you cannot account for what the software does.
But the attack on the training pillar is subtler and, in some ways, more insidious. The Big Five don't just fail to educate users — they actively make users hostile to learning. Every interface decision, every dark pattern, every "it just works" abstraction layer is designed to make the user stop thinking. To stop asking questions. To stop wanting to understand.
When a DPO deploys a Windows fleet, they're not just deploying an operating system. They're deploying a training environment that teaches employees: don't worry about how it works, someone else will handle it, just click "accept." That's not staff training. That's staff untraining. It's the opposite of what Article 39 demands.
Now consider the alternative. Linux and BSD systems — particularly OpenBSD, the only operating system in the world that undergoes continuous, funded, line-by-line security auditing — don't just permit understanding. They require it. You cannot use OpenBSD without learning something about your system. You cannot compartmentalize without understanding why compartments matter. The learning curve that the industry dismisses as "too steep for normal users" is not a bug — it's the training pillar made operational. It's Article 39 compliance not as a checkbox webinar but as the daily act of using a computer.
The budget shifts from remediating breaches and renewing licenses to training personnel — exactly where GDPR intended it.
The Open Source Response: How Far Do You Go?
If you accept the risk analysis above, the question becomes practical: what does defense actually look like?
The Spectrum of Defense
| Level | Solution | Defends Against | Cost |
|---|---|---|---|
| 1. Awareness | Firefox + uBlock Origin + DNS filtering (Pi-hole) | Basic tracking, ads, malware domains | Near zero |
| 2. OS Migration | Linux (Debian, Fedora) or OpenBSD for daily computing | Microsoft/Apple telemetry, forced updates, OS-level surveillance | Learning curve, some app compatibility loss |
| 3. Application Hygiene | Signal, Thunderbird, LibreOffice, local storage over cloud | App-level data exfiltration, cloud dependency | Convenience loss, collaboration friction |
| 4. Compartmentalization (lightweight) | Unix user separation, PF firewall rules, disposable browser profiles, blind-gate privilege escalation | Cross-domain malware propagation, persistent browser compromise, data leakage between contexts | Learning curve, workflow adjustment |
| 5. Compartmentalization (full virtualization) | Qubes OS — every task in its own VM with separate kernel | Kernel-level exploits, targeted input sniffing, state-actor forensics | Significant hardware, heavy RAM, major workflow friction |
| 6. Air-Gapped + Tails | Offline machine for sensitive work, Tails for anonymous activity | Near-total compromise, forensic recovery | Extreme inconvenience |
The Sweet Spot
For most users — and most organizations processing personal data under GDPR — the rational choice is somewhere around Levels 2–4. Linux or OpenBSD as a daily driver, open source applications, conscious data hygiene, and compartmentalization through Unix primitives rather than hypervisors.
Qubes OS defends against a threat most people don't face (kernel-level state actor exploits) at a cost most can't sustain (8 GB RAM minimum, 30+ GB disk, massive workflow friction). It's the right tool for journalists and dissidents. It's overkill for everyone else.
What's needed is something in between: compartmentalization without virtualization. The core insight of Qubes — security through isolation — stripped of the hypervisor and implemented with native Unix user separation, a strict PF firewall, and disposable tmpfs-backed browser sessions. Something that runs on 1 GB of RAM, installs in ten minutes, and is auditable in an afternoon. Something built on OpenBSD — zero telemetry, continuous security auditing, a codebase small enough to be understood.
That project exists. It launches in a few weeks. More on that in the next piece.
The Real Risk Equation, Recalculated
[Probability(hacker) x Severity(hacker)] # Manageable, not existential
+ [P(State) x S(State)] # Near-zero for most, extreme for few
+ [P(Big Five) x S(Big Five)] # ≈100 structural total surveillance
-----------------------
= TOTAL RISK
The third term dominates. By orders of magnitude.
And the state actor term is increasingly just a special case of the third term. When intelligence agencies run their operations on AWS, when surveillance requests go through corporate legal departments rather than courts, when Google lobbies France and Germany to kill privacy legislation — the distinction between "state threat" and "corporate threat" is a vestigial organ of a threat model that no longer describes reality.
Conclusion: Defend Against the Actual Predator
If you accept this analysis, the priorities become clear:
-
First priority: Escape the Big Five surveillance architecture. You cannot fix this with settings. You cannot disable enough telemetry. The closed-source nature means you cannot verify anything. Migrate to Linux or OpenBSD. Use open source applications. Store data locally.
-
Second priority: Basic hygiene against criminal threats. Keep things updated. Use a password manager. Don't click stupid links. Use uBlock Origin. This handles 95% of the hacker threat without any AV bloatware.
-
Third priority (only if applicable): State actor defenses. If you're a journalist, activist, or handle sensitive data, Qubes or Tails. But be honest about whether this is your actual threat model — and recognize that the state probably already has your data from the same cloud providers you pay monthly.
-
Forget antivirus entirely. It's anti-privacy by design. On Linux and OpenBSD, you don't need it. On any OS, network-level filtering does more for security than a rootkit that uploads your files to "analyze" them.
-
Embrace the learning curve. The difficulty of open source systems is not a barrier to adoption — it's the mechanism of adoption. Every hour spent learning your system is an hour of Article 39 compliance, an hour of immunity from induced helplessness, an hour of reclaiming the skills the Big Five spent two decades extracting from you.
The pickpockets are real. But the mafia owns the police station, writes the laws, and sponsors the training seminars on theft prevention. Choose your enemies wisely — and don't pay protection money to the people robbing you blind.
The previous articles in this series demonstrated that antivirus software is architecturally indistinguishable from malware, and that closed-source privacy claims are logically incoherent. The next piece introduces the practical alternative: compartmentalization without virtualization, built on OpenBSD, launching soon.
- Date
- 2026-07-19
- Taxonomy
- English | privacy, open-source, closed-source, gdpr, dataprotection, cybersecurity, infosec, big-tech, risk-analysis, deskilling