Switching your company’s desktops from Windows to Linux is one of the smartest moves a European business can make. You reduce licensing costs, eliminate forced telemetry to US servers and gain full control over your IT environment. But here is the part that most organisations overlook: a default Linux installation is not private out of the box. It requires deliberate configuration to deliver the privacy and sovereignty benefits you switched for in the first place.
This article walks through the most common privacy gaps in default Linux desktop deployments and explains what your IT team (or your managed infrastructure partner) should address before considering the job done.
Ubuntu’s Telemetry: Small but Present
Ubuntu is the most widely deployed Linux desktop distribution and for good reason. It is well supported, hardware compatible and familiar to a broad talent pool. However, since version 18.04, Ubuntu ships with telemetry tools that collect hardware and system information and send it back to Canonical, the Canadian company behind the distribution.
The data collected includes CPU type, RAM, disk size, GPU model, screen resolution, installation choices and your approximate region. Four separate tools handle this: Ubuntu Report, Popularity Contest, apport (crash reporting) and whoopsie (crash report delivery).
Canonical states this data is aggregated and never used for profiling. That may well be true. But for a European business that switched to Linux precisely to control where its data goes, sending system information to servers outside Europe by default is not an acceptable starting point. The fix is simple: remove all four tools in a single terminal command and, if Snap is not needed, remove that as well.
For organisations deploying fresh desktops, consider Debian or Linux Mint Debian Edition (LMDE) instead. Both are Debian-based (sharing the same packaging ecosystem as Ubuntu) but ship without any telemetry. You start clean rather than cleaning up afterwards.
DNS Leaks: The Silent Exposure
This is where things get serious and where most Linux desktop deployments fall short without anyone noticing.
Every time a user visits a website, their machine sends a DNS query to translate the domain name into an IP address. On most Debian-based distributions, the default DNS resolver (systemd-resolved) sends these queries in plain text to whatever DNS server your ISP provides. That means your internet service provider can log every domain every employee visits. Not the content of the pages, but the destinations: healthcare portals, financial platforms, competitor websites, legal resources.
For European businesses, this creates two problems. First, it is a privacy and potentially a GDPR exposure issue. Second, if your ISP routes DNS through infrastructure outside Europe, your employees’ browsing metadata is leaving the EU with every request.
The situation gets worse when a VPN is involved. systemd-resolved can bypass VPN tunnels and send DNS queries directly through the regular internet connection. This is a well-documented issue known as a DNS leak. Your employees believe they are protected; they are not.
The fix requires two things working together. First, configure encrypted DNS (DNS over TLS) using a European or self-hosted resolver. Second, implement a firewall kill switch using UFW that blocks all traffic except through the VPN tunnel. If the VPN disconnects, the internet stops working rather than silently falling back to an unprotected connection.
For businesses serious about sovereignty, the strongest option is running your own DNS resolver on European infrastructure. This eliminates third-party DNS providers entirely.
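A check for the two controls described above, as an added example that is not part of the original article: it audits systemd-resolved settings for strict DNS over TLS and the output of `ufw status verbose` for deny-by-default outgoing traffic. The sample files are constructed, and 192.0.2.53 / resolver.example are placeholders for your own European or self-hosted resolver.

```shell
#!/bin/sh
# Added example, not from the article. Sample files are constructed;
# 192.0.2.53 and resolver.example are placeholders for your own resolver.

# Print KEY's value from [Resolve]; exit 1 if the key is absent.
# Simplification: the last assignment across the given files wins.
resolved_value() {  # usage: resolved_value KEY FILE...
  key=$1; shift
  awk -v k="$key" '
    /^[ \t]*\[/   { sec = ($0 ~ /^[ \t]*\[Resolve\]/); next }
    /^[ \t]*[#;]/ { next }
    sec && index($0, k "=") == 1 { v = substr($0, length(k) + 2); hit = 1 }
    END { if (!hit) exit 1; print v }' "$@"
}

audit_resolved() {  # exit 0 only if DoT is strict and fallback is disabled
  rc=0
  dot=$(resolved_value DNSOverTLS "$@") || dot=unset
  dns=$(resolved_value DNS "$@") || dns=
  fb=$(resolved_value FallbackDNS "$@") || fb=unset
  [ "$dot" = yes ] || { echo "FAIL DNSOverTLS=$dot (only 'yes' refuses plaintext)"; rc=1; }
  [ -n "$dns" ] || { echo "FAIL DNS= not set, resolver is chosen by the network"; rc=1; }
  [ -z "$fb" ] || { echo "FAIL FallbackDNS=$fb (set it empty to disable)"; rc=1; }
  return $rc
}

audit_ufw() {  # stdin: output of `ufw status verbose`
  out=$(cat); rc=0
  printf '%s\n' "$out" | grep -q '^Status: active' ||
    { echo "FAIL ufw is not active"; rc=1; }
  printf '%s\n' "$out" | grep -q '^Default:.*deny (outgoing)' ||
    { echo "FAIL outgoing default is not deny, so there is no kill switch"; rc=1; }
  return $rc
}

SAMPLES=$(mktemp -d)
printf '%s\n' '[Resolve]' '#DNS=' '#DNSOverTLS=no' > "$SAMPLES/default.conf"
printf '%s\n' '[Resolve]' 'DNS=192.0.2.53#resolver.example' 'DNSOverTLS=yes' \
  'FallbackDNS=' > "$SAMPLES/strict.conf"
printf '%s\n' 'Status: active' \
  'Default: deny (incoming), deny (outgoing), disabled (routed)' > "$SAMPLES/ufw.txt"

audit_resolved "$SAMPLES/default.conf" || echo "default.conf: plaintext DNS possible"
audit_resolved "$SAMPLES/strict.conf" && echo "strict.conf: OK"
audit_ufw < "$SAMPLES/ufw.txt" && echo "ufw: kill-switch defaults OK"
```

On a live machine, pass /etc/systemd/resolved.conf and any drop-in files to `audit_resolved` and pipe `ufw status verbose` into `audit_ufw`. The firewall check covers only the default policy, so the rules that allow traffic to the VPN endpoint and over the tunnel interface still need a manual review.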
Browser Fingerprinting: Linux Users Stand Out
There is a common assumption that being on Linux makes employees harder to track online. The reality is often the opposite. Because Linux users run such a wide variety of distributions, desktop environments, kernel versions, and hardware combinations, their browser fingerprints tend to be more statistically unique than those of Windows users on identical corporate hardware.
Browser fingerprinting does not rely on cookies. It reads system properties (OS, screen resolution, installed fonts, GPU rendering behaviour, timezone, language settings) and combines them into a profile that can identify a specific device across sessions. Cookies can be cleared; a fingerprint cannot, because it is generated from the live state of the system.
For business deployments, this means standardising browser configuration across your fleet matters. Deploy Firefox with a hardened configuration: enable fingerprint resistance, disable WebGL, disable WebRTC (which can leak real IP addresses even through a VPN), and disable geolocation. A consistent browser policy across all desktops reduces the uniqueness of each machine’s fingerprint.
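One way to verify that a profile actually carries the four settings named above, as an added example that is not part of the original article. It assumes the preferences are set in a profile's user.js (one of several places they can be set) and uses the Firefox preference names for those settings; the user.js content is constructed.

```shell
#!/bin/sh
# Added example, not from the article. The user.js content is constructed.

# Firefox preference values for the four settings named above.
REQUIRED='privacy.resistFingerprinting=true
webgl.disabled=true
media.peerconnection.enabled=false
geo.enabled=false'

# Print the value of the last active user_pref("NAME", ...) line in FILE.
pref_value() {  # usage: pref_value NAME FILE
  awk -v n="$1" '
    /^[ \t]*\/\// { next }                      # skip commented-out prefs
    index($0, "user_pref(\"" n "\"") {
      v = $0; sub(/^[^,]*,[ \t]*/, "", v); sub(/[ \t]*\)[ \t]*;.*$/, "", v)
    }
    END { print v }' "$2"
}

audit_prefs() {  # exit 0 only if every required pref has the required value
  rc=0
  for want in $REQUIRED; do
    name=${want%%=*}; exp=${want#*=}
    got=$(pref_value "$name" "$1")
    [ "$got" = "$exp" ] || { echo "FAIL $name=${got:-unset} (want $exp)"; rc=1; }
  done
  return $rc
}

PROFILE=$(mktemp -d)
cat > "$PROFILE/user.js" <<'EOF'
user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", true);
// user_pref("media.peerconnection.enabled", false);
user_pref("geo.enabled", true);
EOF

audit_prefs "$PROFILE/user.js" || echo "profile deviates from fleet policy"
```

privacy.resistFingerprinting changes visible behaviour (for example, it reports UTC as the timezone), so pilot it with real users before locking it fleet-wide.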
Unnecessary Services: Reducing the Attack Surface
A default Linux desktop installation runs services that most business users will never need, and each one represents a potential vulnerability and an unnecessary network conversation.
CUPS, the printing system, runs on machines that may never connect to a printer. In late 2024, critical vulnerabilities in CUPS were publicly disclosed that allowed remote code execution through its printer auto-discovery feature. A single unauthenticated request was enough to potentially compromise a machine.
Bluetooth services broadcast your device’s presence to nearby devices even when not in use. The Avahi daemon announces machine information to the local network. These are unnecessary for most office deployments and should be disabled.
Auditing running services and disabling what is not needed is basic security hygiene, but it is routinely skipped on desktop deployments because the focus tends to be on getting the desktop “working” rather than getting it hardened.
Disk Encryption: Non-Negotiable for Business
If an employee’s laptop is stolen or lost and the disk is not encrypted, every file on that machine is readable by anyone who connects the drive to another computer. No password, no login screen, no security measure of any kind will prevent this.
Full disk encryption using LUKS should be enabled during installation on every business laptop and desktop that stores or accesses company data. It is a one-time setup step that protects everything on the device permanently. For existing unencrypted deployments, the cleanest path is a fresh install with encryption enabled.
Hostnames, Usernames and MAC Addresses
Small details matter in aggregate. A hostname that contains an employee’s name or a department label, a username that is a real name, or a MAC address that remains constant across networks all contribute to identifiability.
For business deployments, use generic hostnames and usernames. Enable MAC address randomisation through NetworkManager so that devices do not present a consistent hardware identity to every network they connect to. These are small configuration steps that meaningfully reduce the ability to track and correlate devices.
AppArmor: Enforce, Do Not Just Complain
AppArmor is a powerful mandatory access control system built into Debian-based distributions. It restricts what each application can access: which files, which network connections, which system resources. Even if an application is compromised, AppArmor can contain the damage.
The problem is that many AppArmor profiles default to “complain” mode, which logs violations but does not block them. For a business deployment, every active profile should be switched to “enforce” mode. This is a straightforward administrative step that significantly limits the blast radius of any security incident.
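The check behind that step, as an added example that is not part of the original article: it reads the text printed by `aa-status` and reports every profile still in complain mode, plus running processes that have a profile defined but are not confined by it. The sample output is constructed and its profile names are illustrative.

```shell
#!/bin/sh
# Added example, not from the article. sample_aa_status prints constructed
# text in the layout of `aa-status`; the profile names are illustrative.

# Print the indented entries listed under one aa-status summary line.
aa_section() {  # usage: aa-status | aa_section "profiles are in complain mode"
  awk -v want="$1" '
    /^[0-9]+ / { h = $0; sub(/^[0-9]+ /, "", h); sub(/\.[ \t]*$/, "", h)
                 on = (h == want); next }
    on && NF   { sub(/^[ \t]+/, ""); print }'
}

audit_apparmor() {  # stdin: aa-status output; exit 0 only if fully enforced
  out=$(cat); rc=0
  printf '%s\n' "$out" | grep -q '^apparmor module is loaded' ||
    { echo "FAIL apparmor module not loaded"; rc=1; }
  soft=$(printf '%s\n' "$out" | aa_section "profiles are in complain mode")
  free=$(printf '%s\n' "$out" |
    aa_section "processes are unconfined but have a profile defined")
  [ -z "$soft" ] || { printf '%s\n' "$soft" | sed 's/^/COMPLAIN /'; rc=1; }
  [ -z "$free" ] || { printf '%s\n' "$free" | sed 's/^/RESTART  /'; rc=1; }
  return $rc
}

sample_aa_status() {
  cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/sbin/cupsd
   /usr/sbin/cups-browsed
2 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /usr/sbin/cupsd (812)
1 processes are unconfined but have a profile defined.
   /usr/sbin/tcpdump (1044)
EOF
}

sample_aa_status | audit_apparmor || echo "not fully enforced"
```

Profiles reported as COMPLAIN can be switched with `aa-enforce` from the apparmor-utils package. Processes marked RESTART were started before their profile was loaded and stay unconfined until they are restarted.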
The Bigger Picture
Switching to Linux desktops is the right foundation for European businesses pursuing digital sovereignty and vendor independence. But the foundation only protects you if you build on it deliberately. A default installation, regardless of distribution, leaves gaps that undermine the very benefits you switched for.
The good news is that every issue discussed here is fixable with standard Linux administration. The question is whether your organisation has the capacity to apply these configurations consistently across your fleet, keep them maintained over time, and respond when something changes.
For organisations that want Linux desktops done right without building an in-house Linux team, this is exactly the kind of work a managed infrastructure partner handles: deployment, hardening, ongoing management, and the confidence that your desktops are as private and sovereign as your servers.
