What'd be really nice is transparent, built-in sandboxing of every non-system application by the OS. The desktop security model of "protect your files from other users but not from applications you run" is horribly outdated.
On top of all that, we also need deep packet inspection and filtering. All the data flowing into and out of the sandbox must be inspected while in the clear by filtering software under our control. If the packet is known to contain nothing but a unique identifier for tracking, it gets blocked. If it also contains useful data, the identifier is either deleted or anonymized before the packet goes through.
ISPs, companies and governments can do it for surveillance, censorship and security reasons. We should be able to do it too in order to empower ourselves.
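The filtering rule described in the comment above (block identifier-only traffic, otherwise delete or anonymize the identifier), as an added example that is not part of the original comments. It assumes the request is already available in cleartext, looks only at URL query parameters, and uses a constructed set of parameter names (`TRACKING_KEYS`) and constructed sample URLs; `filter_url` and `pseudonym` are hypothetical helper names.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: parameter names this filter treats as tracking identifiers.
TRACKING_KEYS = {"device_id", "ad_id", "client_uuid"}
# Ephemeral key: pseudonyms are stable only for this sandbox session.
SESSION_KEY = os.urandom(32)


def pseudonym(value: str, key: bytes = SESSION_KEY) -> str:
    """Replace an identifier with a keyed, session-local pseudonym."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def filter_url(url: str, anonymize: bool = False, key: bytes = SESSION_KEY):
    """Return ("block", None) or ("pass", rewritten_url) for an outbound URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tracked = [(k, v) for k, v in params if k.lower() in TRACKING_KEYS]
    useful = [(k, v) for k, v in params if k.lower() not in TRACKING_KEYS]

    if not tracked:
        return "pass", url                  # nothing to scrub
    if not useful:
        return "block", None                # identifier-only beacon
    if anonymize:
        # Keep the parameter but swap its value for the session pseudonym.
        kept = [(k, pseudonym(v, key) if k.lower() in TRACKING_KEYS else v)
                for k, v in params]
    else:
        kept = useful                       # delete the identifier outright
    return "pass", urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("https://example.test/beacon?device_id=abc123",
              "https://example.test/search?q=maps&device_id=abc123"):
        print(u, "->", filter_url(u), filter_url(u, anonymize=True))
```
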