There are some speculations about TPM uncontrollably sending data to manufacturer servers if a laptop has any Internet connection. Others say it’s not intended/capable of that, like this answer for example (which is 5 years old though).
Lemmy, what do you say?
Tl;dr: TPMs are very unlikely to make your privacy better or worse, but they could definitely be abused by a company like MS to make end users’ experiences worse. They could also be used for significant security and privacy gains… they’re a tool.
The TPM can be used to provide a cryptographic binding between aspects of your system’s configuration and a unique key which is resident within the TPM (a process called “attestation”). It can also generate secondary keys that are associated with the base key, and use those to do cryptographic operations like encryption/decryption and authentication.
Telemetry wise, the TPM’s only utility might be to “prove” that the data sent from your PC wasn’t tampered with. That said, I don’t think MS is actually doing that, and they don’t need to in order to be incredibly invasive in their telemetry.
The (imo) worst way in which a TPM might be abused in a user-hostile sense is to detect if the OS has been modified by the user, or if an installation isn’t legitimate, etc. That could be used to disable certain features if you try to install unauthorised software, dual boot Linux or whatever. This would be similar to the smartphones of today, which can for example disable access to banking apps if jailbroken/rooted.
TPMs (>2.0 at least) otherwise have the potential to realise a significant improvement in security and privacy for users, if used correctly. They can be used for encryption and credentials that are bound in hardware and therefore practically impossible to steal. And can detect hardware tampering and potentially foil Evil Maid attacks. Imagine if your login sessions for various websites were bound to your hardware, such that a dodgy extension could never steal your cookies.
Big thanks for detailed answer! My understanding is more clear now.