It has to do with the history of how PCs worked and how difficult it is to change things.

In the early days of desktop computing, the software that ran on your computer was trusted completely. It could do pretty much anything it wanted. There were early computer viruses that would cause drives in your computer to run until they overheated and caught fire; although not very successfully.

The point is that early computer operating systems put in place very few barriers to what software could do, this includes access to devices. So if you were writing software for older operating systems, you could just connect to camera devices without doing anything special at all. The whole thing was terribly naive.

Fast forward a decade or two and we’re all much wiser now. When the original iOS and Android operating systems were developed both Apple and Google gave a lot of consideration to how much control the operating system would exert over access to devices and data.

When Apple introduced 3rd party apps leading up to the opening of the App Store in 2008, developers were shocked at the level of control that iOS exerted over their apps. An app needed permission to do a lot of things that were taken for granted on desktop operating systems. Developers had to write their software to handle cases where the user simply said, “No, this app cannot access my camera.” Android has similar controls, of course. I’m just using iOS as an example.

This concept is called a “sandbox”. All apps run in their own sandbox. They can play with all the toys inside the sandbox, but the operating system controls access to anything that isn’t explicitly inside the sandbox. The operating system can also control access to things like CPU, memory, and storage resources.

This is a radical departure from what desktop software developers were used to, but it proved to be incredibly effective at preventing the kinds of malware we see on desktop operating systems. So why didn’t companies like Microsoft simply introduce sandboxes in Windows right away? Because of the weight of legacy software.

Remember that desktop developers were *shocked* at the level of control in iOS. Decades worth of software was already running on end-user’s computers, and these changes would disrupt popular software that millions of people use. Simply adopting these constraints and forcing them on end-users would have led to revolt. Microsoft wasn’t about to risk losing any marketshare by making radical changes.

Instead what we’ve seen is a slow shift over time. End-users adjusted to the idea of granting permission to applications as they used their smartphone devices. Desktop software developers also frequently develop for mobile, so they also got used to the mechanisms required to adapt to this new environment.

Instead of simply adopting all the mechanisms at once, Microsoft started slowly and has built on these security controls. You might remember UAC in Windows Vista (2007). Over time, Microsoft has added additional controls. In recent versions of Windows 11, the end-user must grant permission for applications to use the web cam, for example. Apple introduced that on macOS Mojave back in 2018.

The contrast between how quickly Apple and Microsoft introduce these controls has less to do with what the company wants to do and more to do with their user base. Apple can move quickly because their user base is much smaller, and they have come to expect breaking changes. Microsoft has a *much* larger user base, and that user base heavily skews toward commercial customers who are absolutely *not* tolerant of breaking changes. Basically, Microsoft might *want* to introduce more secure versions of their operating system, but these changes are at odds with the financial interests of their large commercial customers.