defence.is

Module 18 / Explorations / Lab

Personal Security & Privacy Navigator (Lab)

A labelled personal-safety orientation page with boundaries around evasion and operational guidance.

Explorations / Lab - provocations, not policy Public-source companion Updated 2026-06-03
Explorations / Lab - provocations, not policy. This page is a public-source thought exercise. It is not operational guidance, tactical advice, weapons instruction, evasion guidance or adversarial tradecraft.
01

Brief

A navigator for people who need more privacy than default life permits: not a fantasy of total invisibility, but a disciplined map of risk, friction, jurisdiction, and defensive operational security.

02

The Working Premise

Extreme privacy is not a single tool. It is an architecture: reduce exposed identifiers, split identities into silos, remove obvious lookup paths, and avoid creating new records that reconnect everything.

What This Site Is

  • A navigator. It turns the supplied materials into a practical route map with levels, trade-offs, and source-backed caveats.
  • A critique. It separates durable advice from overconfident claims, outdated tools, and jurisdiction-specific tactics.
  • A defensive manual. It is for doxxing prevention, stalking resistance, breach containment, executive safety, and privacy against commercial surveillance.

Sources: Atlantic PDF from Drive; IntelTechniques; Privacy Guides.

What This Site Is Not

  • Not a promise of invisibility. Phones, cameras, payment rails, legal records, and social relationships make total disappearance unrealistic for most people.
  • Not legal advice. Trusts, companies, aliases, mail receiving, tax residence, and real estate reporting depend on local law.
  • Not an evasion guide. Any method that would deceive a bank, court, tax agency, immigration authority, or law enforcement process is out of scope.

Boundary: legal, defensive, accountable use only.

03

Start With The Adversary

A person hiding from advertisers does not need the same system as a crypto founder under kidnapping risk. The first mistake in privacy is buying tools before naming the threat.

04

Four Privacy Levels

Use the controls to isolate a tier. The levels are cumulative, but not mandatory: most people should stop at the lowest level that solves the concrete risk.

Baseline Hygiene

For ordinary people facing account theft, spam, low-level stalking, and routine broker exposure.

Use a password manager, phishing-resistant MFA where possible, device updates, credit/breach monitoring where available, encrypted backups, and removal from obvious people-search sites.

Stop here if: your risks are mostly account compromise, spam, and casual lookup.

Identity Hardening

For people worried about doxxing, swatting, harassment, exposed phone numbers, and vendor breaches.

Create unique email aliases per account, use virtual or masked payments where legal, reserve your real phone number, freeze credit in countries where this exists, and remove address trails from brokers.

Key idea: a breach at one merchant should not reveal your home, main inbox, phone, and bank at once.

Compartmentalized Life

For public figures, executives, activists, security workers, and people with credible targeted threats.

Separate personas, devices, phone numbers, addresses, browsers, and payment rails by context. Use hardened mobile configurations and repeatable rules for travel, delivery, school, guests, and contractors.

Failure mode: one family contact entry, school directory, or delivery account can collapse the separation.

Structural Obscurity

For high-risk people facing kidnapping, violent stalking, extortion, or advanced adversaries.

Use professional legal/security help for entity ownership, residential privacy, family protocols, physical security, executive monitoring, and incident response. DIY mistakes are expensive here.

Boundary: privacy structures must not be used to evade tax, court orders, sanctions, immigration rules, KYC requirements, or lawful obligations.

05

Tools Are Only Nodes

Filter by domain, then open any file. Each entry gives a tactical pattern, a correction to the source material, and the safest defensive boundary.

  • Use a password manager and unique credentials everywhere.
  • Prefer passkeys or hardware security keys for primary email, password manager, banking, cloud, domain registrar, and crypto accounts.
  • Keep at least two hardware keys: one daily, one sealed backup in a physically secure place.
  • Remove SMS recovery where possible; where impossible, isolate the phone number and carrier account.

Correction

Do not center Authy desktop in a 2026 guide. Authy desktop was sunset; recommend hardware keys, passkeys, or current exportable authenticators instead.

  • Use one unique alias per service. The alias identifies the leak source and can be killed without moving your main inbox.
  • Create naming rules by context: banking, shopping, medical, work, travel, public profile, experimental signups.
  • Protect the alias provider like primary email: hardware key, recovery review, export plan.

Boundary

Aliases are not false identity documents. Use them to reduce spam, breach correlation, and public lookup paths, not to deceive regulated institutions.

  • Use a supported device, keep it updated, and separate high-risk apps into different user or work profiles.
  • Disable network and sensor permissions for apps that do not need them.
  • Use sandboxed Google Play only when the app ecosystem requires it, and understand it is still Google software running as ordinary sandboxed apps.
  • Keep banking and travel apps in a compatibility profile if needed; do not assume everything works on hardened systems.

GrapheneOS is not magic de-Googling. Its value is systemic hardening, permission control, and optional sandboxed Google Play without privileged OS integration.

  • Use a reputable VPN to hide traffic from local networks and reduce ISP-level visibility.
  • Use Tor Browser for anonymity-sensitive browsing, not a normal browser plus a VPN.
  • Avoid logging into personal accounts from anonymity contexts; account login usually defeats network-layer anonymity.
  • Use DNS filtering to reduce tracking and malware exposure, but do not call DNS privacy anonymity.

A VPN changes who can observe parts of your traffic. It does not make you anonymous to websites, accounts, payment systems, browser fingerprints, or legal process.

  • Stop using the home address for shopping, public profiles, newsletters, warranty cards, and casual forms.
  • Use a receiving address that is legitimate for the context: mail service, office, parcel locker, trusted business address, or jurisdiction-specific CMRA equivalent.
  • Create a household rule: no legal names on packages to the residence unless necessary.
  • Audit school, club, HOA, medical, pet, utility, and contractor systems for home-address exposure.

Some institutions require a residential address. Give legally required information where required; reduce public and commercial exposure elsewhere.

  • If the threat justifies it, consult a local attorney before buying, leasing, or transferring property through a company, trust, nominee, or agent.
  • Plan banking, insurance, taxes, utilities, school enrollment, estate planning, and reporting before closing or moving.
  • Assume beneficial ownership may be known to banks, counsel, counterparties, or government systems even if not visible in county records.

Do not treat LLCs or trusts as universal invisibility. US domestic BOI reporting is currently narrowed, while FinCEN residential real-estate reporting status changed in March 2026 and remains legally volatile.

Sources: FinCEN BOI ; FinCEN RRE status .

  • Use merchant-locked virtual cards or bank-provided card controls where available.
  • Create per-merchant limits and close cards after a suspicious charge, subscription fight, or breach.
  • Keep a simple ledger mapping merchant, alias email, phone number, card, and shipping address.
  • Use cash for local purchases when lawful and practical, especially near home.

Payment masking reduces commercial correlation and breach blast radius. It does not hide lawful bank records, taxes, sanctions screening, or regulated payment obligations.

  • In the US, freeze Equifax, Experian, TransUnion, and Innovis; consider ChexSystems and NCTUE depending on threat.
  • Store PINs/recovery codes in the password manager and offline backup.
  • For other countries, identify local credit bureaus, telecom credit systems, and national identity-lock programs.

Why

This is one of the most practical defensive moves: it targets fraud and account opening, not ideological purity.

  • Make privacy boring. Standardize how you answer address, phone, birthday, delivery, contractor, and school-directory questions.
  • Prefer kind, low-drama refusals. Being memorable is a privacy failure.
  • Train family on a few rules rather than a full ideology: do not save the home address under legal names, do not post travel in real time, do not forward documents casually.
  • Keep identities 90 percent real and 10 percent withheld where lawful; elaborate lies create maintenance debt.

The strongest point in the Atlantic profile is not gear. It is cognitive overhead: privacy fails when daily life becomes too annoying to maintain.

  • Run an initial scan of people-search exposure and remove the most dangerous records first: home address, phone, relatives, age, property links.
  • Use removal services for time savings, not guaranteed erasure. Combine with manual opt-outs for high-priority sites.
  • Repeat quarterly or after major life events: move, marriage, property transfer, business filing, breach, court record, new phone.

Consumer Reports found removal services reduce exposure but are far from complete; even the better performers left data visible after months.

Sources: CR removal study ; Permission Slip .

  • Use lawful minimization first: do not provide optional data, reject loyalty programs, remove metadata, avoid public posting, and use aliases for unregulated casual services.
  • Keep a private record of any benign variation you use so you can unwind mistakes.
  • Never falsify legally material information to banks, insurers, courts, employers, tax agencies, immigration systems, or regulated providers.

"Poison the database" sounds powerful, but it can create legal, contractual, and account-recovery problems. Treat it as narrow obfuscation, not a default tactic.

  • Use Faraday storage only when you have a clear reason: border-risk preparation, sensitive meetings, stalking threat, device quarantine, or location discipline.
  • Test bags periodically with Wi-Fi, cellular, Bluetooth, and GNSS behavior; many cheap bags degrade or leak.
  • For vehicle privacy, reduce linkage before trying clever tactics: registration exposure, insurance records, parking apps, toll transponders, infotainment accounts, and predictable routines.

Do not remove, obscure, or manipulate license plates where illegal. Target lawful minimization and record separation, not evasion of traffic or criminal enforcement.

06

The Critical Read

The materials are strongest when they describe architecture and weakest when they imply that one stack works everywhere. Privacy is a legal and social system before it is a gadget stack.

I agree

  • Compartmentalization works. Unique emails, cards, numbers, and addresses reduce breach correlation.
  • Home address is the critical asset. Many harms escalate when online identity resolves to a door.
  • Social leakage beats technical purity. Family, friends, contractors, schools, and delivery systems often expose more than malware.
  • Privacy has a fatigue budget. The best routine is the one you can repeat when tired.

I disagree or soften

  • "Disappear completely" is misleading. Most people can become harder to find, not absent from modern systems.
  • VPN advice is often overstated. VPNs are useful but do not defeat accounts, fingerprints, payments, subpoenas, or endpoint compromise.
  • Entity privacy is not portable. LLC/trust tactics are highly local and can collide with reporting, tax, lending, and insurance rules.
  • Data poisoning is not harmless. It can break recovery, violate terms, or create legal risk when used in regulated contexts.

I would add

  • Incident playbooks. What to do after doxxing, swatting threats, sextortion, SIM-swap attempts, or address exposure.
  • Relationship protocols. Scripts for schools, relatives, neighbors, service providers, and employers.
  • Recovery design. Privacy systems need backups, account recovery, heirs, medical emergencies, and trusted contacts.
  • Regional forks. US tactics should be labeled as examples; every country needs its own legal appendix.

Volatile claims last checked May 20, 2026: Cycurion/Halo/HavenX announcement, FinCEN BOI, FinCEN RRE status, GrapheneOS docs, Consumer Reports data removal study.

07

A Practical Reboot

The checklist is session-only. It does not save to local storage, does not transmit, and resets when the page is reloaded.

  • Move all passwords into a manager and remove duplicates.
  • Secure primary email and password manager with hardware key or passkey.
  • Review recovery emails, phone numbers, backup codes, and logged-in devices.
  • Patch devices and remove unused apps with broad permissions.
  • Create email alias rules for new accounts and migrate high-risk old accounts.
  • Reserve your real phone number for the smallest possible set of institutions.
  • Remove people-search listings and set a quarterly recheck calendar.
  • Freeze credit or identify local equivalents where available.
  • Stop routine delivery to home under legal names when safer alternatives exist.
  • Audit school, employer, medical, property, and utility exposure.
  • Use virtual or merchant-locked cards where lawful and available.
  • Document which email, phone, card, and address each service has.
  • Bring in local legal counsel before entity ownership, trust, domicile, or property changes.
  • Design family protocols for school, phones, travel, visitors, medical emergencies, and inheritance.
  • Consider hardened devices and separate profiles only when ordinary devices create unacceptable risk.
  • Write an incident plan for doxxing, swatting threats, extortion, and device compromise.
08

Link-light, Source-heavy

The site favors primary or directly relevant sources and labels volatile claims. Links are normal anchors; this static page does not load content from them.

Extreme Privacy Navigator / static local artifact / no external runtime / no persistent state / defensive use only.