Margaret is a fifty-three year old housewife in Birmingham who read an article on Substack last month about how to become a digital ghost. She followed all the steps. Deleted her old accounts. Checked Have I Been Pwned. Installed a VPN she found advertised on YouTube. Changed her passwords. Felt pretty good about herself. Then she hopped on Twitter and told a local politician exactly what she thought about his immigration policy using language that would have been considered mild pub banter twenty years ago.

Two weeks later, police showed up at her door. They had her name, her address, her IP address, her device identifiers, and screenshots of everything she posted. The VPN she installed logged everything and handed it over the moment law enforcement asked. Her browser fingerprint matched across six different sessions. Her mobile carrier had records of her location when every post was made. She is now facing charges under Britain’s Communications Act, joins the thousands of British citizens being arrested every month for saying things online that the government does not like, and she is absolutely bewildered because she thought she was invisible.

Margaret read an article written by someone who does not understand how digital surveillance actually works and she believed it because it had thousands of likes and shares and it told her what she wanted to hear. Now she has a criminal record and a court date and a very expensive lesson in the difference between feeling safe and being safe.

I do not want you to be Margaret. So let me teach you how digital privacy actually works.

The Viral Article That Started This

An article has been circulating on Substack about how to delete ninety-nine percent of your digital footprint and become a digital ghost. It has thousands of likes and shares and restacks. The author has four thousand subscribers and this single piece outperformed anything I have ever published despite having sixty thousand people following my work. I read it expecting to find some serious information security content and what I found was a guide so basic and incomplete that anyone who follows it and thinks they have become invisible online is only fooling themselves.

Deleting old accounts from services you no longer use reduces your attack surface. Using the Google removal tool to clean up cached search results is a legitimate step. Going through your email to find forgotten accounts is good operational hygiene. Changing your passwords regularly and not reusing them across services is basic security that most people still do not practice. Using privacy settings on social media and deleting old posts reduces your exposure. These are all reasonable suggestions and I am not saying the author is a fraud or an idiot.

The author covered the absolute basics that any functioning adult should already know and then stopped right where the real information begins. From the perspective of someone who has spent thirty years in tech and information security, this guide is so surface-level that it borders on dangerous because it gives people confidence they have not earned about protections they do not actually have.

I have spent thirty years working in tech. I was a teenage hacker who got approached by the FBI to work for them and turned them down. I spent years as a tech stock analyst watching how corporations actually handle your data behind the scenes. I know what real information security looks like, and that viral article is not it.

Share

Your VPN Is Not Protecting You The Way You Think It Is

The original article mentions using a VPN and checking that it has been publicly audited for no logs. That is good advice as far as it goes, which is not very far. What the author did not tell you is that the VPN market is saturated with honeypots, compromised services, and outright lies about logging policies.

First, understand what a VPN actually does and does not do. A VPN encrypts your traffic between your device and the VPN server, and it masks your real IP address from the websites you visit. That is it. It does not make you anonymous. It does not make you untraceable. It shifts trust from your internet service provider to the VPN provider. If your VPN provider is compromised, logs despite claiming otherwise, or operates in a jurisdiction where they can be compelled to cooperate with law enforcement, you have accomplished nothing except paying someone monthly for a false sense of security.

If you are serious about privacy, you need a VPN provider based in a jurisdiction outside the Fourteen Eyes intelligence sharing alliance. You need to pay for it in cryptocurrency, specifically Monero if possible because Bitcoin is not actually anonymous and can be traced through blockchain analysis. You need to use a provider that has been tested in court and proven they had no logs to hand over when subpoenaed.

But even a legitimate no-log VPN paid for in cryptocurrency is not enough if you are facing a serious adversary, because there are ways to correlate traffic that do not require logs from your VPN provider.

Your MAC Address Is Screaming Your Identity

Every network interface on every device you own has a unique identifier called a MAC address. When you connect to a network, that address is broadcast. Your home router logs it. The coffee shop wifi logs it. Every network you have ever connected to has a record of your device being there at a specific time. The original article did not mention this at all.

If you are serious about privacy, you need to spoof your MAC address before connecting to any network. On Linux this is trivial. On Windows and Mac it requires third-party tools or registry edits. On phones it is more complicated and in some cases impossible without rooting the device. You should be generating a random MAC address every time you connect to a new network, and you should understand that most people do not do this, which means your real MAC address is already logged in dozens or hundreds of databases connected to timestamps and locations.

They do not need your VPN logs if they can subpoena the wifi logs from every Starbucks in your city and correlate your device showing up at locations that match your pattern of life. They do not need to break your encryption if they can prove your specific device was in a specific place at a specific time and cross-reference that with other data points until your identity falls out of the analysis.

Your Phone Is A Tracking Device You Pay For Monthly

The original article mentioned using a VPN on your phone. That is almost laughably inadequate. Your phone is the single greatest threat to your privacy that exists, and no amount of VPN usage or app deletion is going to change that.

Your phone has a unique IMEI number that identifies the physical device. It has a SIM card with a unique identifier that connects to cell towers. Every time your phone is powered on, it is pinging towers and those pings are logged with timestamps and location data. Your carrier knows where you are at all times. They sell this data to brokers. Law enforcement can access it with a warrant or sometimes without one depending on jurisdiction. Even if you use a burner phone paid for in cash, the moment you power it on near your home or work or any location associated with your identity, pattern analysis can connect it to you.

If you want actual phone privacy, you need a device running a de-Googled operating system like GrapheneOS or CalyxOS. You need to disable all location services and understand that this does not stop cell tower triangulation, it only stops apps from accessing GPS data. You need to use the phone only in locations not associated with your identity. You need to understand that the baseband processor, the chip that handles cellular communication, runs proprietary firmware that you cannot audit and that has been demonstrated to contain backdoors. There is no such thing as a secure smartphone. There are only degrees of insecurity.

Serious privacy practitioners use phones in airplane mode with wifi disabled except when needed, and they connect only through networks they do not own using spoofed MAC addresses. Some use Faraday bags that block all signals when they are traveling and do not want their location tracked. Some do not carry phones at all. The idea that you can download a VPN app and achieve meaningful privacy on a device designed from the ground up to track you is fantasy.

Browser Fingerprinting Makes Your VPN Irrelevant

The original article mentioned using DuckDuckGo, which is a search engine that does not track your queries. Good start. But the author did not mention browser fingerprinting, which is a technique that can uniquely identify you across the internet without using cookies or IP addresses at all.

Every time you visit a website, your browser sends information about itself. Screen resolution. Installed fonts. Browser plugins. Timezone. Language settings. Hardware configuration. Individually these data points mean nothing. Combined, they create a fingerprint that is unique to your specific device and browser configuration. Studies have shown that browser fingerprints are unique for over ninety percent of users. You can use a VPN and clear your cookies every five minutes and websites can still track you across sessions because your fingerprint does not change.

The Tor Browser exists specifically to defeat fingerprinting by making every user look identical. It standardizes window sizes, spoofs data points, and routes traffic through multiple encrypted relays so no single node knows both who you are and what you are accessing. If you are not using Tor or a similarly hardened browser, your VPN is giving you privacy theater while you leak identifying information with every page you load.

Intelligence agencies have demonstrated the ability to deanonymize Tor users through traffic analysis, timing attacks, and compromised exit nodes. The FBI took down an entire dark web hosting provider by exploiting a vulnerability in the Tor Browser. Nothing is bulletproof. The question is always about your threat model and how motivated your adversary is.

SOCKS5 Proxies And Proxy Chains

The original article did not mention SOCKS5 proxies at all, which tells me the author has never done serious privacy work. A SOCKS5 proxy is a server that routes your traffic without modifying it, supporting any type of traffic including UDP which most VPNs do not handle properly. You can chain multiple SOCKS5 proxies together so that your traffic bounces through several servers in different jurisdictions before reaching its destination.

Proxy chains add latency but they also add complexity for anyone trying to trace your connection. If you route through a proxy in Romania, then Switzerland, then Iceland, each paid for separately with cryptocurrency, an investigator has to serve legal process in three different countries with three different legal systems to trace you back. Most investigations do not have the resources or motivation to do this for anything less than serious federal crimes.

Combine this with Tor and a no-log VPN and you have layered your traffic through enough intermediaries that casual surveillance becomes impractical. But understand that state-level actors with global visibility into internet traffic can potentially correlate your connections through timing analysis even across multiple proxies. The NSA has been doing this for decades. There is no technical solution to an adversary that can see all traffic on all networks simultaneously.

Your Metadata Is More Valuable Than Your Content

Most people think about privacy in terms of content. They worry about someone reading their emails or seeing their messages. What they do not understand is that metadata, the data about your data, is often more valuable to surveillance than the content itself.

Metadata includes who you communicate with, when, how often, and for how long. It includes what websites you visit and in what order. It includes your patterns of behavior over time.

You can encrypt your messages end-to-end but if an adversary can see that you contacted a specific person at a specific time from a specific location, they often do not need to know what you said.

Minimizing metadata leakage requires operational security that goes far beyond installing a VPN. It means using services that do not log metadata. It means not establishing predictable patterns of communication. It means understanding that every action you take online generates metadata somewhere, and that somewhere is probably a server you do not control in a jurisdiction that does not protect you.

Data Brokers Have Already Sold Your Life

The original article focused on deleting your accounts and removing yourself from Google. That is useful but it ignores the fact that data brokers have been buying, selling, and aggregating information about you for decades. Companies like Acxiom, LexisNexis, and hundreds of smaller players have files on you that include your address history, employment history, family relationships, purchasing habits, political affiliations, health conditions, and thousands of other data points harvested from public records, loyalty programs, credit applications, and the endless stream of services that sell your information the moment you agree to their terms of service.

You can request removal from these databases. Many are required by law to honor opt-out requests. But there are hundreds of these companies and removing yourself from all of them is a full-time job that never ends because new brokers pop up constantly and the ones you removed yourself from may have already sold your data to ten others. Services like DeleteMe will do this work for you but they charge money and they cannot catch everything.

The uncomfortable truth is that if you have lived a normal life in the modern world, your information is already out there in databases you do not know exist, owned by companies you have never heard of, being sold to buyers you will never be able to identify. You can minimize future damage but you cannot delete the past.

The CIA Could Find You In Ten Minutes

Here is the part that nobody wants to hear. If a state-level actor with real resources decides they want to find you, they will find you. The techniques I have described will stop casual surveillance, corporate tracking, and low-level adversaries. They will not stop the NSA or CIA or FBI if you become a priority target.

These agencies have capabilities that are not public. They have zero-day exploits for every major operating system and browser. They have agreements with telecommunications companies that give them access to traffic at the backbone level. They have the ability to correlate anonymized data across multiple sources until your identity emerges from pattern analysis. They have been doing this for longer than most people have been alive and they have budgets in the billions to perfect these techniques.

Does this mean privacy is pointless? No. It means you need to understand your threat model. If you are hiding from an abusive ex, the techniques in the original article are probably sufficient. If you are hiding from corporate surveillance and data brokers, the techniques I have described will help significantly. If you are hiding from a nation-state intelligence agency, you need to disappear physically, not just digitally, and even then history is full of people who thought they had vanished and were found anyway.

Share

What Actual Privacy Requires

Real digital privacy is not a product you can buy or a guide you can follow one time. It is an ongoing practice that requires constant vigilance, technical knowledge, and a willingness to sacrifice convenience for security. Here is what it actually looks like:

You compartmentalize your identities so that your real name is never connected to your sensitive activities. You use separate devices for separate purposes, ideally purchased with cash and never connected to your home network. You use operating systems like Tails that leave no trace on the machine after shutdown. You route traffic through Tor and proxies paid for in Monero. You spoof your MAC address on every connection. You use a Faraday bag for your phone when traveling. You assume every network is hostile and every service is logging. You verify the integrity of your software and keep everything updated. You understand that one mistake can unravel months of careful operational security.

Most people are not willing to do this because it is inconvenient and exhausting. That is fine. Most people do not need this level of protection. But do not fool yourself into thinking you have achieved real privacy because you deleted your Facebook account and installed a VPN that was advertised on a podcast. You have not. You have done the digital equivalent of putting a lock on your diary while leaving your windows open and your address published in the phone book.

The original article is not wrong. It is incomplete in a way that gives people false confidence about their actual level of exposure. If you followed that guide and think you are a ghost, I am sorry to tell you that you are still visible to anyone who cares enough to look. The difference between that guide and real privacy is the difference between locking your front door and building a bunker.

Know your threat model. Understand what you are actually protecting against. And stop believing that five thousand likes on Substack means someone knows what they are talking about, because in my experience the posts that go viral are usually the ones that tell people what they want to hear rather than what they need to know.

Get 20% off forever

Share