Personal Privacy

Sept 2025

I recently had a friend go through a nightmare scenario. His Gmail and iPhone were fully compromised. From there, malicious actors gained access to his social media, online accounts, bank accounts, credit cards, and business. Even after he began to fight back, they kept trying to find a way in. He asked for help. Because of the deep level of compromise he faced, I put together a set of best practices that some might call paranoid; I know this seems like a lot, but it's the level of security he needs right now. I'm providing it here exactly as it was written.

You need to remember this maxim: Treat Everything as a Threat Until Proven Otherwise.

First and foremost, get a new router for your house. Do not use the Wi-Fi router provided by your internet provider: bad actors may already have a foothold on the default provider equipment, and internet providers also tend to open its wireless to the world as part of their "always find internet anywhere" programs.

Second, begin to use 1Password for everything. Set crazy long passwords and use 2FA (two-factor authentication) on everything. If a service doesn't support 2FA, consider dropping it for something better. If the only 2FA option is a text message to a phone, as with many banks, set up Google Voice or get a burner phone (a dumb phone) and have the texts sent there. If you want to go all the way, use a Yubikey for the second factor. Use passkeys where available.

If you don't use a Yubikey, use 1Password, Duo, or Proton Authenticator to keep your 2FA codes in a secure place. But DO NOT enable cloud sync. That's another attack vector.

DO NOT REUSE PASSWORDS and USERNAMES.

Use a service like Fastmail for email, where you can create endless random and anonymous addresses and use a different one for each service. Fastmail and 1Password also work well together. Discard Gmail, or just leave it hanging; do not use it for anything secure anymore.
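Once everything lives in a password manager, the reuse rules above can be checked mechanically rather than by eye. The following audit is an added example, not part of the post and not a 1Password or Fastmail feature; it assumes a simple exported-vault shape (one dict per entry with `service`, `username`, `password` and `two_factor` fields, all hypothetical) and uses constructed sample entries. It flags passwords shared across services, usernames or emails shared across services, and entries with no 2FA or with SMS/email-only 2FA.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed sample vault export. None of these services, addresses or
# passwords are real; they exist only to exercise the checks below.
SAMPLE_VAULT = [
    {"service": "bank.example",   "username": "alex.smith@gmail.example",
     "password": "Tr0ub4dor&3",           "two_factor": "sms"},
    {"service": "shop.example",   "username": "alex.smith@gmail.example",
     "password": "Tr0ub4dor&3",           "two_factor": None},
    {"service": "social.example", "username": "alex.smith@gmail.example",
     "password": "correct-horse-battery", "two_factor": "totp"},
    {"service": "mail.example",   "username": "k7q2z.random@fastmail.example",
     "password": "qP7!vZ2#mL9@kR4$wN6^",  "two_factor": "hardware_key"},
]

# Second factors that are phishable or SIM-swappable; treated as weak.
WEAK_2FA = {"sms", "email"}


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so reuse can be reported without echoing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_password_reuse(vault: List[dict]) -> Dict[str, List[str]]:
    """Map password fingerprint -> services, for passwords used more than once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["service"])
    return {fp: sorted(s) for fp, s in groups.items() if len(s) > 1}


def find_username_reuse(vault: List[dict]) -> Dict[str, List[str]]:
    """Map username/email -> services, for identities used more than once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for entry in vault:
        groups[entry["username"].strip().lower()].append(entry["service"])
    return {u: sorted(s) for u, s in groups.items() if len(s) > 1}


def weak_or_missing_2fa(vault: List[dict]) -> Dict[str, List[str]]:
    """Services with no second factor, and services whose factor is weak."""
    missing = sorted(e["service"] for e in vault if not e.get("two_factor"))
    weak = sorted(e["service"] for e in vault if e.get("two_factor") in WEAK_2FA)
    return {"missing": missing, "weak": weak}


def audit(vault: List[dict]) -> dict:
    """Run all checks; an empty report means the vault follows the rules."""
    return {
        "password_reuse": find_password_reuse(vault),
        "username_reuse": find_username_reuse(vault),
        "two_factor": weak_or_missing_2fa(vault),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_VAULT).items():
        print(f"{check}: {result}")
```

Run it against a real export only on the new, trusted machine, and delete the export afterwards; the fingerprint column is there so the report itself can be shared with someone helping you without exposing the passwords.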

Next: iPhone security. (Note: there may be similar settings on Android, but in his case he is using an iPhone.)

Get a brand new device. Do not reuse the old one, even with a factory reset. Get a new number too; your old one is gone.

Once you get a new phone, apply these basic iPhone security and privacy settings:

  1. Set a strong passcode (alphanumeric) and enable Face ID/Touch ID for biometric authentication.
  2. Enable two-factor authentication for your Apple ID from Settings > [your name] > Sign-In & Security > Two-Factor Authentication.
  3. Turn on Stolen Device Protection in Settings > Face ID & Passcode.
  4. Set up Find My iPhone for remote location, lock, or erase; never share Apple ID credentials.
  5. Review and limit location services: Go to Settings > Privacy & Security > Location Services. Turn off for unnecessary apps or set to “While Using”.
  6. Revoke Bluetooth permissions for apps that don’t need it, via Settings > Privacy & Security > Bluetooth. In fact, disable Bluetooth altogether until you need it, then disable it again after use. It's a common way into a phone.
  7. Disable lock screen access to Control Center and other sensitive features by editing “Allow Access When Locked” in Face ID & Passcode settings.
  8. Only download apps from the official App Store to avoid malware.
  9. Limit notification previews when the device is locked (Settings > Notifications > Show Previews > When Unlocked or Never).
  10. Disable read receipts on SMS (green text messages) and iMessage (blue text messages).
  11. Don’t geotag or share photos with location data on social media. Turn off location tagging in the Camera app settings or Photos privacy options.
  12. Delete or limit use of tracking apps (like Facebook or TikTok) and choose privacy-focused alternatives.
  13. Avoid connecting to insecure public Wi-Fi; consider using a VPN for additional privacy. I recommend Proton VPN.

Next, Lockdown Mode. For the time being, since you've been compromised and they might try to get back in, I'd recommend that you enable Lockdown Mode on the iPhone. It provides extreme security by limiting device functions to protect against sophisticated attacks and malware. It can be quickly enabled in Settings, but comes with several feature restrictions aimed at maximizing safety for high-risk targets, which is what you are right now.

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Scroll down and select Lockdown Mode.
  4. Read the information detailing what features will be limited.
  5. Tap Turn On Lockdown Mode.
  6. Tap Turn On & Restart; enter your phone passcode if prompted. Your device will restart with Lockdown Mode active.

What happens in "Lockdown Mode":

  1. Messages: Most attachments are blocked except for basic image, video, and audio types. Link previews and some features are disabled.
  2. Web Browsing: Some advanced web technologies are blocked, causing certain sites to load improperly or slowly; web fonts and some images may not appear.
  3. FaceTime: Incoming calls are only allowed from contacts you've recently called; features like SharePlay, Live Photos, and Continuity Handoff are disabled.
  4. Photos: Location info is stripped from shared images; Shared Albums are removed, and new invitations to Shared Albums are blocked.
  5. Device Connections: The device must be unlocked for connecting to computers or accessories; connection approval becomes a manual step.
  6. Wireless Connectivity: Your phone won’t join insecure Wi-Fi networks; 2G cellular support is disabled for safer connectivity.
  7. Configuration Profiles: Profiles can't be installed, and device management enrollments are disabled.
  8. Apple Services: Invitations for services such as managing a home in the Home app are blocked unless you've recently invited that person; Focus and Game Center are disabled.
  9. Other Minor Changes: Features like autofill for SMS codes are disabled, link previews removed, and certain apps may display banners indicating Lockdown Mode is active.

Data and account protection:

Now for the more labor-intensive part: personal privacy, the paranoid way -> digital footprint management.

This is what we will have to do for a while:

  1. Do not project more than you must.
  2. Strip away what does not serve security.
  3. Exploit the adversary’s reliance on data by polluting their feed.

It's hard work, but you need to leave your old self behind and create fake info that throws them off your scent.

Here's how, using the same framework I use for high-level execs who are targets: privacy as raw digital reduction plus controlled misinformation. It treats personal data as infrastructure, either load-bearing (necessary) or fluff (dangerous).

Everything fluff must be destroyed. Everything that can’t be removed must be polluted. This creates a privacy architecture of noise: attackers either see nothing, or they see too much of the wrong thing.

1. Minimal Projection (reduce attack surface)
If it doesn’t exist, it can’t be exploited.

Remove old accounts, scrub inactive profiles, delete unnecessary posts. Use deletion services to handle data brokers. Manual purges are prone to miss things. Try DeleteMe or Optery. Use them! Avoid over-sharing on platforms (family details, job info, location, etc). In fact, delete all but the essentials.

Ideal outcome: A flat, uninteresting digital wall. Nothing for attackers to grip.

2. Structural Necessity (keep only what’s required/needed)
Keep the things that are functional, discard everything else.

Retain only accounts/services necessary for work or essential services. Use alias emails*, pseudonyms, and compartmentalized identities. Configure privacy settings to maximum restriction, but assume they leak anyway.

Ideal outcome: A minimal, hardened skeleton. Digital presence reduced to critical load-bearing elements only.

* An alias is an alternative email address that automatically forwards messages to your main inbox.

3. Obfuscation over Illusion (brutalist security and privacy countermeasures)
Do not pretend to be invisible; instead, be structurally "confusing".

Use privacy tools (VPNs, Tor, encrypted comms) not as “cool privacy tools” but as baseline infrastructure. Make sure data is encrypted both at rest and in transit. Use Signal whenever possible. Vary behavioral patterns (different logins, device fingerprints, browsing habits). Ensure no single “you” exists online: only fragments, some real, some manufactured. Once a week, log out of everything and clear cookies, cache, and other site data on ALL browsers.

Ideal outcome: Adversaries see raw structures but cannot distinguish signal from noise.

4. Family and Corporate Protection
The perimeter extends beyond the individual.

Extend minimization practices to family members (kids, spouses, relatives) and immediate support staff (EAs, protective security detail, deputies). Remove identifiable company associations from personal accounts. Encourage leadership and employees to follow the same privacy framework. Do not post on LinkedIn.

Ideal outcome: Attackers cannot use personal data as leverage against the company or family.

Advanced (bonus): Successful data pollution requires ongoing attention and ownership; it cannot be done casually.

5. Counterintelligence via Data Pollution
If erasure is impossible, dilute the value of what remains.

Seed false or misleading information (alias profiles, fake interests, incorrect personal details). Plant decoy trails: alternative names, throwaway accounts, conflicting metadata. Pollute automated scrapers, OSINT collectors, and data brokers with contradictions.

Ideal outcome: When adversaries attempt profiling, they face noise and false patterns, which makes targeting more expensive and unreliable and pushes them toward a different target.

In short:

  1. Minimal Projection → Delete unnecessary accounts, stop broadcasting.
  2. Structural Necessity → Retain only essential, hardened digital elements.
  3. Counterintelligence via Data Pollution → Flood OSINT channels with false flags.
  4. Obfuscation over Illusion → Don’t hide; confuse and fragment.
  5. Family and Corporate Protection → Extend practices beyond yourself.