I’ve created a highly specific and actionable privacy guide, sorted by importance and venturing several layers deep into the privacy iceberg. I start with the basics (password manager) but also cover the obscure (dodging the millions of Bluetooth tracking beacons which extend from stores to traffic lights; anti-stingray settings; flashing GrapheneOS on a Pixel). I feel strongly motivated by current events, but the guide also contains a large amount of timeless technical content. Here’s a preview.
Digital Threat Modeling Under Authoritarianism by Bruce Schneier
Being innocent won’t protect you.
This is vital to understand. Surveillance systems and sorting algorithms make mistakes. This is apparent in the fact that we are routinely served advertisements for products that don’t interest us at all. Those mistakes are relatively harmless—who cares about a poorly targeted ad?—but a similar mistake at an immigration hearing can get someone deported.
An authoritarian government doesn’t care. Mistakes are a feature and not a bug of authoritarian surveillance. If ICE targets only people it can go after legally, then everyone knows whether or not they need to fear ICE. If ICE occasionally makes mistakes by arresting Americans and deporting innocents, then everyone has to fear it. This is by design.
This guide will help you protect your communications and information so you can think and speak freely. The privacy won’t be perfect, but it should give you breathing room. As more people reclaim their privacy, their networks grow more secure and resistant to authoritarian punishment.
Obligatory disclaimer: I work on AI alignment at Google DeepMind but am only expressing my own views.
What should I read?
This guide is long. Don’t try to complete it all at once. My website has long-lasting checkbox functionality (my site hosts the article you are previewing). As you complete items, check them off to remember your place in the guide.
| Tier | Time for tier | Cost of tier | Protection level | 
|---|---|---|---|
| Quick start | 50 minutes | $0 | Online accounts secured against most hacking. Limited private communication ability. | 
| Privacy basics | 90 minutes upfront + 45 minutes for YubiKey setup when it arrives | $110 + $13/month | Significant privacy against mass surveillance. Govt. has a harder time seeing who you talk to and can’t easily monitor what you say on the Signal app. | 
| End-to-end encrypt your data | At least 4.5 hours | $14/month | Mass surveillance unlikely to capture your important data or communications. | 
Each tier builds on the previous, so do them in order.
Something is better than nothing. Even a few hours can transform your privacy.
If money is hard to come by, don’t worry—many of the best interventions are free.
If you find this subject distressing, you’re not alone because I do as well. Do what you can.
What’s your risk level?
| Your situation | Threat level | Recommended sections | 
|---|---|---|
| Living in a stable democracy, a Trump supporter who does not belong to any marginalized groups | Low | Quick Start & Privacy Basics | 
| US citizen who does not support Trump | Medium | This guide and the sequel, all sections | 
| Immigrant, journalist critical of regime, opposition politician | High | Both guides & consult security professionals | 
| Facing imminent arrest or deportation | Critical | This guide is insufficient—seek legal counsel immediately | 
This guide is about protecting yourself, but it’s not necessarily about hiding. I personally think what’s going on right now is horrible and that most citizens should act. At the same time, you should take intelligent risks via intentional public statements—not avoidable risk because the government spies on your private communications.
⚠️ Warning: These posts do not suffice to protect you against targeted surveillance. If you’re at risk of that, read this guide and the more advanced sequel but also refer to a more hardcore guide with targeted surveillance in mind and consult a security professional.
What information this guide will and won’t help you protect
If your phone is connected, cell towers track your approximate location. License plate readers track your car. Facial recognition identifies you in public spaces and others’ photos. You will be hard-pressed to turn invisible while participating in modern society.
This guide will teach you to protect a limited selection of your data:
Content of your communications (Signal E2EE),
What you’re researching and reading (VPN hides websites),
Your organizing documents and plans (E2EE cloud storage),
Your network and contacts (E2EE contact storage & calendar),
Correlation across identities (pseudonymity, email aliases).
In high-risk situations, leave wireless-enabled devices at home, in airplane mode, or in Faraday bags for truly sensitive meetings. Otherwise, pessimistically assume the government knows where you are at all times. Also, financial privacy is hard and this guide only helps a bit on that front.
Overview of the technical recommendations in each post
Privacy Despite Authoritarianism
Tier 1: Quick-start essentials (50 minutes, free)
Bitwarden password manager, Proton Authenticator for 2FA (not SMS—exploited by China), Signal for E2EE messaging, iOS Advanced Data Protection, strong device passwords.
Tier 2: Privacy basics (90 minutes + 45 min, $110 + $13/month)
ProtonVPN with kill switch (though iOS breaks VPNs), Brave browser, privacy search engines, two YubiKeys for hardware 2FA, minimize app permissions, disable geotagging.
Tier 3: End-to-end encrypt your data (4+ hours, $14/month)
Migrate to Proton Mail, Proton Drive, Proton Calendar, Ente Photos, EteSync contacts, OsmAnd maps—all E2EE. Commercial tracking feeds government surveillance via data brokers.
Advanced Privacy Despite Authoritarianism
Harden your hardware (12+ hours, $900+ or free)
GrapheneOS on Pixel, Linux Mint (free) replacing Windows, GL.iNet router with OpenWrt for whole-home VPN & DNS-level adblock, optional Apple TV and Home Assistant.
Secure your digital footprint (3 hours, $15/month)
Pseudonyms via Bitwarden, SimpleLogin email aliases, Privacy virtual credit cards, delete PayPal, opt out of financial data sharing, local LLMs or Apple Private Cloud.
Advanced mobile & travel security (1 hour, free)
LibRedirect privacy frontends, disable Bluetooth/Wi-Fi scanning (beacon tracking), disable 2G (stingrays), disable AirDrop, turn off devices at borders, generic device names.
Medium-term strategic shifts
Emergency cash reserves (the regime threatens financial warfare), migrate Slack to Element (E2EE Matrix protocol), gradually leave X for Bluesky/Mastodon (federated censorship resistance).
The rest of the post is on my website. The main reason is that my site offers checkboxes to track progress on the many detailed recommendations. Continue reading here.
Another great resource for privacy is https://privacyguides.org. I assume most of the recommendations there are approximately the same, but they may list additional private alternatives for some software.
I used to be pretty active in the online privacy community (PrivacyGuides, GrapheneOS, etc.) and I’ve seen a LOT of absolutely terrible misinformed privacy advice. Your guide doesn’t seem to parrot any of that, which is really refreshing to see.
From a quick glance, there are only two (pretty minor) issues I can find in your guides:
Your VPN section explains how VPNs hide your activity from the ISP, but it doesn’t seem to mention the fact that they just shift the trust from your ISP to the VPN provider. Yes, Proton is definitely more trustworthy than ISPs in authoritarian countries, but I think it should still be mentioned that VPNs don’t make you anonymous and you still need to trust a third-party with your traffic.
You recommend F-Droid for app downloads, which is fine, but it has some fundamental security issues and it’s considered better nowadays to use things like Obtainium. See here and here for more information.
Thanks so much. I’ll update the guides on both counts. I’ll also add in a section on Tor.
Furthermore, Proton claims to keep no logs of your activity and has its no-logs implementation independently audited.
Yeah, of course, all trustworthy VPNs will do that, and I do generally believe that Proton actually doesn’t keep your traffic logs. It’s just that a lot of other VPN companies, like Nord or ExpressVPN, have very aggressive online marketing campaigns where they push false claims, like the claim that using a VPN can make you completely anonymous or even somehow protect you from getting hacked. This leads to most people’s understanding of VPNs being “it’s an app that changes my Netflix country and protects me from all evil”.
So I think it’s good to clarify that there is still trust involved in using a VPN, even if that trust is unlikely to be broken.
Good work.
I do really mean that it’s good stuff. Most people would be a lot better off if they did it. But of course it’s traditional to whine.
On contacts, do you want to remind people that their associations can still be identified through the associates’ contact lists? People give out their contact information like it’s going out of style. Not to mention doing things like uploading metadata-laden pictures with your face in them, and probably other things that would come to mind without too much searching. It’s really hard to keep people from leaking information about you.
I know it’s hard to tell people not to use so many damned cloud services, but jeez do people use too many damned cloud services these days. Not only is whatever you put on one of them exposed to anybody who can infiltrate or pressure the operator, but, since they tend to get polled all the time, each of them is another opportunity to get information about what you’re up to.
Calling Proton Mail “E2EE” is pretty questionable. Admittedly it’s probably the best you can do short of self-hosting, but there’s a lot of trust in Proton. Not only do they handle the plaintext of most of your mail, but they also provide the code you use to handle the plaintext of all your mail.
Signal is surely the best choice for centralized messaging, and in the past I wouldn’t have said that normal people (in the US) needed to be worried about traffic analysis… but it’s not the past and I’m not sure normal people in the US don’t need to be worried about traffic analysis. The legal protections that have (mostly) kept traffic analysis from being used for civilian mass surveillance look a lot less reliable now. Using a centralized service, with a limited number of watchable servers, makes it relatively easy to do that, even if you do it via a VPN and even if the servers themselves are out-of-country. Session, Briar, or Jami might be alternatives. Of course, the reality is that you can only move to any of these if the people you communicate with also move.
Migrating from X to Mastodon or Bluesky gets you some censorship resistance (although note that Bluesky isn’t really effectively federated). Nostr would get you more, at the cost of a worse experience and, in my opinion, a much worse community. But, especially since this is a privacy guide, maybe what most people should really be doing is thinking hard about what they really need to trumpet to the world.
I think there are probably occasions when even relatively normal people should be using Tor or I2P, rather than a trustful VPN like Proton or Mullvad. [And, on edit, there is some risk of any of those being treated as suspicious in itself].
I’d be careful about telling people to keep a lot of cash around. Even pre-Trump, mere possession of “extraordinary” amounts of cash tended to get treated as evidence of criminality.
Yeah. The original article addressed the issue but buried the lede. Will update:
IMO—Not Proton’s fault, just how email works sadly. I also warn that most emails will be read by authorities via other access points.
Yes, but the code is open source and independently audited. I don’t see why I should call this out as a trust deficiency in particular.
Yeah, I agree. I’m adding a section on Tor.
Thank you. I’m now planning to advise that people keep a small amount of cash (< $2,000) in a fireproof safe with receipts of legitimate withdrawal. High-risk individuals should ultimately consult with asylum experts.
… which is as good as it gets in most cases. I am not saying I have a better alternative for most people.
But the thing is that supply chains are hard. When you use Proton webmail, do you actually verify that the JavaScript they serve to you is actually the same JavaScript they had audited? Every time? And make sure it doesn’t get changed somehow during the session? If you use the Proton proxy, do you actually rebuild it from source at every update? Even with reproducible builds (which I don’t know whether they use or not), how many people actually check? Another person’s checking does add some value for you, but there’s a limit, especially if it’s possible to guess who will check and who won’t.
Worse, how many “normal” people can actually check? How many can even keep all the issues straight in their minds? Lots of professional programmers get simple PKI issues wrong all the time. PKI is a strict subset of what you have to worry about for supply chain.
So, yeah, you can use that stuff, but by the time you get to the point where you’re actually getting much assurance out of the source code access or the audits, I think it’s more complicated than self-hosting a mail server (which I’ve done for probably about 30 years). Of course, with self-hosting your deliverability goes to hell, and you’re still relying on an incredible amount of software, but you get some protection from the sheer chaos of the environment; it’s usually not so easy for the Bad Guys to actually get the data back reliably and inconspicuously, especially for untargeted surveillance.
If I added hedges about every similar possibility of supply chain attacks due to e.g. non-formally verified build signatures, the guide would grow bloated for reasons outside the comprehension and threat model of the vast majority of my readers. So while I agree with you about the possibility, I don’t think it’s relevant for me to note in the text. (Maybe you agree?)
Yep.
Slight format stumble: upon encountering a table with a “Cost of tier” column immediately after a paragraph whose topic is “how to read this guide”, my mind initially interpreted it pretty strongly as “this is how much it will cost me to obtain that part of the guide”. Something like “Cost of equipment & services” would be clearer, or “Anticipated cost” (even by itself) to also suggest that the pricing is as observed by you at time of writing (assuming this is true). You could also add a sentence like “The guide itself is free of charge, but some of its recommendations involve purchasing specific equipment or services.” to the previous paragraph.
I am a US citizen who opposes Trump. I follow the political situation closely and I would consider my threat-level to be low to very low. Why do you think the threat-level is medium?
btw I appreciate the privacy guide.
I’m guessing you think “I’m a citizen. I don’t break laws. I’m not in a directly targeted group. I’m low risk.”
You might be thinking about risk as binary—either you’re targeted for arrest/elimination, or you’re safe. The thesis isn’t “you might get swept up.” The thesis is: “The ‘medium risk’ assessment is based on the principle of ‘authoritarian creep.’” The tools and tactics normalized against one group (immigrants, protesters) invariably get turned against the next, less-popular group.
Disclaimer: This comment is AI-written but human-composed. I spent over an hour thinking about your question, articulating my views, dialoguing with the AI, fact-checking its claims, and adding new content. It’d be a big pain to rewrite everything myself and I want to finish up thinking about this for now, so posting as-is.
Authoritarian regimes exert control in two ways:
Targeted threat against actively persecuted groups (you aren’t here yet), or
Widespread fear against all who disagree with the regime (you absolutely belong to this).
You say you oppose Trump and follow politics closely. That means you have political awareness and opposition. Under ambient fear tactics, you don’t need to be individually hunted down—you just need to know that your legal status won’t protect you if you’re inconvenient.
The infrastructure for widespread fear already exists
Citizen status doesn’t ensure protection
Over 170 US citizens have been wrongly detained by ICE, including George Retes, an Iraq war veteran whose ID was in his car mere feet away but who spent three days in jail with pepper spray burns, unable to make a phone call or speak to a lawyer. He wasn’t charged with anything. He was just released with no explanation.
And how hard would it be for ICE to flip an entry in a database?
Court orders don’t ensure protection
Trump has threatened to invoke the Insurrection Act to override judicial rulings. In Chicago, ICE continues to tear gas protestors and not wear identification in violation of a court order.
Congressional oversight doesn’t ensure protection
Twelve Democratic members of Congress filed a lawsuit after being denied entry to detention facilities in violation of federal law explicitly granting Congress the right to conduct unannounced inspections. Rep. LaMonica McIver was charged with “assaulting law enforcement” for trying to enter—charges she calls “purely political.”
Why this matters for you
ICE ignoring court orders in Chicago shows contempt for the judiciary. The Congressional blockade shows a contempt for the legislature. This creates an unchecked executive. An unchecked executive means all citizens have a higher risk profile, because the legal systems designed to protect you have been proven to be ignorable.
As Bruce Schneier notes: “If ICE targets only people it can go after legally, then everyone knows whether or not they need to fear ICE. If ICE occasionally makes mistakes by arresting Americans and deporting innocents, then everyone has to fear it. This is by design.”
You’re meant to be chilled. Maybe you won’t be put in a camp. Maybe you’ll never be arrested. But maybe:
You’ll lose your job for expressing political views online
You’ll face legal harassment even if charges are eventually dropped
You’ll self-censor because you know opposition has consequences
This is what 1950s McCarthyism looked like—most people weren’t jailed, but thousands lost jobs, were blacklisted, had their lives destroyed. The threat didn’t need to be execution; it just needed to be real enough to make people shut up.
Medium risk means: You probably won’t be individually hunted down. But you absolutely could face consequences—detention, job loss, legal harassment, having to lawyer up even for bullshit charges—for being a visible Trump opponent. The goal isn’t necessarily to arrest you. The goal is to make you wonder if sending that frustrated text message, or writing that Google Docs comment, or making that donation will put you on a list. The goal is to make you self-censor.
You’re politically aware enough to understand what’s happening. You openly oppose Trump. The system has demonstrated it will ignore your legal protections when convenient. That’s not low risk, that’s medium risk—the infrastructure exists to grab you if you’re inconvenient, and your citizenship won’t stop them.
I don’t know if it’ll get to camps. I don’t know if it’ll get to purges. But I know the ambient fear infrastructure is already functioning, and you’re in the category of people it’s designed to intimidate.
That’s why I recommend taking precautions now, as listed in the article.
I read this as government actions will be taken to persecute me and/or government actions will be taken to make me afraid. I only care about the first category. Whether or not I’m afraid is entirely within my power. I could be actively persecuted and still choose to not be afraid.
News is really bad right now and LLMs don’t help.
That link description is misleading. That article does not claim that. The article states that they found 170 citizens that have been factually detained by ICE. ICE may detain US citizens without a warrant for searches and arrests if conditions are met (see Powers without warrant section a4 and a5 as well as Searches without warrant). If you hit an ICE agent then they may detain you. Some people in that article were wrongfully detained but 170 is not the number.
That is misleading. He was not arrested under suspicion of being an illegal alien so the ID part is irrelevant. ICE was in the process of clearing a protest. He may have been detained for BS reasons but it’s still important to distinguish between arresting someone under suspicion of being an illegal alien and other suspicions.
I wish you were more specific here. It could actually be pretty hard for ICE to flip an entry in a database depending on the database we’re talking about. Mobile Fortify draws from several databases and I don’t think ICE has overwrite access to any of them.
If this claim is true then there would be direct evidence of that happening. There should be no need to rely on word of mouth. From what I’ve read they only run the app when a suspect does not provide an ID.
I won’t go over everything. I agree with the fact that checks on the executive are under attack.
A chilling effect may be the intention but it’s not the reality.
The No Kings Protest on October 18th may have been the largest protest since 1970. There were at least 5 million people in it. I have a lot of uncertainty about the future but the environment is not breeding a lot of docility or much of any of the psychological conditions necessary for a successful authoritarian.
Not knowing about security or threat modelling, something I’ve wondered is how much engaging in privacy protection makes you “stand out”. Maybe someone knowledgeable can comment about it. At what point does it make sense to worry that using a VPN “flags you” to an authoritarian government? If government surveillance can tell there are individuals engaging in privacy enhancement, either by reduction of activity on non-private things or by the use of private services themselves, what is left to do?
This guide is incomplete and probably focuses on the wrong things.
The best privacy/security guide I am aware of is Michael Bazzell’s book. Michael Bazzell is a former computer crimes investigator, and his methods are red teamed at least in the sense that he works with e.g. people with extremely determined stalkers, and possesses interesting failure stories.
Some things that book goes over that this doesn’t:
How to buy your home/car/P.O. box with LLCs and keep them out of your name, how to get a SIM card not tied to you personally.
The who/what/where of how your personal information (incl. address, phone number, etc.) gets collected in the first place, and ends up in public databases (which of course the government also leverages). What you can do about data already there, to the extent that you can do something.
(For people in really advanced situations) How to disinform in a way that actually works & ends up poisoning records, for example by taking up an electricity bill inside a building you don’t own.
Obviously the government has capabilities that private individuals don’t, so maybe the threat model here is different. For the most part though I would say that people’s biggest privacy/security risk is that there are infinity public databases with all of their personal information, and anybody with a credit card can pull up their address. Stopping the inflow to those should be priority #1 and the solution isn’t even really that digital, it’s just arcane legal procedures.
Very interesting and actionable guide.
I have two questions (maybe I’ll have more later):
Is it possible that the government shuts down Bitwarden, or the country where someone uses Bitwarden blocks it, and then the user loses access to all passwords?
Why Proton Authenticator and not Bitwarden Authenticator?
See also: US govt whistleblower guide, US govt whistleblower database
How did you find all of this out?
I don’t know about others, but I was a little put off by the mention of “password managers” in the beginning since that’s handing over the keys of your privacy to external powers. This hurt my expectations of the rest of the essay. It might be good, but I don’t think it could teach me anything new. By the way, at first I thought reading your essay would cost money. You might want to reword the tier list.
I also don’t like the political tone as the examples aren’t general enough that readers from any country would agree with it, it seems to assume that the reader is an American liberal who cares deeply about recent issues and has similar values to yourself. The assumptions are also wrong—low threat level if you support Trump? Try asking 8chan users if they think the government is on their side.
Your guide recommends Brave—do you know that Brave uses Google and Cloudflare and that it has built-in telemetry? To anyone who valued their privacy on the internet 15 years ago, modern privacy-focused software is a joke. There’s also more advanced topics you might want to research, like using software to rewrite one’s messages to get rid of one’s personal ‘fingerprint’. If somebody’s grammar is wrong, the manner in which it’s wrong can hint at their country of origin. Do you know of that one famous GeoGuessr guy? What he’s doing is possible with more than just locations.
You fundamentally misunderstand the nature of Bitwarden password management. Bitwarden is zero-knowledge end-to-end encrypted:
They are also open source and regularly audited. You can also self-host.
Bitwarden does seem more local than I initially assumed. I modeled it as trusting another entity with one’s master key. Ideally, all reliance on external services shouldn’t require you to trust them, it should be mathematically impossible for them to betray you by design. A purely mechanical lock, for instance, cannot be hacked remotely. Self-hosting is superior to trusting other services, and the open source nature reduces the chance that it’s backdoored by quite a lot.
Mathematically, if I have one unique password that nobody else knows or can know (because it’s never used on any websites), and I use that to generate other passwords in an irreversible manner, then I can get away with remembering just one password, while still using hundreds of unique passwords on different websites. This might be what Bitwarden does, in which case the only causes of concerns left are hardware backdoors and quantum computers. Doesn’t get much better than that.
Password managers are absolutely best practice and have been for at least a decade. Humans can’t remember that many good passwords, which means that the alternative to a password manager is basically always password reuse, which is insane. I will admit that I use keepass variants, and that I myself wouldn’t recommend any password manager (or much of anything else) with a cloud component, but some password manager is necessary. You can also use many of them for 2FA tokens.
I don’t use Brave either, and don’t know specifically what it uses Google or Cloudflare for… but an awful lot of the Web goes through Cloudflare nowadays regardless of your browser, and unless you’ve added a bunch of technical and easy-to-screw-up stuff, probably at least as high a proportion will cause your browser to download stuff from Google (and other places) at every visit, allowing them to track at least what “major” sites you’re hitting. Ad tracking is definitely a big deal, and the guide doesn’t address it, but browser choice is kind of down in the noise unless you’re going to go all the way and resort to Tor plus a whole bunch of this and that blockers.
The problem is that such software isn’t very widely used, may or may not actually remove your “style”, and tends to add its own “style” that makes you stand out as a user of it. And the content of what you say can also give you away. Really the right answer there is not to say anything you don’t need to say, or at least not anything you wouldn’t want to sign your name to, package up with everything else you’ve ever said, and mail to the worst possible people. Or at least not to anybody who doesn’t (a) need to hear it and (b) have the capacity and inclination not to leak it. Which is going to be a pretty short list.
I’d counter that you can in fact memorize ~arbitrarily many good passwords if you:
Use a procedure that generates passwords that are high-entropy but memorable.
A memorability-enhancing improvement on the common “generate N random words” is “generate N random words, then add more words until the passphrase is grammatically correct”. (Important: don’t rearrange or change the initial random words in any way!)
E. g., “lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”.
This doesn’t reduce entropy, since this is at worst an injective approximately deterministic function of the initial string.[1] But, for me at least, it makes it significantly easier to recall the password (since that makes it “roll off the tongue”).
Use spaced repetition on them. Like, literally put “recall the password for %website%” in an Anki deck. (Obviously don’t put the actual password there! Just create a prompt to periodically remind yourself of it.)
I’m not actually doing that for all my passwords, only for a dozen to the more important stuff.[2] But I expect this scales pretty well.
[1] Well, technically, this is only approximately injective: the worst case is that adding words to two random sequences would map them to the same phrase. E. g.:
“lamp naval sunset TV” → “the lamp allows the naval sunset to watch TV”
“lamp naval watch TV” → “the lamp allows the naval sunset to watch TV”
But I posit that this would never happen in practice.
[2] I also use KeePass for the rest, sync’d through ProtonDrive. The fewer cloud services you have to trust, the better.
I have more than 200 passwords now I think, and I’m starting to forget some of them. A password manager would probably be ideal if it could run completely locally, so that it’s not an online service, but rather a cryptographic program which uses a master key to generate sub-keys.
There’s an article with some criticism of Brave here. It looks like it’s written by somebody who has been on the internet too long and who doesn’t trust anyone or anything, but that’s exactly what I like about it.
Speaking of which, I don’t like the mindset “Oh well, you can’t avoid all these tech giants, so you might as well give up and let them collect whatever they want”. Almost all “alternative browsers” are just Chromium or Firefox under the hood, and almost all “alternative search engines” are just Google proxies (metasearch engines).
There’s enough information out there to uniquely identify like 95% of users across almost all services, but our footprints are just considered noise; the FBI doesn’t care if somebody downloads a song without paying for it. Now, consider what will happen once AIs can process all of it, and each person can be assigned a “digital FBI agent” to watch over them.
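The scheme two of the comments above describe (one memorised secret, run through a one-way function to produce a different password per site, with nothing stored) looks like this in practice. This is an added example, not part of the thread and not Bitwarden's design, which the reply below describes as an encrypted vault; the function names, iteration count and alphabet are assumptions of this sketch.

```python
import hashlib
import hmac
import math
import string

# Assumed parameters for this sketch; they are not taken from any product.
KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"  # 72 symbols


def master_key(master_password: str, user_id: str) -> bytes:
    """Stretch the single memorised secret into a 32-byte key.

    user_id (e.g. an e-mail address) is the salt, so two people with the same
    master password still get unrelated keys. Nothing is written to disk.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        user_id.lower().encode("utf-8"),
        KDF_ITERATIONS,
    )


def _keystream(key: bytes, info: bytes):
    """Deterministic byte stream: HMAC-SHA256(key, info || block counter)."""
    block = 0
    while True:
        yield from hmac.new(key, info + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive the password for one site from the stretched key.

    One-way: a password leaked by a breached site reveals neither the key nor
    any other site's password. `counter` is the rotation knob: bump it after a
    breach. Remembering that counter is state the scheme cannot avoid, which
    is one reason vault-based managers exist.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    info = f"{site.strip().lower()}\x00{counter}\x00{length}".encode("utf-8")
    # Rejection sampling: drop bytes >= 216 so that byte % 72 stays uniform.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in _keystream(key, info):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


def entropy_bits(length: int) -> float:
    """Upper bound on a derived password's entropy.

    Guessing the master password yields every site password at once, so the
    effective strength is capped by the master password, not by this number.
    """
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    key = master_key("constructed example master passphrase", "alice@example.org")
    for site in ("example.com", "example.net"):
        print(site, site_password(key, site))
    print("rotated:", site_password(key, "example.com", counter=2))
    print(f"{entropy_bits(20):.1f} bits per 20-character password")
```

Changing the master password changes every derived password, and sites with their own composition rules need per-site exceptions; both are costs a stored, encrypted vault does not have.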
Bitwarden encrypts all data on-device with a key derived from your master password. The plaintext of your passwords is never sent to their servers. See their security whitepaper for a good detailed explanation.
The guide also recommends Arkenfox/Librewolf, and there is a checklist on how to disable all optional telemetry in Brave. I’m not really sure what you mean by Brave “using Google and Cloudflare”.
Yes, the appendix of the second article discusses geoguessing. Especially with powerful base models, authorial fingerprinting is concerning but out of scope for most of my readers.
EDIT: Whistleblowers should probably mask their writing, on second thought. Thanks—I’ll add this.
I should have been more clear what I meant here. “It’s possible with more than just locations” means that, just like you can uniquely identify any location on the planet if you can extract enough bits of information out of a picture, one can uniquely identify people if they can find log2(human population) ≈ 33 unique bits of information on them. Gender, for instance, is one bit of information