Threats

Three threats. Plain language. No fearmongering. Each one paired with a concrete move.

1. Data harvesting

Big Tech's business model is your data. Gmail, Drive, Photos, Maps, Search, the keyboard on your phone — the value flows from observing you, not from the software itself. The software is the bait.

This is the threat most people are most exposed to and least worried about. Not because it's small — it's huge — but because it doesn't feel like a threat. It feels like convenience.

What it actually does: builds a behavioral profile of you, sells targeting access to advertisers, trains models on your private content, and keeps the profile even if you delete the account. Some providers also legally hand the profile to law enforcement on request, sometimes without notifying you.

What we offer: migration paths to providers whose business model isn't your data — Proton, Tuta, Infomaniak, Murena, EU-jurisdiction storage. See deGoogle flows.

2. Structural surveillance

Governments dragnet everyone. The U.S. CLOUD Act lets U.S. authorities compel U.S. providers to hand over data even when that data sits in Frankfurt. The provider often can't tell you it happened.

This is not about whether you personally are interesting to a state. It's about whether the data flows you depend on are sitting in jurisdictions that respect your rights when you're not in the room.

Switzerland, Germany, France, Iceland, and Norway are the jurisdictions we lean on. Not perfect — nowhere is — but materially better than the U.S. for non-citizens.

What we offer: EU-jurisdiction-first stack, end-to-end encryption where possible, open-source clients you can audit (or pay someone to audit), and a grading rubric that takes jurisdiction seriously.

3. Hackers and theft

Someone steals your laptop. Someone picks up your phone in a café. Someone breaks into a service you use and your password ends up in a dump. This is the boring, non-political threat — and it's the one most likely to actually happen to you.

What we offer: bundled defaults, not a 40-item checklist:

Who you're protecting against — the four-tier adversary model

The three threats above are what. This section is who. The same defensive move that frustrates one tier of adversary is invisible to another — so it helps to be honest about which tier you're actually buying protection from when you make a change.

We use four tiers, ordered from hardest to defend against to easiest. Most readers should be aiming squarely at tiers 3 and 4; tier 1 is a different conversation and tier 2 is somewhere in between.

| Tier | Who they are | What they want / can do | What materially helps |
| --- | --- | --- | --- |
| 1 — State actors | National intelligence services. NSA-tier signals collection, allied services with reciprocal access, peers in adversarial states. | Bulk dragnet metadata, targeted plaintext interception, supply-chain implants, compelled-disclosure orders against providers in their jurisdiction. They can coerce many of the layers below them. | Honestly — jurisdiction more than tooling. EU jurisdiction, open hardware, open source, and a threat model that assumes the cloud is hostile. If you are a deliberate target, you need Advanced — not v1 of this site. |
| 2 — Corporate espionage & cloud providers with legitimate access | Competitors, contractors-of-competitors, U.S. ad-tech infrastructure, AI vendors training on your private content, cloud providers whose ToS lets them read for moderation / abuse / "service quality" purposes. | Read whatever sits in plaintext on a system they control or have a vendor relationship with. Aggregate behavioural profiles. In some cases, sell access to third parties under a different label. | Provider choice. Move workloads to providers whose business model is not your data; insist on E2EE where the data type allows; minimize how much sits on infrastructure you don't trust. This is where the grading rubric spends most of its energy. |
| 3 — Law enforcement (lawful process) | Police, prosecutors, regulatory bodies operating through subpoena, court order, MLAT requests across friendly jurisdictions. | Compel a provider in their jurisdiction to hand over what that provider can see. Critically, this is bounded by the judicial system above the request. In jurisdictions with multiple-judge oversight and adversarial process, this stays narrow. In jurisdictions with venue-shopping or rubber-stamp courts, the bound is much weaker. | E2EE limits what the provider can hand over, even under a valid order. Jurisdiction choice (EU over U.S.) shifts which legal system gets to compel. We do not aim to make lawful process impossible — see the note below on targeted-individual balance. |
| 4 — Lazy opportunists | Phishing kits, credential-stuffing botnets, laptop thieves, the friend who borrows your unlocked phone, casual snooping by service-side employees. | Whatever is easy. They don't have a model of you; they have automation against the path of least resistance and weakly defended targets. | The boring fundamentals: disk encryption, 2FA, hardware keys, password manager, locked screens, encrypted backups. This is threat 3 of the three threats above — the threat most likely to actually happen. |

Each tier requires a meaningfully different defence. A move that crushes tier 4 (a password manager) does nothing against tier 1 (NSA-tier collection). A move against tier 1 (libreboot RISC-V on a Swiss colo) is wildly disproportionate against tier 4. The art is matching defences to the tier you actually face on a given file.

Plaintext visibility — what privacy moves don't do. Most "privacy" tools (proxies, VPNs, anonymization) protect against traffic-level observers — tier 1 dragnet collection or tier 4 network snoops. They do not hide your content from the service you're sending it to. Without end-to-end encryption, the email provider, the cloud transcriber, the document app all read your plaintext directly. This is why the methodology insists on E2EE where the data type allows it — jurisdiction and provider choice are the controls that bound plaintext exposure once you're already a customer.
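
The difference described in the plaintext-visibility note, as an added example (not code from this site): one message is sent through an encrypted tunnel only, then with end-to-end encryption as well, and each party is checked for whether it can read the body. The HMAC-SHA256 keystream is a standard-library stand-in for a real AEAD cipher; the key names, address and message are constructed for illustration.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Encrypt then authenticate; returns nonce + ciphertext + tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or modified blob: nothing readable
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

BODY = b"Biopsy result attached, please call me."  # constructed sample message

def deliver(body, e2ee):
    """Return what each party holds after one message is sent."""
    tunnel_key = secrets.token_bytes(32)  # shared by client and provider (TLS/VPN hop)
    e2e_key = secrets.token_bytes(32)     # shared by sender and recipient only
    payload = seal(e2e_key, body) if e2ee else body
    on_wire = seal(tunnel_key, payload)        # all a traffic-level observer gets
    at_provider = unseal(tunnel_key, on_wire)  # the provider terminates the tunnel
    return {
        "network_observer": on_wire,
        "provider": at_provider,
        # routing metadata stays visible to the provider in both modes
        "provider_metadata": {"to": "bob@example.org", "bytes": len(at_provider)},
        "recipient": unseal(e2e_key, at_provider) if e2ee else at_provider,
    }

def reads_plaintext(body, e2ee):
    """True for each party whose copy contains the readable message body."""
    held = deliver(body, e2ee)
    return {who: body in held[who] for who in ("network_observer", "provider", "recipient")}

if __name__ == "__main__":
    for mode in (False, True):
        print("e2ee" if mode else "tunnel only", reads_plaintext(BODY, mode))
```

What the provider holds is also what it can hand over under an order: in the tunnel-only run that is the body itself, in the E2EE run it is ciphertext plus the routing metadata.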

A note on the targeted-individual balance

We are deliberately not building a stack that makes all lawful process impossible. That position is unusual among hardcore privacy guides, and it's worth saying out loud.

Targeted-individual surveillance under a sound judicial system — multiple judges, adversarial process, narrow scope, named subjects — is part of how a society stops terror, organized crime, and abuse cases. We don't want to build infrastructure that treats that as the same threat as bulk dragnet collection or ad-tech behavioural profiling. The two require different defences and call for different political stances.

What we are clear on: jurisdictions where venue-shopping, rubber-stamp courts, or single-judge ex-parte orders are routine do not meet that bar, and we treat them as closer to tier 1 (state actor) than tier 3 (lawful process). That distinction is the live wire under most of our jurisdiction recommendations. See About · Personal stance for the longer version.

What we don't address

The v1 site is honest about what's out of scope:
