Consumer Privacy & Opsec
What surveillance actually looks like in 2026, what data is collected about you, and what you can do about it.
37 posts in this cluster
Active Directory Tier Zero in 2026: The Privilege Boundary Every AD Audit Must Check
Microsoft's Active Directory administrative tier model turns 10 years old in 2026. Most enterprise AD environments still have not implemented it properly. Here is what Tier 0 means, why it matters, and the specific audit procedure that finds the gaps before attackers do.
DNS-over-HTTPS for Corporate Networks: The 2026 Tradeoffs
DoH in consumer browsers was the 2020-2023 story. DoH in enterprise networks is the 2026 story, with a different set of tradeoffs between user privacy, security monitoring, and content filtering. Here is how defenders should think about it.
How 200 Companies Learn Everything About You in 100 Milliseconds
Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.
iCloud Forensics: What Apple Actually Gives Law Enforcement
Your iPhone is the most private consumer device ever built. Your iCloud backup is not. A practical walkthrough of what Apple does, and doesn't, hand over when law enforcement subpoenas your account, why Advanced Data Protection changes everything, and the one-click setting most iPhone users still haven't enabled.
Ad Blockers That Actually Work in 2026 (and the Ones That Don't)
Google's Manifest V3 killed most ad blockers in 2024. Chrome now ships with gutted tracker-blocking capabilities. The good news: the good ones still work, they just aren't on Chrome anymore. A 2026 guide to the ad blockers that still meaningfully block ads and trackers, the ones that have been quietly neutered, and the DNS-level approach that works everywhere.
Google Takeout: The Full Audit of What Google Actually Has On You
Go to takeout.google.com and request all of your data. The archive will typically run 50 to 500 GB. It contains things you did not know Google was storing, including 10+ years of location history, every Google Assistant voice command, and a complete index of what you've watched, searched, purchased, and typed. A practical walkthrough of what's in there and what to delete.
Corporate VPN vs Personal VPN: What Your Employer Can Actually See
When your company has you connect to a VPN for remote work, that VPN isn't for your privacy. It's for your employer's visibility. Every DNS query, every HTTPS connection, every packet going through a corporate VPN can be logged and inspected. A practical walkthrough of what corporate VPNs actually do, what your employer sees, and why you should never run personal activities through them.
Your Kid's School Is Monitoring Everything: Gaggle, Bark, GoGuardian Explained
Your kid's school likely runs software that reads every email, monitors every Google Doc, scans every search, and uses AI to flag 'concerning' content. Gaggle, Bark, GoGuardian, and Securly are deployed in US K-12 schools covering roughly 20 million students. What the tools actually do, what they've gotten wrong, and what parents can (and cannot) opt out of.
Workplace Monitoring Software: What Your Employer Can Actually See
If you work remotely, there's a 70%+ chance your employer runs monitoring software on your work device. Hubstaff, Teramind, Veriato, ActivTrak, Time Doctor, and dozens more capture screenshots, log keystrokes, track location, and measure your productivity in ways most employees don't fully understand. What these tools actually see, what's legal, and how to know if you're being monitored.
Smart Home Threat Model: Every Device On Your Network, Every Attack Surface
The average American home now has 22+ connected devices: TVs, doorbells, thermostats, cameras, light bulbs, appliances, fitness trackers, each one a tiny computer with varying security postures. A practical walkthrough of smart home attack surfaces in 2026, the devices most commonly compromised, and the network segmentation approach that actually works for consumers.
Strava Heat Maps: How Fitness Data Exposed Every Secret Military Base
In 2018, a 20-year-old student noticed Strava's global heat map glowed in places it shouldn't: remote deserts, Arctic ice, supposedly-unoccupied Pacific atolls. He had found every classified military base on Earth by following soldiers who ran laps. Eight years later, Strava still leaks. A deep dive into fitness-data OSINT and what it means for your threat model.
Your Voice Is 3 Seconds From Being a Weapon: AI Voice Cloning in 2026
AI voice cloning scam success rates tripled in two years. The FTC logged 250,000 complaints in Q1 2026 alone, averaging $12,500 per victim. Three seconds of your voice is all it takes. A plain-English guide to how the attack works, who's being targeted, and three defenses that actually stop it.
AirTag Stalking in 2026: What Apple Fixed, What They Didn't, How to Detect One on You
Apple's AirTag launched in April 2021 and became the most efficient stalking tool in consumer technology history. Five years and several rounds of 'safety improvements' later, AirTags remain a significant personal-safety threat, particularly to women, domestic abuse survivors, and anyone whose address a stalker wants to find. What Apple fixed, what they refused to fix, and what to do if you think you're being tracked.
Your Ring Doorbell Gave Police Your Footage 11 Times Without Asking
Amazon Ring's integration with Axon and 2,500+ US police departments turned consumer doorbells into a warrantless surveillance grid. A data privacy and consumer cybersecurity investigation with opsec guidance.
Data Broker Opt-Out Guide 2026: Removing Your Personal Information From the Industry
The data broker industry is $200+ billion annually. Hundreds of companies compile your name, address, phone number, email, relatives, employer, court records, and more, then sell to anyone with a credit card. Most people can remove themselves from major brokers, though the process is tedious. A practical guide to manual opt-outs, commercial removal services, and ongoing monitoring.
Facebook Built a Profile on You Even If You Never Signed Up
Facebook maintains detailed shadow profiles of non-users through contact uploads, pixel tracking, and data broker feeds. You can't opt out of profiles you never agreed to create. A data privacy and consumer cybersecurity investigation.
Password Managers 2026: The Honest Comparison After LastPass
LastPass's 2022-2023 breaches cost users an estimated $438M in stolen cryptocurrency. Three years later, which password manager should you actually use? A practical comparison of 1Password, Bitwarden, Dashlane, Proton Pass, Keeper, KeePass, and Apple Passwords, ranked by threat model, architecture, audit history, and real-world usability.
Deepfake Detection in 2026: How to Spot AI-Generated Faces, Voices, and Video
Deepfakes cost companies $25M+ per incident. Here is what actually works for detection in 2026, what fails, and the step-by-step verification playbook we use on executive protection engagements.
Crypto Wallet Security in 2026: Hardware Wallets, Seed Phrases, and the $6.75B Lesson
North Korea stole $6.75 billion in crypto from 2021-2025 by targeting wallets, exchanges, and individuals. The attacks keep working because crypto wallet security has unforgiving failure modes. Lose the seed phrase, funds are gone; leak the seed phrase, funds are gone; keep keys online, funds are gone. A practical guide to wallet architecture, hardware wallet selection, seed phrase handling, and the operational security that actually keeps funds safe.
20 Billion Scans a Month: The Camera Network Watching Every Car
Flock Safety ALPR networks cover 4,000+ US municipalities. Your car's movement is logged without a warrant and shared across jurisdictions. A data privacy and surveillance explainer with opsec guidance.
Your Car Knows Where You Went Last Tuesday at 3:47 PM
Modern cars collect driving data, location history, voice recordings, and biometric data. Insurance companies buy it through telematics brokers. A consumer cybersecurity and data privacy deep dive into automotive surveillance.
Terraform State Files: The IaC Secret Store That Keeps Getting Leaked
A Terraform state file is a JSON document that contains the entire cloud infrastructure plus every secret Terraform touched while provisioning: database passwords, API keys, private certs, cloud credentials, often stored in plaintext. State files are being found in public S3 buckets, in Git repositories, in CI/CD artifacts, and in developer laptops on a weekly basis. A practical walkthrough of the exposure patterns and how to actually harden state handling.
Your Smart TV Takes a Screenshot Every Half Second
Smart TVs run Automatic Content Recognition (ACR) that fingerprints every frame on your screen, including content from HDMI inputs. Samsung, LG, Vizio, and Roku all face lawsuits over this surveillance. A consumer cybersecurity and data privacy explainer.
Helm Chart Secrets: Why Kubernetes Secrets Aren't Secret (And What To Do)
Kubernetes Secrets are base64-encoded, stored as plaintext in etcd by default, readable by anyone with namespace read access, checked into git as part of Helm charts, and leaked to CI/CD pipeline logs. 'Secret' is a misleading name. A practical walkthrough of what's wrong, how attackers exploit it, and the production patterns that actually protect secrets in Kubernetes.
VPN Reality Check: Who Actually Logs, Who Actually Protects
VPN marketing claims "military-grade encryption" and "complete anonymity." The reality is much narrower. A ranked breakdown of audited providers (Mullvad, Proton, IVPN, OVPN), providers caught lying in court, sketchy parent companies, and what a VPN can and cannot protect against in your actual threat model.
HashiCorp Vault Sidecars: When Your Secret Manager Becomes the Attack Vector
HashiCorp Vault's Kubernetes sidecar injector is the recommended pattern for fetching secrets in pods. It's also a consistent source of compromise paths. Pod compromise extracts Vault tokens from the sidecar. Token auth methods with over-broad role bindings let attackers pivot across the cluster's entire secrets store. A deep dive into the Vault sidecar attack surface and the hardening that actually prevents it.
Encrypted Messengers Ranked: Signal vs WhatsApp vs iMessage vs Telegram vs Matrix
Not every 'encrypted messenger' is actually encrypted. A practical comparison of Signal, WhatsApp, iMessage with ADP, Telegram, Matrix, Session, and SimpleX, including metadata exposure, jurisdiction, open-source status, and E2EE default behavior for data privacy decisions.
Appwrite Attack Surface: Anonymous Sessions, Bucket Enumeration, and the Mistakes Developers Make
Appwrite is the open-source alternative to Firebase and Supabase. Over 100,000 developers, self-hosted deployments at thousands of companies. Also: a recurring finding on our platform audits. Projects commonly ship with permissive defaults, anonymous session access, enumerable buckets, and readable collections that expose user data. A practical walkthrough of the attack patterns.
Seven Government Surveillance Powers You Have Never Heard Of
Geofence warrants, keyword warrants, tower dumps, Stingrays, NSLs, and Section 702 are the surveillance mechanisms that don't require a classical warrant. A comprehensive data privacy and opsec investigation into modern government surveillance.
ICE Built a $300 Million Surveillance Machine
ICE's $22 billion surveillance apparatus integrates DMV records, utility data, Palantir Gotham, and data broker feeds. A data privacy and surveillance investigation with consumer cybersecurity implications.
Digital Forensics: Exactly What They Can Pull From Your Devices
Cellebrite and GrayKey extract every message, location, authentication token, and deleted file from your phone when the device is in AFU state. A digital forensics deep dive into mobile security, BFU/AFU extraction, and GrapheneOS hardening.
What Police Can Actually Extract From Your Phone in 2026
Cellebrite and GrayKey extractions pull every message, photo, location, and authentication token from your phone. A digital forensics and consumer cybersecurity guide with opsec hardening tips.
Your iPhone Remembers Your Signal Messages Even After You Delete Them
Signal notifications on iOS expose message previews that survive device extraction even with disappearing messages enabled. A mobile security and digital forensics hardening guide.
Apple's Secret Feature That's Breaking Police Forensic Tools
Apple's iOS 18.1 Inactivity Reboot feature automatically returns iPhones to BFU state after 72 hours, blocking Cellebrite extractions. The biggest blow to mobile forensics since Secure Enclave. A mobile security and digital forensics analysis.
Your Government Buys Your Data Instead of Getting a Warrant
When the Fourth Amendment doesn't apply, government agencies buy your data from brokers. A comprehensive investigation into government surveillance workarounds and data privacy.
Passkeys vs Hardware Keys vs SMS 2FA: The Real Comparison
SIM swap attacks have stolen over $200 million from SMS 2FA users. Passkeys and hardware security keys are unphishable. A ranked comparison of every 2FA option: SMS, email, TOTP, push, passkeys, and FIDO2 hardware keys, for consumer and enterprise authentication security.
MinIO: When Your S3-Compatible Storage Lists Everything
MinIO is S3-compatible object storage widely used in self-hosted cloud deployments. Misconfigured anonymous access policies expose entire buckets to listing and download. We walk through detecting and remediating this during S3 and object storage penetration testing.
