This article applies to you if:

• You are concerned about mass surveillance

• You are concerned about your phone getting tracked by ICE during protests and in general

• You use an iPhone

• You use an Android, in which case, do the following below

  • disable 2G/3G connectivity on your Android

  • check app permissions for location, contacts, bluetooth, local network, photos

  • Before skipping past “Must dos (quick and easy for your iPhone)”, read the bullet point “iOS green text bubbles and phone calls over cellular network”

• You have a publicly viewable social media

• You either have a weak password, reuse passwords, or store them in plaintext

• You use Chrome, or a browser without adblock (such as Safari)

• You receive unknown calls and are unsure what to do

• You occasionally publicly post pictures of yourself online

• You haven’t frozen your credit with the three credit agencies

• You want to boost your technology security in general

I live with the settings shown in this article, and aim to balance practical use with privacy. In a nutshell, it tries to follow these principles:

• It must be invisible (you don’t notice it)

• It must be practical (you don’t need to babysit a setting more than once)

• If it’s painful, it’s only painful once (setup once, cry once, enjoy the benefits for the rest of your technology life)

• If it’s annoying, it’s annoying because there is no other way

Must dos (quick and easy for your iPhone)

• Privacy & Security -> Safety Check

  • Contacts - disable entirely. Typically, apps (usually messaging/platforms) have a “well-intentioned” way to “discover” others but almost always they upload your entire contact list to their servers. Only Signal makes a good intentioned effort to keep it secure but I personally don’t need nor allow

  • Location - only turn on for apps that are essential like navigation maps. Never turn on for one-off uses like Instagram posts. If it’s really necessary, always opt to use non-precise location and never allow location access in the background unless you absolutely trust the app

  • Bluetooth - avoid turning on as this can be used to fingerprint your location

  • Local Network - avoid turning on unless the app needs to connect to something on your wifi, or a gadget that has its own wifi

  • Photos - Never allow full access unless you trust the app completely. You can always enable partial access, and allow apps like Instagram to still add photos

• Privacy & Security -> Lockdown Mode -> Turn on

  • Android users: find a way to disable 2g/3g completely

• Privacy & Security -> Tracking -> turn all off

• Privacy & Security -> Analytics & Improvements -> turn everything off

  • especially do this if you use Siri or Dictation. Otherwise, your audio data gets sent and stored to Apple servers

• Screen Time -> Content & Privacy Restrictions -> Apple Advertising -> Don’t Allow

• Settings -> Face ID/Touch ID & Passcode

  • Stolen Device Protection, turn on to at least “Away from Familiar Locations” (to prevent anyone knowing your passcode from changing your Apple ID password immediately)

  • Under “Allow access when locked”, turn off everything but Notification Center and Lock Screen Widgets

  • If you have “Unlock with Apple Watch”, turn that off

  • If your phone has Face ID, turn on “Require Attention for Face ID”

  • Important note: gaining access to your phone passcode needs a warrant, but your Face ID and Touch ID do not. To quickly disable Face ID/Touch ID to unlock, hold side and power button to bring up power off menu. Afterwards, you’d need a passcode to sign-in. You can also do this by clicking power button 5 times, but make sure you have Emergency SOS turned off for “Call with 5 Button Presses” to prevent calling by accident.

• General -> Background App Refresh, and turn everything off

  • Almost always you won’t need it and almost all the time it’s a liability to your privacy and battery life

  • Notifications don’t use background app refresh so don’t worry about that

  • If you choose to selectively turn on, only do it to fix something broken, not because an app wants you to, and remember to turn it off for new apps you install

• (if you use iOS’s Mail app) Apps -> Mail -> Privacy Protection, then:

  • turn off “Protect Mail Activity”

  • turn on “Hide IP Address” and “Block All Remote Content”

  • This is to protect you from unknowingly sending read receipts to sender that you’ve received the email and opened it. When reading emails, there will be a prompt allowing you to choose to load images, but just remember you’re also letting the sender know you’ve opened it

• Turn off notifications for any app that is not needed

• iOS green text bubbles and phone calls over cellular network—all are wiretapped, saved, and analyzed by somebody (such as the government). Therefore, please do it over Signal, and do it as a habit, because:

  • SMS (green bubble) is incredibly insecure, and can be read by your cellular provider (or anyone that hacked into the cellular provider, such as China)

  • Government doesn’t even need a warrant—most likely the government has a secret NDA data-sharing agreement that the government pays the cellular network to simply hand over all your messages

  • Or somebody can simply hack their way in

    • Chinese Hackers Infiltrated US Telecom Networks, Dec 6, 2024

      • “Salt Typhoon hacking campaign [affects] more than 8 US telecom networks and is allowing Chinese hackers to spy on Americans text messages and phone calls”

    • For this reason also, avoid setting up 2FA using your phone number SMS, and use an Authenticator app instead (or your password manager’s OTP)

• iOS blue text bubbles—guarantee iMessage messages are encrypted only for you and the recipient

  • Settings->Apple Account->Contact Key Verification->Turn on (both of you have to do this)

  • Go verify each other by going to Message->a DM with your friend->Clicking on their profile on top bar, and go through process under “Advanced Message Security”

Notes about lockdown mode

• The what

  • disables 2G/3G connectivity which makes it more difficult for police to use “Stingray” to ID your phone from their car without approaching you

  • reduce ways which hackers can hack into your phone

• The why:

  • this might seem overkill but remember the US federal government approved a contract with Israel to develop sophisticated spyware for the US.

  • All it would take is a single zero-day zero-click exploit and you won’t even know they hacked into your phone

  • Turning on lockdown mode reduces what parts of iOS they are able to exploit

  • In the event something feels sus and you think malware is in the phone, rebooting your phone should clear it

  • With this in mind, always update your phone so discovered exploits can be blocked

  • For more info, search “ice israel spyware”

• side effect 1: some websites/apps will be broken (like special fonts not loading) because there are real instances of attackers using seemingly innocuous things like font files or calendar invite files to hack into computers and phones

  • For sites that are broken under lockdown mode, assuming you’re on Safari, click left of url bar, then three dots, then scroll down until you see “Lockdown Mode” and turn it off

  • For apps: Privacy & Security -> Lockdown Mode -> Configure Web Browsing

  • For Brave browser (which I use), try clicking on the shield icon, and turning on “Block Scripts” or use Safari.

• side effect 2: so far, on iOS 18, I’ve found I can’t search for Messages, view attachments other than images, and add favorites in the Phone app

  • To remediate: temporarily turn lockdown mode off to do those tasks. Should take 2-3 mins in total

• side effect 3: so far, on iOS 18, Airdrop between my Mac (Sequoia 15.5) and iPhone (iOS 18.7.2) doesn’t work

  • To remediate: use iCloud Drive to copy files, Notes app to copy text. If needed, you can always temporarily turn lockdown mode off.

Must dos (general)

• If you read emails on your browser or in an app like Gmail, find the setting for disabling loading remote images. The instructions below are gmail specific:

  • Gmail iOS app: click on top left hamburger button, then Settings->Email preferences->Images->choose “Ask before displaying external images”

  • Gmail web: Top right, click on gear icon, then “See all settings” and under General, Images->Ask before displaying external images

• If you have Signal and only use it for friends/family:

  • Signal->Settings->Privacy->Phone Number->Click on “Nobody” for both

  • Enable it briefly when someone adds you

• Personal social media accounts - set to private

  • Your personal Instagram: set to private

  • Your personal Reddit: https://www.reddit.com/settings/profile -> Curate your profile -> Content and activity -> Hide all

  • Repeat for Snapchat, Facebook, etc…

  • Why: search for “usa border social media screening”

  • How: specialized companies can scrape public information on your profile, tie it to your identity, then sell it to the government. All it would take then is an AI search like “search for social media accounts that criticize ICE”

• For Ring users, (please also share with anyone you know who has a Ring camera):

  • If you can afford to, unplug your Ring camera, and replace it with a closed-circuit surveillance instead. I personally use Ubiquiti Protect with Remote Access turned off, and use Tailscale to access it

  • Why: Flock and Ring signed an agreement on Oct 2025 to share data

    • Flock’s CEO pushes for a techno-surveillance state

    • Despite local/state police mandating that Flock data not be shared outside of the police’s jurisdiction, Flock has shown that they are more than willing to violate that to share data with federal law enforcement, such as ICE.

• Avoid regularly sending text messages/images over Facebook Messenger, Instagram, Snapchat. Since there is no end-to-end encryption, every text message, every picture/video you send, is analyzed by their servers. If you have to use it to communicate, use it with the assumption that the company and government can see it. Otherwise, use Signal instead

• If you can, switch away from WhatsApp to Signal. Below is why:

  • Signal only has two pieces of information: when you registered, and when you last connected. This has been proven with subpoenas from the FBI

  • WhatsApp messages have unencrypted metadata, and usually, that is enough to kill people, according to General Michael Hayden, former director of the NSA and the CIA in 2014

    • This article by EFF goes into great detail why unencrypted metadata (not just WhatsApp) is dangerous to your privacy. Below is the most relevant portion taken from the article:

      • Even a tiny sample of metadata can provide an intimate lens into a person’s life. Let’s take a look at how revealing metadata can actually be to the governments and companies that collect it. A telecommunications company may know:

        • You called the suicide prevention hotline from the Golden Gate Bridge.

        • You got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour.

        • You received an email from a digital rights activist group with the subject line “Tell Congress: KOSA Will Censor the Internet But Won’t Help Kids” and then called your elected representative immediately after.

        • You called a gynecologist, spoke for a half hour, and then called the local abortion clinic’s number later that day

  • Here is also a simple diagram comparing data collected between Signal, iMessage, WhatsApp, Messenger

• If you still have TikTok, delete your account. That platform was already egregious in data collection, and now under US oligarch leadership, is even more insane.

  • Below are the new privacy policy changes (taken from this reddit post Jan 26th, 2026):

    • Racial or ethnic origin.

    • Religious or philosophical beliefs.

    • Mental and physical health data.

    • Sexual orientation.

    • Transgender or nonbinary status.

    • Citizenship or immigration status.

    • Precise location data.

    • “Under the updated policy, it gathers what you provide, what it observes automatically, and what it receives from third parties. That includes account details and identity verification documents, private messages, drafts and unpublished content, AI prompts and interactions, clipboard content, purchase and payment data, contact lists and social graphs, and an extensive set of technical signals such as device identifiers, keystroke patterns, battery state, audio configurations, and activity tracked across devices.”

    • “TikTok states that it ‘identifies objects and scenery, detects faces and other body parts, extracts spoken words, and collects metadata describing how, when, where, and by whom content was created.’ Post a photo near the Golden Gate Bridge and you are not just sharing a moment. You are generating structured data about place, time, environment, and your body, or body parts.”

    • “Tik Tok will use all of the collected data, and maintains the right to sell all of it to interested third parties, from vendors to the federal government.”

  • They have also started censoring “anti-US” sentiment so the content on there will likely be biased and influenced towards “US-friendly” policies

• Make habit to remove tracking IDs in links. They can use this ID to know who shared it with who, even if you use Signal/encrypted messaging apps. Examples:

  • https://youtu.be/CI1GnF5H568?si=ACdF3B4O3aZdalc2

    • delete "?si=ACdF3B4O3aZdalc2"

  • https://www.youtube.com/watch?v=CI1GnF5H568&si=ACdF3B4O3aZdalc2

    • delete "&si=ACdF3B4O3aZdalc2"

  • https://www.instagram.com/reel/DUgSkSRCedC/?igsh=aXNweXV3aXRobXlpZA==

    • delete "?igsh=aXNweXV3aXRobXlpZA=="

at this point, that’s all the easy ways to quickly clamp down on your exposure. But if you want to greatly enhance your security not just against the federal government, read on

must do (pain once) - freeze your credit

In case you weren’t aware, a bunch of Americans’ SSNs got hacked already. (Search for “ssn hack”). If yours haven’t yet, it is only a matter of when, not if.

For each 3 credit agencies, make account first in the right place, and don’t subscribe to any free trials. The free trials look like “Get your free credit report” or “Subscribe for monitoring”.

I’ve put the links here so you don’t have to hunt for the right places yourself:

• TransUnion: https://members.transunion.com/unifiedlogin

  • Credit freeze: https://service.transunion.com/dss/freezeStatus.page

• Equifax: https://my.equifax.com/membercenter/#/login

  • Credit freeze: https://my.equifax.com/membercenter/#/freeze

• Experian: https://www.experian.com/help/login.html

  • Credit freeze: https://usa.experian.com/mfe/regulatory/security-freeze

good to do - reduce malware risk from browser extensions

• Check your browser extensions (for chrome, it’s “chrome://extensions”)

  • For extensions needing full site access to everything other than ones you absolutely trust (for me I only trust uBlock Origin, 1Password, Tampermonkey), set “Site access” to “On click”

  • If that seemingly innocent extension “QR scanner” or “Page ruler” or “ChatGPT Saver” or “xyz VPN” is requesting permissions to access something invasive like your entire browsing history, delete it. If you have to install it, do it on another browser profile.

  • On this note, I personally find great alternatives by installing “Tampermonkey” and looking up “’thing i need‘ github tampermonkey”

• Why: There was a case where a VPN extension was selling your ChatGPT conversations, claiming to be all part of “analytics”

  • Extension had 4.7 stars, 58.5k ratings, and 6 million users

  • Extension might not be malicious today, but it might become malicious in the future, just like what happened to this VPN extension

  • 6:39, Seytonic - SUED For Screenshotting Your TV (Every Second)

• If you (or know anyone else) have installed Honey, or any other coupon extension, uninstall it, because these coupon extensions:

  • are incredibly invasive on your privacy. They track how you shop across different websites (and who knows what else)

  • known to steal commissions from real YouTubers

  • nobody wins, not you the consumer, not the promoters, not business, except the coupon extension company

  • search “megalag honey” for more info

good to do - avoid google storing your online activity

• https://myactivity.google.com/activitycontrols

  • Web & App Activity -> off

  • Web & App Activity -> Manage all Web & App Activity -> Delete (if you don’t care about your data preservation)

  • Timeline -> off

  • Personalized ads -> off

  • For YouTube, I haven’t found a good alternative for YT algorithm recomendations, so I’m keeping this on for now. If you don’t care, turn this off

  • if you want to archive your data before deleting, do this first: https://takeout.google.com/

good to haves - iOS’s Advanced Data Protection

Although iMessages is encrypted, your iMessage data backup isn’t.

The good news is in the US, police (usually) need a warrant to get this data. The bad news is eventually, sooner or later, some authoritarian government will find a way to force Apple to hand it to them.

You can be rest assured turning this on is effective. Just search for “UK apple advanced data protection” and you will be assured of its effectiveness.

However, you and the ones you message both need to turn this on.

• Settings->Apple Account->iCloud->Turn off Access iCloud Data on the Web

• Settings->Apple Account->iCloud->Advanced Data Protection->Turn On

  • I recommend using a password manager for this

  • if you don’t have a password manager, print a hard copy of this and put it somewhere safe

good to haves - password manager (setup pain once, peace of mind for as long as you live)

If you don’t use a password manager, you likely either:

• reuse passwords

• use a weak predictable “way” to make passwords for each site

• forget your passwords

• store your passwords in a plain text file

• have hyperthymesia

Why not plain text: first thing after hacker gets into your computer is search for your “passwords.txt” or similar. One hack into your laptop, and all your accounts/important details are cooked.

Why not reuse passwords: if you reuse password across 20 accounts, all it takes is 1 account getting breached to breach your other 19 accounts. It’s a matter of when, not if. (you can check if you got hacked here: https://haveibeenpwned.com)

Why password manager: you only need to remember one complicated password. Also, it can auto detect if one of your saved passwords was in a data breach

Why not use iCloud Keychain, or similar:

• not cross platform. If you have iOS phone, and Windows, it won’t work

• doesn’t store notes or files, only passwords

• having a dedicated password manager makes you form the habit of putting all incredibly important sensitive information in one secure place instead of creating another insecure note

What to do:

• Use password manager. I recommend and personally use 1Password. Don’t use LastPass. For the nerds, BitWarden if you want to self-host.

• Print your emergency kit PDF as a hard copy and put it somwhere safe

• Download Google Authenticator on your phone, turn on 2FA OTP, add it to Google Authenticator, export the QR code backup, and print it out as a hard copy

• Destroy those files that you just printed out as a hard copy

• Don’t save your 1Password master password inside of your 1Password. Make sure accessing 1Password, in case of recovery, is accessible only through hard copy

• Change all your passwords. Dive into your iCloud Keychain, Google Password Manager, Samsung Pass, etc...

  • In case you didn’t know, Google Password Manager stores all your passwords in such a way Google (and law enforcement with a warrant) can access it

• Move all your notes with sensitive information to 1Password

good to haves - reduce ad tracking and personalization

Ad tracking and personalization seems useful on paper... until it’s used against you. There are companies buying ad tracking data in bulk, finding a way to link the advertising IDs to you, packaging it nicely, and selling it to someone unsavorable like Palantir and the government (by extension).

…Or companies don’t even need to buy ad tracking data in bulk. A hack exposed a company exploited the ad bidding process to listen in, collecting data. This included location data, so the tool provided historical location data, and enables law enforcement to draw a rectangle at a given area, specify a time/date range, and get all the people that were pinged at that location.

• ditch Chrome,Safari,etc... Use Brave on your phone/laptop/tablet. As a bonus, you get:

  • ad-free youtube

  • ad-free browsing, decreasing chance you accidentally download malware

  • tested protection: https://coveryourtracks.eff.org

• for search engine, there are multiple options each with tradeoffs:

  • Kagi with Kagi Privacy Pass

    • I personally use this, but you need to pay $10/month. I primarily use this because I want a search engine that prioritizes quality results over quantity. They actively find ways to decrease AI slop and ad spam (e.g. listicles) in results and looks to be one of the only search engines that tries to be a good search engine

    • Pros: great search and privacy. better than Google most of the time

    • Cons: cost $10/month

  • DuckDuckGo

    • Pros: Good privacy and free

    • Cons: not so great search

  • Google without AI slop (still has ad tracking, but I’m putting it here for those that don’t mind the tracking for now, but can use an improvement to search)

    • to setup (for chrome): go to your browser settings, under search, disable Google, then add

      • Name: Google (better)

      • Shortcut: google

      • URL: https://www.google.com/search?udm=14&peek_pws=0&q=%s

    • Make sure to go to myactivity.google.com and turn off Web & App Activity

    • Pros: free. Disables search personalization and gets rid of AI and shopping widgets

    • Cons: still tracks you, and still has ads

General tips - receiving calls from unknown numbers

• Turn on Silence Unknown Callers (so they don’t get to interrupt your attention)

• If you’re really curious who calls you, I use https://should-i-call-back.org (I made the site)

• People can spoof numbers, (e.g. phone will say “Dad” but it’s not actually from your dad), so always call back the number if you get suspicious and “Dad” doesn’t sound like your dad. (If you use Signal, you won’t ever have this problem)

• Otherwise, normalize using Signal to text/call among your friends and family. Remember that every phone call you make over cellular network is a phone call wiretapped, recorded, and saved by the federal government (and hackers from China)

General tips - never post your pictures publicly online

• At end of December 2025, creeps online are using Twitter bot Grok’s Imagine tool to undress photos of women publicly. It is still happening as of today Jan 24th, 2026, just that they locked it behind a paywall

• AI deepfake tools are incredibly accessible to the general public. This means they can take a couple of photos of you, and create a video of you saying/doing something you didn’t.

• There are also dedicated AI tools just to undress people in photos

• Also to let you know, voice cloning is a real thing (search ElevenLabs), so make sure to avoid using voice ID on banks to avoid getting hacked, and let your friends and family know about this, so if they hear a person that sounds like you, have other ways to verify it’s you

keeping yourself informed on hacks, current technology scene, how companies are screwing the uninformed

Why you should be informed: develop your technological “sense” so you can develop your “gut” feeling for sus behavior from companies, products, etc...

My criteria for picking out who to follow/listen always boils down to the following. They always:

• Report sources

• Report possible assumptions, biases, and possibilities

• Have a clear vibe that they are always looking to learn

• If there’s clickbait, it’s ONLY in the title and/or thumbnail

Now for my list:

• YouTube: Seytonic - hacking news on major data breaches, exploits, discovered zero-days, etc... I like it mainly for its deep dive into technical details rather than a “data breach XYZ, end of story”, so I can understand how to protect myself.

  • Effects on me: understand the reality of how dangerous and easily technology can be exploited

• YouTube: Louis Rossmann - news on how companies are screwing people with subscriptions, bait-and-switch terms of service

  • Effects on me: understand common consumer traps of companies, importance of offline devices, how low companies can go if you let them, and how to protect myself

• YouTube: Daniel Boctor - my recent subscription. Relevant news on papers, hacking, technology, etc... Does deep dives on important topics

relevant sources

3rd party tracking location leaking

• Seytonic - Hack Exposes Which Apps Leak Your Location

IDing your phone from a distance by downgrading your cellular network to 2g/3g

• Benn Jordan - Gadgets For People Who Don’t Trust The Government

• Seytonic - Phone Surveillance Exposed

Vulnerability that allows you to track when you use Signal/WhatsApp and when you pick up your phone

• Seytonic - Hacking ‘heart emoji’ to Track ANY WhatsApp or Signal User

UK does not like Apple’s Advanced Data Protection

• Seytonic - UK Wants Apple to Ruin Everyone’s Privacy

Flock and Ring affiliation with law enforcement

• Daniel Boctor - Flock & Ring

US government tracking US citizens that protest

• Exclusive: ICE’s Secret Watchlists of Americans