Where I stand
I have been a long-time supporter of the Electronic Frontier Foundation and a long-time user of OpenPGP / GnuPG. I think privacy is a precondition for a free society — not a luxury feature, not "something you only need if you have something to hide", and certainly not a cost centre to be optimised away. I think the steady creep of mass surveillance, undisclosed data brokerage, and "lawful intercept" framed as a national-security imperative is one of the defining harms of our time. I think individuals are not powerless in the face of it.
This page exists because the canonical English-language work on practical privacy — the EFF's Surveillance Self-Defense, Privacy Guides, and others — is excellent but is largely written for an American reader. The UK has its own legal landscape (UK GDPR, the Investigatory Powers Act 2016, the open electoral roll, Companies House's strange position on directors' addresses, the various data-broker regimes), and the resources here are written for that context.
If you only ever do one thing on this page, do the OSINT self-audit. It will surprise you, and it is free.
If you are reading this and feeling overwhelmed, here's the smallest possible useful next step depending on what you are most worried about:
- "I have no idea what's already out there about me." Run the OSINT self-audit. Allow yourself two hours. Take notes. Don't act yet — just look.
- "I want to send and receive email that nobody else can read." Read the PGP primer, then come back and drop me an encrypted line as a practice run.
- "I have been the target of harassment, doxxing, or domestic abuse." Don't start with the OSINT audit, start with operational safety. Read the survivors section of UK surveillance self-defence, and use Refuge's Tech Safety service directly. Get in touch if you want to talk through your specific situation in confidence.
- "I'm a journalist or work with sensitive sources." Start with the journalists section of UK surveillance self-defence for British-specific source-protection issues (Section 49 RIPA, Schedule 7 detention, IPA), then see encrypted contact for ways to reach me. SecureDrop and OnionShare are not optional.
- "I just want to stop bleeding data." Pick one thing from the Privacy on a Tuesday series and do it this week. Repeat next week.
A note on perfectionism
The biggest enemy of practical privacy is the tendency to do nothing because the perfect setup is hard. You don't need to live on Tails, route everything over Tor, and migrate your family to Signal in a week. You need to remove the most damaging exposures, harden the choke points (email, phone, password manager, browser), and then make better defaults the path of least resistance from there.
None of this is moral — having a Gmail account doesn't make you a worse person, and using GPG for everything doesn't make you a better one. It is operational. Pick the things that matter to your actual life, do them well, and revisit annually.
Need help in your specific situation? If you'd like to talk through your privacy posture in confidence — as an individual, a journalist, an at-risk professional, or an organisation — drop me a line via the contact form or, for sensitive matters, an encrypted channel.