RC RANDOM CHAOS

Your privacy settings are decoration.

Privacy is no longer a default state. A former black hat defines what failed, why it failed, and what operators must now assume.


1. Opening Claim

Privacy as a default state no longer exists in commercial digital systems. What remains is privacy as a configuration outcome, produced by deliberate action against systems designed by default to collect. The asymmetry between collector and subject is structural, not incidental.

The question is not whether you have privacy. The question is which actors hold which records about you, under what retention policy, with what enforcement, and what controls limit secondary use. Anything else is sentiment. Sentiment does not change exposure.

I operated on the offensive side long enough to know what was available for purchase, what was scraped without consent, and what was inferred from behaviour alone. The volume of records in circulation has increased. The cost per record has dropped. The collection surface has expanded into devices and contexts that were not networked ten years ago. Television sets, vehicles, doorbells, point-of-sale terminals, fitness equipment, and home audio devices now act as collection endpoints. None of these were part of the user’s mental model of a connected system. All of them are.

2. The Original Assumption

The early consumer internet operated on an assumption that data exhaust was a byproduct of service delivery, not the product. Users believed that anything they did not actively publish remained private. That assumption was never technically accurate. It was operationally close enough to function as a working model for most users for roughly a decade. It is no longer close enough.

Threat models from that period focused on direct compromise. Stolen credentials. Intercepted traffic. Physical device loss. The defensive posture was perimeter-based. If you secured the endpoint and encrypted the transport, the data was considered protected. Identity was treated as binary. Authenticated or not. Account boundaries were treated as privacy boundaries. The threat actor was modelled as an external intruder attempting to cross a defined edge.

The aggregation problem was not part of the consumer threat model. Combining low-sensitivity records from multiple sources to produce a high-sensitivity profile was framed as an enterprise concern. The fact that the same techniques could be applied at scale to consumer populations, by commercial actors operating within the law, was not addressed in mainstream security guidance. Privacy was framed as a property of individual transactions rather than a property of the system. That framing produced controls that protect single events and ignore correlation across events. It is the wrong unit of analysis.

3. What Changed

Three mechanisms shifted the baseline. First, collection moved from discrete event capture to ambient telemetry. Mobile operating systems, browsers, connected devices, and embedded SDKs emit continuous signals tied to persistent identifiers. The default state is collection. Opting out is a per-vendor configuration task placed on the subject. The control burden was inverted. The user is now responsible for enforcing a boundary that the system was designed to ignore.

Second, the broker market matured into operational infrastructure. Identity resolution providers correlate offline and online identifiers across large numbers of source feeds. A device advertising ID, an email hash, a postal address, and a transaction record resolve into a single persistent profile. The unit economics support resale at low margin and high volume. Access is gated by standard B2B contracts, not by technical capability. The cost to assemble a targeted profile of an arbitrary individual is now within reach of a small commercial operator. It does not require intrusion. It requires a purchase order.

Third, breach frequency made personal data a commodity. Credentials, identity documents, health records, payment data, and behavioural records have been exposed in cumulative volumes that exceed the global adult population. A threat actor does not need to compromise a specific target to obtain data about that target. They acquire a dataset that already contains the target. Credential re-use across services amplifies the consequence at no additional cost to the attacker. The boundary between authenticated and unauthenticated state collapses when the authenticator itself is already in circulation. Identity is the boundary. The boundary has been crossed for most populations already, and the crossing is permanent because the exposed records cannot be recalled.

4. Mechanism of Failure or Drift

The failure is not a single broken control. It is the gradual relocation of the enforcement point away from the subject. Consent was the original mechanism. Consent assumes the subject can read, evaluate, and reject a collection scope at the moment of disclosure. That assumption breaks when the disclosure is delivered through a multi-thousand-word policy referencing third-party recipients whose own policies reference further recipients. The subject is asked to authorise a graph they cannot enumerate. The control exists in form. It does not exist in function. A control that cannot be evaluated by the party it protects is not a control. It is a record-keeping artefact for the collector.

The second drift is the substitution of identifiers. When a regulated identifier is restricted, collection shifts to a functionally equivalent unregulated identifier. Device advertising IDs, browser fingerprints, behavioural biometrics, and probabilistic graph identifiers each serve the same resolution function as a regulated personal identifier. Restriction at one layer does not reduce the resolution capability of the overall system. It moves the resolution to a layer where enforcement is weaker or absent. The boundary the subject believed they were defending has been redrawn around them without notification. This is the predictable outcome when the enforcement point sits with the collector and the audit point sits with the regulator. The party with the operational capability has no incentive to constrain it.

The third drift is the conflation of authentication with authorisation. A subject authenticates to a service to use it. The service then treats that authentication as authorisation for downstream data flows the subject did not specifically approve. Account access becomes a proxy for unrelated commercial use. The session boundary, the data-use boundary, and the identity boundary are collapsed into a single event. Once collapsed, they cannot be separated by the subject after the fact. Continuous validation of trust does not occur. A single authentication event is treated as standing consent for the lifetime of the account, and often beyond it through retention policies the subject cannot inspect.

5. Expansion into Parallel Pattern

The same mechanism is visible inside enterprise environments. Identity providers issue tokens that downstream services accept as evidence of authorisation. Once issued, the token is honoured across services that have no direct relationship with the original authentication event. Lateral movement in modern intrusions does not require credential theft in the traditional sense. It requires acquisition or replay of a valid token. The token is the identifier. The identifier is the boundary. When the boundary is portable, the boundary is not a boundary. The consumer privacy failure and the enterprise lateral-movement failure are the same failure expressed in different vocabularies. In both cases, a single authentication event is over-credited as a continuous authorisation state. In both cases, the system was designed in a period when the issuance environment and the consumption environment were assumed to share a trust context. That assumption no longer holds.

The pattern repeats in supply chain telemetry. A vendor authenticates to a customer environment for a defined integration. The integration emits telemetry to the vendor for support and product purposes. That telemetry is then aggregated across customers, joined with broker data, and used to derive intelligence about customer environments that no individual customer authorised. The collection mechanism is identical to the consumer pattern. The vocabulary is different. The control failure is the same. The subject of collection has no enforcement capability against secondary use because the primary use was bundled with the service contract and the secondary use was not separately gated.

In both the consumer and enterprise cases, the volume of records held by third parties exceeds the volume held by the subject. The party with the largest record of the subject’s activity is rarely the subject. This inverts the historical model in which the individual held the master record of their own life and disclosed selectively. The master record now sits elsewhere. The subject holds a partial copy. Any defensive strategy that assumes the subject controls the canonical record is operating on an outdated map. The defensive strategy must instead assume that multiple canonical records exist, held by parties with varying retention discipline, varying breach history, and varying willingness to honour deletion requests. Most will not honour deletion in a verifiable way. Verification is not provided to the subject. The deletion claim is a representation, not a control.

6. Hard Closing Truth

Privacy is now a configuration outcome produced by sustained operator-grade work against systems that resist that work by design. It is not a setting. It is not a product. It is not a posture that can be achieved and held. It is a continuous process of reducing identifier surface, segmenting identity across contexts, restricting collection at the device and network layer, and accepting that records already in circulation cannot be retracted. Anyone selling a single-purchase solution is selling sentiment. Sentiment does not change exposure.

The operational position is this. Treat every consumer device as a collection endpoint until configuration proves otherwise. Treat every account as a long-lived identifier that will outlive your interest in the service. Treat every authentication credential as already compromised at some point in its lifecycle, and design around that condition rather than against it. Use unique credentials per service with a manager that supports rotation. Enforce multi-factor authentication with hardware-bound factors where the service supports them. Segment identifiers across contexts so that correlation across services requires effort rather than a join key. Reduce ambient telemetry at the operating system and browser level before considering downstream tools. Assume any data shared with a third party will be retained beyond the stated period and will appear in a breach corpus at some future point.
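The join-key mechanism from section 3 (a device advertising ID, an email hash and a postal address resolving into one profile) and the identifier segmentation advised above, as an added worked example that is not from the original post. It assumes three constructed vendor feeds and a plain union-find for identity resolution; the alias addresses, advertising ID and card token are made up.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

Identifier = Tuple[str, str]  # (namespace, value), e.g. ("postal", "12 Example St")

def email_hash(address: str) -> str:
    """Deterministic digest of a normalised address. Every feed that hashes
    the same way produces the same value, so the hash is still a join key."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()

def resolve_profiles(records: Iterable[Dict[str, str]]) -> List[Set[Identifier]]:
    """Union-find over identifiers: records sharing any identifier collapse
    into one profile. Returns the resolved profiles as identifier sets."""
    parent: Dict[Identifier, Identifier] = {}

    def find(x: Identifier) -> Identifier:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for rec in records:
        ids = list(rec.items())
        for ident in ids:
            parent.setdefault(ident, ident)
        for other in ids[1:]:
            root_a, root_b = find(ids[0]), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    groups: Dict[Identifier, Set[Identifier]] = {}
    for ident in parent:
        groups.setdefault(find(ident), set()).add(ident)
    return list(groups.values())

def profile_of(profiles: List[Set[Identifier]], ident: Identifier) -> Optional[Set[Identifier]]:
    """Return the resolved profile containing ident, or None."""
    return next((p for p in profiles if ident in p), None)

# Constructed sample feeds (not real data). Each vendor holds only fragments;
# no single feed contains a complete profile.
FEEDS_SHARED = [  # one e-mail address reused in every context
    {"ad_id": "ADID-7f3a", "email_hash": email_hash("Subject@Example.com")},  # mobile SDK
    {"email_hash": email_hash("subject@example.com"), "postal": "12 Example St"},  # loyalty card
    {"postal": "12 Example St", "card_token": "tok_91c2"},  # payment processor
]
FEEDS_SEGMENTED = [  # same subject, a distinct alias per context
    {"ad_id": "ADID-7f3a", "email_hash": email_hash("ads.k3j@alias.example")},
    {"email_hash": email_hash("shop.q8d@alias.example"), "postal": "12 Example St"},
    {"postal": "12 Example St", "card_token": "tok_91c2"},
]
```

With the shared address the three feeds resolve into a single profile; with per-context aliases the advertising ID is cut off from the payment record, but the loyalty and payment feeds still join on the postal address, which is the "limit the resolution" outcome rather than elimination.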

The boundary is identity. The boundary has already been crossed for most populations through accumulated breaches and broker aggregation. The defensive work is not to restore a state that no longer exists. The defensive work is to make further collection expensive, to limit the resolution of any new profile assembled against you, and to ensure that compromise of one identifier does not compromise the others. Controls that are not enforced are not controls. Privacy claims that are not enforceable by the subject are not privacy. Operate accordingly.
