Devices That Don't Follow You Home

A burner is not a costume phone. A second handset with the same Apple ID is not a burner. A "private profile" on your daily driver is not a burner. The word has been diluted by film and by marketing into anything cheap and disposable. The operational meaning is narrower and unforgiving: a separately provisioned device, with its own identity, its own SIM, its own accounts, no overlap with primary identity, wiped or destroyed on a defined schedule.

Get any of those clauses wrong and you have a second phone, not a burner. The difference shows up immediately in the correlation graphs that Apple, Google, your carrier, and any adversary with court process can run. Two devices that share a Wi-Fi network, a charger, an Apple ID, a contact, or even a Bluetooth proximity pair will be linked within hours.

This guide is the operator-level treatment of burner hardware: what kinds exist, what to buy, how to provision without cross-contamination, the bright lines you do not cross, the wipe and destruction rituals, and the legal frame. It complements Travel Without a Trail (the trip) and sits under OPSEC as a Lifestyle (the default state).

By the end you will be able to choose the right burner archetype for the actual problem, provision it without leaking identity, run it without correlating it to your primary stack, and retire it cleanly.

The burner is the discipline, not the device. The provisioning ritual and the wipe ritual are the product. The hardware is the cheapest part.

Most people who say "burner" mean one specific thing and treat the rest as the same. They are not. Pick the archetype that matches the actual threat before touching a store shelf.

Three categories matter: the phone, the laptop where a laptop is involved, and the small accessories that keep the layers separate.

2.1, Phones.

• Stock iPhone (recent SE or base model) for the privacy-by-defaults posture. iOS 17+ Lockdown Mode, Secure Enclave, automatic security responses, and the App Store sandbox give a usable floor with very little configuration. The right choice for travel and long-life secondary use by most operators.
• GrapheneOS on a Pixel 7, 8, or 9 for the hardened-Android posture. Verified boot, hardened allocator, network and sensor permissions per-profile, and Google Play sandboxed in its own user. Note: the Pixel 6a is past GrapheneOS's hardware support window as of 2026; do not buy old hardware for new builds.
• Avoid "privacy phones" with unverifiable supply chains. Purism Librem 5 has well-documented execution issues. Volla, Pinephone, and the older /e/OS-only handsets are hobbyist territory, not operational hardware.

2.2, Laptops.

• Framework 13 or 16 with coreboot or Dasharo firmware where available. User-serviceable, firmware transparent, no Intel ME blob beyond what is required.
• ThinkPad X1 or T-series with Heads firmwarefor the firmware-paranoid posture. Boot integrity verified by a Yubikey at every boot.
• MacBook for users who value Secure Enclave plus Lockdown Mode plus FileVault over firmware transparency. Acceptable as a travel burner if signed into a burner Apple ID with no iCloud restore.
• Tails on a Yubikey-protected USB for the amnesic posture. No persistent state on disk, RAM cleared on shutdown, Tor by default. Used with any of the laptops above for the highest-sensitivity sessions.

2.3, Accessories that keep the layers separate.

• A small Faraday bag (Mission Darkness, Silent Pocket) for transport. Tested with a phone call to the bagged device; bags that fail this test are decorative.
• A dedicated wall charger and cable for the burner. Never a USB port on a primary device.
• A YubiKey 5 NFC scoped to burner identity accounts only, not the primary key.
• An Apricorn Aegis Secure Key or similar hardware-encrypted USB for cold artifacts that need to move between machines without touching cloud sync.

The connectivity layer is where most "burner" setups actually leak. The phone can be perfect; the carrier relationship undoes it.

• US: AT&T, T-Mobile, and Verizon prepaid retail still accept cash at many physical stores, with light KYC that varies by location. MVNOs (US Mobile, Mint, Tello) bought online require a card; fund with a Privacy.com virtual to limit linkage.
• EU: most jurisdictions require ID for SIM activation. Germany since 2017 (TKG § 111), France since 2006 (L. 34-1 CPCE), Spain since 2007 (Ley 25/2007), Italy since 2005 (Pisanu Decree, DL 144/2005). Cash-anonymous SIMs are no longer a default in the EU. Plan accordingly.
• eSIM-only iPhones (US models since the iPhone 14) make cash anonymity harder. Transit eSIMs from Airalo, Holafly, or Saily are pseudonymous to the local carrier but linked to the card that purchased them; treat as identifiable to anyone with the provider's records.
• Tower density is its own leak. A clean SIM in your home neighborhood still locates the handset to within tens of meters via cell site location information (CSLI, the data class at issue in Carpenter v. United States, 2018). The burner ships airplane mode in transit; cellular only at the use location.

The most common burner failure is not on the use day. It is on the setup day, when the device is briefly signed into a primary identity "to download an app," or first-booted on the home Wi-Fi network. Run the setup ritual in full, every time.

1. STEP 01

   Unbox away from home.

   First contact with mains power and first contact with any radio happens on a venue you do not frequent. Not your home Wi-Fi. Not your office. A cafe, a hotel lobby, a coworking day-pass.

2. STEP 02

   Create the burner identity first.

   On a clean machine, before the device is powered on: create the Apple ID or Google account with a burner email (SimpleLogin, Tutanota, Proton with a paid sub funded by virtual card). Use a name and date of birth that match no other account. Note these in the password manager under a dedicated burner vault.

3. STEP 03

   First boot on a venue hotspot.

   Sign in with the burner identity only. Decline iCloud restore from any previous backup, every time, without exception. The whole point of the device is that it has no history.

4. STEP 04

   Activate carrier on the same venue Wi-Fi.

   Never on the home network. Carrier activation pairs the handset to your home IP if done on home Wi-Fi, and most carriers retain that pairing for years.

5. STEP 05

   Install only the apps the role needs.

   Signal, a 2FA app (Aegis on Android, Raivo or the built-in Passwords on iOS), a password manager scoped to this device, maps, browser. No social, no email client signed into a primary account, no cloud-storage apps signed into primary.

6. STEP 06

   Record the identifiers offline.

   Photograph or write down the IMEI, the eSIM ICCID, the serial number, and the burner identity username. Store in a sealed envelope or an encrypted vault separate from the device. You will need them if the device is lost or seized.

Compartmentalization is the entire product. The list below is short, absolute, and earned in blood by people who violated it once.

Retiring a burner is the second ritual. Skip it and the device carries everything it learned into the next owner's hands, the carrier's logs, or the warehouse trade-in pipeline.

6.1, Logical wipe (default).

Sufficient for travel burners and long-life secondaries with no source-protection requirement. Apple's Secure Enclave and Android's file-based encryption make a factory reset effectively destructive of the keys; the on-disk ciphertext becomes unrecoverable without the (now destroyed) wrapping key.

# before the wipe

[ ] sign out of burner Apple ID / Google account (release device from FMI / FRP)
[ ] remove eSIM profile from device
[ ] cancel the carrier line with the provider (do NOT port the number)
[ ] photograph the about-screen IMEI for records
[ ] note: keep the burner identity email alive for 30 days in case
    of service follow-ups, then close

# the wipe

iOS:     Settings -> General -> Transfer or Reset iPhone -> Erase All Content and Settings
Android: Settings -> System -> Reset options -> Erase all data (factory reset)

# after the wipe

[ ] confirm device boots to setup assistant (proves wipe succeeded)
[ ] device may be resold, donated, or repurposed under a new identity
[ ] burner identity vault entry marked "retired YYYY-MM-DD"

6.2, Physical destruction (high-risk single-use).

Mandatory for journalism source-meeting hardware, appropriate for any device whose continued existence is a liability rather than an asset. Theatrical for ordinary operator use; understand which category you are in.

• Disassemble. Separate the SoC, the flash storage, and the battery.
• Drill the SoC and the flash chip through the silicon die, not the package. A single hole through the chip is sufficient.
• Dispose of the components in separate municipal waste streams, ideally on separate days.
• Lithium batteries to a battery recycling drop-off, never to general waste. This is a fire-safety rule, not an OPSEC one.

Every item below has correlated a "burner" to a primary identity in a published case or a documented investigation. Treat the list as a pre-flight rather than a postmortem.

• Shared Wi-Fi. Burner and primary on the same home SSID. Apple's network analytics correlates within the same Apple ID ecosystem; ISP DHCP logs correlate at the router.
• Photo metadata to primary cloud. iCloud Photos auto-upload is on by default on a fresh iPhone. A single tap and the burner's GPS history is in the primary account.
• Contact graph. Calling or texting someone whose phone stores the number in primary-identity contacts. The receiving device, not yours, is the leak.
• Bluetooth proximity. Burner advertises its MAC, primary scans for it, the home router logs both. iOS MAC randomization helps; it does not solve.
• Same payment instrument. A USD 30 prepaid card bought with a Visa from the same BIN range as your daily card still ties back to the purchase trail.
• Behavioral fingerprint. Typing cadence, app-launch order, sleep-and-wake pattern. Over weeks these re-identify the same user across two devices, even without any direct technical link.

The legality question gets confused because film treats burners as inherently criminal. They are not. The relevant rules:

• Owning multiple phones is legal in every Western jurisdiction.
• Buying a prepaid SIM with cash is legal where the carrier accepts it. In most of the EU, it is no longer accepted; the carrier requires ID.
• Lying to a carrier on KYC is illegal almost everywhere (false statements in commerce, sometimes fraud). Pseudonymity through legal channels (using a forwarding email, a virtual card, a real legal name) is different from identity fraud.
• Using a burner to commit a crime is the crime, plus an obstruction-of-justice enhancement in many jurisdictions if the burner is destroyed after the fact. The discipline buys compartmentalization, not impunity.

The honest panel. Burner discipline raises the floor materially. It is not a defense against targeted state actors who own the supply chain, against the user's own habits, or against the device's broader operating environment.

The two natural follow-ons: the lifestyle that makes the discipline sustainable, and the on-the-ground gray-man practice that the burner sits inside.

• PHYSICAL · ARCHITECT

  OPSEC as a Lifestyle →

  The default state that makes the burner ritual one box on a calendar, not a heroic event each time.

• PHYSICAL · OPERATOR

  Travel Without a Trail →

  The trip-level discipline the burner is one input into. Booking, payment, identity, device, social.

• DIGITAL · INITIATE

  YubiKeys and Hardware 2FA →

  The small physical key that anchors the burner identity's accounts without involving SMS or primary-identity 2FA.

• DIGITAL · INITIATE

  The Gray Man, Online →

  The same compartmentalization principle in the digital layer. A burner is gray man in physical form.