BRIEF · 00101 · Initiate · Digital Privacy & OPSEC · 14 min read · updated 2026-05-29

The Gray Man: Becoming Unremarkable Online

The first discipline of OPSEC is not invisibility; it's being uninteresting. A field primer on shrinking your digital silhouette.

§ BRIEFING

TL;DR

Privacy isn't invisibility; it's becoming uninteresting to the systems that watch by default. Work the three exposure surfaces from the outside in: brokers and breach data first, then platform identity, then runtime. An hour of triage now removes more risk than years of half-measures.

What you'll be able to do

  • A working model of your three exposure surfaces.
  • A prioritized, paper-based map of your visible data.
  • Top brokers opted-out (US) or erased (EU).
  • The five accounts that would actually hurt, locked down.
  • Per-service email aliasing in place.
  • A hardened browser and a disciplined secondary phone number.

Prerequisites

  • A laptop and a private browser window.
  • One uninterrupted hour for the recon pass.
  • A sheet of paper. Not a notes app.

Threat model

Passive data-broker aggregation, ad-tech profiling, breach-corpus credential stuffing, and opportunistic doxxing. Not targeted state-level adversaries; that's a different threat model and a different guide.

The watching is ambient. It is not a person hunched over a screen somewhere deciding to look at you; it is a thousand systems built to look at everyone, by default, all the time, because the cost of looking has fallen to roughly zero. Data brokers buy your courthouse records and your loyalty-card history. Ad networks fingerprint your browser before the page finishes loading. Breach corpora, the downstream remains of the last twenty years of compromised databases, sit in plain text on forums, indexed and searchable.

You are not paranoid for noticing this. You are simply paying the bill that comes with being a default user of the modern internet. The bill is paid in two currencies: leverage that other people quietly accumulate about you, and optionality you lose when an opportunistic attacker finally decides you are worth thirty seconds of effort.

This guide is about reducing that bill. Not to zero (that's a fantasy sold by people with hoodies on their book covers), but to a level where the systems that watch by default lose interest, and the operators who prey on credential reuse move on to easier names.

By the end of an hour with this guide you will have a working mental model of your exposure, a short prioritized list of doors to close, and three concrete actions completed this week. That is the entire promise. It is also enough.

The goal is not to disappear. The goal is to become uninteresting to the systems that watch by default.

§ 01

The three surfaces.

Treat your exposure as three concentric surfaces. Work outside-in. The outer ring is the cheapest to close and the one most operators ignore for years; they jump straight to the inner ring (VPNs, hardened OSes) and leave the front door wide open.

model.sh
# concentric exposure model

[ outer ]  public records · data brokers · breach corpora
[ mid   ]  platform identity · social graph · device IDs
[ inner ]  hardware · network egress · operational habits

priority:  outer → mid → inner     # cheapest wins first
cost:      $       → $$  → $$$
impact:    high    → high → marginal (without the others)
The concentric exposure model. Close the outer ring first.

Outer is everything someone can find about you without ever touching your devices: your name in a broker's database, your old username on a forum from 2011, your email in a breach corpus from a defunct social network. Mid is your standing identity on platforms: the same handle across services, the photo that ties accounts together, the social graph that confirms it's you. Inner is your runtime: what your devices leak when they talk to the network and what your habits leak when you use them.

§ 02

Who actually watches.

Threat-modeling without naming the threat is theatre. There are four broad categories of watcher most readers should care about, in descending order of how much they affect daily life:

Watcher         | What they want                                              | How they get it                            | Real risk to you
Data brokers    | Sellable profile (name · address · phone · age · relatives) | Public records, loyalty programs, app SDKs | Doxxing, harassment, social-engineering inputs
Ad-tech         | Behavioral graph for targeting                              | Cookies, fingerprinting, SDKs in apps      | Profile leakage, embarrassment, manipulation
Breach corpora  | Re-usable credentials                                       | Compromised databases, credential stuffing | Account takeover, the most common real harm
Platform graph  | Cross-account identity confirmation                         | Same handle, same photo, same phone        | Pivot from one account to all of them
Most concrete harm flows from breach corpora and broker data. Start there.

Notice what's not on this list: targeted state-level adversaries with legal process. If that is your threat model, this is the wrong guide; you need compartmentalization, anonymity networks, and a lawyer. For everyone else, the four above are what's actually eating you.

§ 03

Self-recon: see yourself as they do.

You cannot close doors you cannot see. The first move is to run the same lightweight reconnaissance an opportunistic adversary would run. Forty minutes, a private browser window, a sheet of paper. No tools you don't already have.

  1. STEP 01

    Search yourself the obvious way.

    In a fresh private window, search your full legal name, your most common nicknames, and your three most-used usernames. Do it on Google, then on Bing or DuckDuckGo; the rankings differ in informative ways. Look at images. Look at the first three pages.

  2. STEP 02

    Search your email addresses.

    For each address you've used in the last decade, search the address itself in quotes. Then run each through haveibeenpwned.com. Every breach is a door someone has already walked through.

  3. STEP 03

    Search your phone number.

    In quotes, with and without country code, with and without formatting. Phone numbers are the single highest-fidelity link in a broker's database; if it appears anywhere public, write down where.

  4. STEP 04

    Pull breach data programmatically (optional).

    If you want a structured list, the HIBP API returns it. You'll need a low-cost API key.

    recon
    # Get a key at haveibeenpwned.com/API/Key
    EMAIL="you@example.com"
    KEY="hibp_..."
    
    curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/$EMAIL?truncateResponse=false" \
      -H "hibp-api-key: $KEY" \
      -H "user-agent: self-recon" | jq -r '.[] | "\(.BreachDate)  \(.Name)  \(.DataClasses | join(", "))"'
    One line per breach. Each is a door.
  5. STEP 05

    Audit the data brokers serving your country.

    In the US: search yourself on Spokeo, Whitepages, BeenVerified, Radaris, Intelius, and TruePeopleSearch. In the EU and UK the equivalents are 192.com, Yasni, and the local commercial-register mirrors. Note every entry that contains your real address, phone, or relatives.
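The curl call in step 04 prints one line per breach; the next question is which door to close first. The following is an added example, not part of the original guide and not HIBP's code: it parses a constructed sample in the shape of the same `breachedaccount` response and ranks breaches by what leaked, with the weights and the closure actions being this example's own assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of a HIBP v3 breachedaccount response with
# truncateResponse=false (not real breach records); substitute the curl output above.
SAMPLE_HIBP_JSON = json.dumps([
    {"Name": "OldForum", "BreachDate": "2012-03-01", "IsVerified": True,
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "LoyaltyApp", "BreachDate": "2021-07-19", "IsVerified": True,
     "DataClasses": ["Email addresses", "Phone numbers", "Physical addresses"]},
    {"Name": "Newsletter", "BreachDate": "2019-11-02", "IsVerified": False,
     "DataClasses": ["Email addresses"]},
])

# Triage weights (an assumption of this example): credentials first, because
# credential stuffing is the most common real harm; then the identifiers a
# broker joins on (phone, address); any other data class counts 1.
CLASS_WEIGHT = {
    "Passwords": 10, "Auth tokens": 8, "Security questions and answers": 6,
    "Phone numbers": 5, "Physical addresses": 4, "Dates of birth": 3, "Usernames": 2,
}

def score_breach(breach):
    """Sum the weights of the data classes this breach exposed."""
    return sum(CLASS_WEIGHT.get(c, 1) for c in breach["DataClasses"])

def triage(hibp_json, today=date(2026, 5, 29)):
    """Order breaches by urgency and attach the closure each one demands."""
    rows = []
    for b in json.loads(hibp_json):
        classes = set(b["DataClasses"])
        age = (today - date.fromisoformat(b["BreachDate"])).days / 365.25
        if classes & {"Passwords", "Auth tokens"}:
            action = "rotate the password everywhere it was reused; add hardware 2FA"
        elif classes & {"Phone numbers", "Physical addresses"}:
            action = "expect broker re-listing; include in the next opt-out pass"
        else:
            action = "retire this address or move its signups to an alias"
        rows.append({"name": b["Name"], "score": score_breach(b),
                     "age_years": round(age, 1), "action": action})
    return sorted(rows, key=lambda r: -r["score"])

if __name__ == "__main__":
    for r in triage(SAMPLE_HIBP_JSON):
        print(f'{r["score"]:>3}  {r["name"]:<12} {r["age_years"]:>5}y  {r["action"]}')
```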

§ 04

The closures: outer ring first.

With a map in hand, close doors in the order they actually matter. The sequence below is deliberate; each step makes the next one cheaper.

4.1 Strip the brokers.

Every major broker is legally required to honor an opt-out request, though they make it tedious on purpose. You have two real options: do it yourself using a removal tracker, or pay a service to do it continuously.

Approach                                | Cost                     | Time                              | Coverage
Manual                                  | $0                       | ~6 hours, repeated every 6 months | As thorough as you are
EFF / Yael Grauer trackers              | $0 (DIY with checklists) | ~3 hours initial                  | Top ~30 US brokers
Paid service (DeleteMe, Optery, Kanary) | $100–250/yr              | Minutes to enroll                 | 100–500 brokers, continuous re-removal
EU residents                            | $0                       | Hours per controller              | GDPR Art. 17 erasure, high success rate
Brokers re-add you. Removal is continuous, not one-shot.

For EU/UK residents, a GDPR Article 17 erasure request sent by email is legally binding and most brokers comply within thirty days. A template is below.

gdpr-erasure.txt
Subject: GDPR Article 17, Right to Erasure Request

To Data Protection Officer,

Under Article 17 of the General Data Protection Regulation (EU 2016/679),
I request the erasure of all personal data your organization holds on me.

Identifiers:
  Full name:      [YOUR NAME]
  Email:          [YOUR EMAIL]
  Postal address: [YOUR ADDRESS or "see prior records"]

Please confirm completion in writing within 30 days as required under
Article 12(3). Where data has been disclosed to third parties, please
inform those recipients per Article 19.

Regards,
[YOUR NAME]
Article 17 erasure request, paste and personalize.

4.2 Triage the five accounts that would actually hurt.

Most people maintain unique passwords for nothing and the same password for everything. The fix is not to fix all of them; that is the advice that has made nobody fix any of them. The fix is to identify the five whose compromise would cause real harm, and harden those first.

§ CHECKLIST: The five accounts to lock down this week

For each: a unique, long, random password from a password manager (Bitwarden, 1Password, or KeePassXC if you prefer local-only), and a hardware second factor (a YubiKey is the canonical choice). SMS 2FA is better than nothing, but it is not a hardware factor; it is a soft target for SIM-swap. (See YubiKeys & Hardware 2FA for the setup that sticks.)

4.3 Email aliasing: stop reusing your address.

Your email address is a primary key in every broker's database. If you sign up for everything with the same address, you have personally funded the join. The fix is per-service aliasing: every service gets a unique, revocable address that forwards to your real inbox.

alias.sh
# pattern: one alias per service
newegg.7f3a@yourdomain.alias  ──►  forwards to you@real.tld
reddit.91kx@yourdomain.alias  ──►  forwards to you@real.tld
that.weird.forum@yourdomain.alias  ──►  disabled

# When an alias starts receiving spam, you know exactly who leaked.
# Disable the alias. The breach can no longer reach you.
Pattern, not literal commands; your aliasing tool's UI does the work.

SimpleLogin (open-source, self-hostable, owned by Proton) and addy.io (formerly AnonAddy) are the two credible providers. Both offer free tiers sufficient to start. If you own a domain, use it; providers come and go.

4.4 Browser hardening: the cheapest mid-ring win.

Browser                                  | Defaults                         | Effort | Best for
Firefox + uBlock Origin + container tabs | Good after tuning                | Low    | Maximum control with minimal breakage
Brave (default)                          | Strong out of the box            | None   | Set-and-forget for non-technical users
Mullvad Browser (desktop)                | Fingerprint-resistant by default | Low    | Sensitive sessions without the Tor latency
Safari + iCloud Private Relay            | Acceptable                       | None   | Apple-native users; weakest of the four
Pick one and commit. Switching daily defeats the point.

4.5 Phone-number discipline.

Your real phone number should reach exactly three categories of recipient: people you know, your bank, and your government. Everyone else gets a secondary number. This is the single biggest reduction in broker-graph quality you can make.

  • MySudo: disposable numbers · iOS/Android · paid. Up to nine numbers per account; clean UI; US/CA/UK numbers.
  • JMP.chat: XMPP-routed real number · cross-platform. Pays out to a Jabber account you control; cheap; Canadian.
  • Google Voice: free US-only secondary number. Acceptable for low-stakes signups; do not use for 2FA.
  • Travel/secondary eSIM: a second SIM on your existing phone. Carry one number for life, one for everything else.

4.6 Social-graph minimization.

§ CHECKLIST: Social profile audit

§ 05

Verification: confirm it worked.

Closure without verification is hope, not engineering. Two weeks after you start, repeat the self-recon from § 03 and diff the results. You are looking for three things:

§ CHECKLIST: Verification pass

cyt-test
# Visit in the browser you've hardened:
$ open https://coveryourtracks.eff.org

# What to look for in the report:
#   Tracker domains blocked:   ✓
#   Fingerprint uniqueness:    "randomized" or "partially protected"
#   Canvas fingerprint:        "spoofed" or blocked
EFF's Cover Your Tracks gives you a one-page browser fingerprint report.
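Diffing the two recon passes is easier when the sheet of paper becomes a small inventory. The following is an added example, not part of the original guide: it compares a first-pass and a repeat-pass inventory (both constructed for illustration, with the ring and kind labels chosen here) and turns the diff into the to-do list for the next closure pass, including the entries brokers re-add and the breach records that cannot be removed at all.

```python
# Constructed recon inventories (not real findings) in the shape a § 03 pass produces:
# name -> (ring, kind, what was visible). BEFORE is pass one, AFTER the repeat two weeks later.
BEFORE = {
    "Spokeo":        ("outer", "broker",   "real address, phone, relatives"),
    "Whitepages":    ("outer", "broker",   "real address, phone"),
    "OldForum 2012": ("outer", "breach",   "email, password hash"),
    "handle reuse":  ("mid",   "platform", "same handle on 4 platforms"),
    "profile photo": ("mid",   "platform", "same photo on 3 platforms"),
}
AFTER = {
    "Whitepages":    ("outer", "broker",   "real address, phone"),   # ignored or re-added
    "OldForum 2012": ("outer", "breach",   "email, password hash"),  # corpora never forget
    "handle reuse":  ("mid",   "platform", "same handle on 2 platforms"),
    "Radaris":       ("outer", "broker",   "real address"),          # new since pass one
}

def diff_recon(before, after):
    """Bucket every finding as closed, new, persisting (unchanged), or changed."""
    return {
        "closed":     sorted(n for n in before if n not in after),
        "new":        sorted(n for n in after if n not in before),
        "persisting": sorted(n for n in before if n in after and before[n][2] == after[n][2]),
        "changed":    sorted(n for n in before if n in after and before[n][2] != after[n][2]),
    }

def next_actions(before, after):
    """Turn the diff into the to-do list for the next closure pass."""
    d = diff_recon(before, after)
    todo = []
    for name in d["new"] + d["persisting"]:
        _ring, kind, _visible = after[name]
        if kind == "broker":      # brokers re-add you: removal is continuous
            todo.append(f"{name}: submit opt-out / erasure request, re-check in 6 months")
        elif kind == "breach":    # a breach record cannot be pulled; close the door it opens
            todo.append(f"{name}: cannot be removed; rotate the credential, alias the address")
        else:
            todo.append(f"{name}: split the handle or photo across accounts")
    for name in d["changed"]:
        todo.append(f"{name}: partial closure, finish it ({after[name][2]})")
    return todo

if __name__ == "__main__":
    for bucket, names in diff_recon(BEFORE, AFTER).items():
        print(f"{bucket:<11} {names}")
    print(*next_actions(BEFORE, AFTER), sep="\n")
```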

§ 06

What this does NOT protect against.

The most important section. The credibility of any security guide is the honesty of its limits. If a guide does not have a section like this, distrust it.

✓ PROTECTS AGAINST

  • Passive data-broker aggregation and resale.
  • Opportunistic credential stuffing from breach corpora.
  • Casual stalkers, ex-partners, and low-effort doxxers.
  • Ad-tech behavioral profiling across most of the open web.
  • SIM-swap attacks (once carrier PIN + hardware 2FA are in place).

✗ DOES NOT PROTECT AGAINST

  • Targeted adversaries with legal process (subpoenas, NSLs).
  • Device compromise: if your laptop is owned, this is the wrong layer.
  • Voluntary disclosure: what you tell a friend who tells a podcast.
  • Biometric and face-graph systems (CCTV, airport, retail).
  • ISP / DNS logging without an upstream you control (VPN, own resolver).
  • Anything you sign with your real name on a public form.

The Gray Man discipline is the outer ring. Once you have a clean baseline, three guides build on it in the order most operators take:

§ REFERENCES

  1. Have I Been Pwned, breach corpus index
  2. EFF, Cover Your Tracks (browser fingerprint test)
  3. NIST SP 800-63B, Digital Identity Guidelines
  4. GDPR Article 17, Right to Erasure
  5. Yael Grauer, Big Ass Data Broker Opt-Out List
  6. SimpleLogin, open-source email aliasing
