You open a new tab at 11pm to look up one quiet, private thing — a symptom, a salary, a name you’d rather no one knew you searched. You type it. You hit enter. And somewhere, in a server you’ll never see, a profile of you gets one entry richer. Not because you did anything wrong. Because the tab itself was built to report on you.
The short version: Digital sovereignty means treating your data as a first-tier asset and building a perimeter you actually control. It rests on five pillars: operational security (a risk signal model that decides what you defend and from whom), compartmentalised identity (separate personas that can’t collapse together), self-hosting your highest-risk data, network obfuscation so your IP stops being a fingerprint, and hardware you can verify. You don’t need all five on day one. You need to stop handing your whole life to one company that profits from watching it. Start with a risk signal model and one separated identity — that single afternoon already shrinks your risk surface more than any app you could install.
Why “free” digital services were the largest data grab ever run
If you don’t pay for the product, you are the product. That phrase gets repeated until it goes numb, so let’s make it concrete. Your search history reveals what you fear and want. Your location data reveals where you sleep, work, and worship. Your message metadata reveals who you trust. None of it is yours once it lands on a centralised server — it’s an inventory item, modelled and sold.
The con worked because it never felt like a transaction. Free email, free storage, free social feeds: you never signed a contract that said, in exchange, every behaviour you exhibit becomes a sellable record. You were negotiating the whole time. You just weren’t shown the price.
The reframe is this: you are not a bad, careless person who “has nothing to hide.” You are a profitable person playing a game whose rules were hidden from you. Once you see the rules, you can change how you play. Going from product to sovereign doesn’t mean disappearing. It means deciding, deliberately, who gets which slice of you — and keeping the rest off the market entirely.
How risk signal modeling becomes your first real line of defense
Here’s the part most privacy advice gets backwards. It hands you a shopping list of apps before you’ve decided what you’re protecting or who you’re protecting it from. That’s how people end up with five VPNs and still leak everything that matters.
Operational security isn’t software. It’s a set of decisions you make before you touch a tool. The decision-making frame is a risk signal model, and it comes down to five honest questions:
- Who is the adversary? An ISP selling browsing logs is not a nation-state. A data broker is not an abusive ex. Name yours.
- What is the asset? Communications, financial records, location history, your real legal name — rank them.
- What are the vulnerabilities? Reused passwords, one centralised account that touches everything, an unencrypted laptop.
- What is the risk? Profiling, price discrimination, doxxing, identity theft, targeting.
- What is the cost of failure? Annoyance, money, physical safety — they are not the same and shouldn’t get the same defence.
The point of a risk signal model isn’t paranoia — it’s the opposite. It lets you stop defending against everything so you can actually defend against the thing that would hurt you. Most leaks aren’t exotic technical abuses. They’re behavioural: the same email on every signup, the photo with GPS data still attached, the one account that, once cracked, opens every other door.
Identity separation: why compartmentalisation isn’t paranoia
Never run your whole digital life through a single identity. Your public-facing persona, your financial identity, and your private communications should never touch. When they’re separated, one data incident is a contained fire. When they’re fused, one data incident is a total loss.
In practice, compartmentalisation looks like:
- Email aliases and pseudonyms for public-facing signups, so the address you give a forum never matches the one your bank knows.
- Separate browser profiles for separate roles — one hardened browser for finance, a more anonymous setup for sensitive research.
- A firm rule that accounts in different compartments never get linked, cross-imported, or “conveniently” merged.
- Unique, strong passwords per tier, held in a password manager so the uniqueness is actually maintainable.
The goal is structural: build it so that the worst single failure still leaves most of you standing.
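The behavioural leaks named above (one email on every signup, one password on several, one mailbox that resets everything) are exactly what fuses compartments. This added example, not part of the original article, runs that check over a constructed account inventory; the account names, addresses and password fingerprints are invented, and in practice they would come from your password manager's export.

```python
from collections import defaultdict

# Constructed sample inventory (not real accounts): the shape a password-manager
# export takes once each account is tagged with the compartment it belongs to.
# Fields: (account, compartment, login email, password fingerprint, recovery email)
ACCOUNTS = [
    ("bank",         "finance", "jane.real@example.com", "pw-a1", "jane.real@example.com"),
    ("broker",       "finance", "jane.real@example.com", "pw-b2", "jane.real@example.com"),
    ("health-forum", "private", "fog1192@alias.example", "pw-c3", "fog1192@alias.example"),
    ("linkedin",     "public",  "jane.real@example.com", "pw-d4", None),
    ("hobby-shop",   "public",  "hobby@alias.example",   "pw-b2", "jane.real@example.com"),
]

def _linking_attributes(acct):
    """Every value that would let an observer tie this account to another one."""
    name, _, login, pw, recovery = acct
    attrs = {("email", login), ("password", pw)}
    if recovery:
        attrs.add(("email", recovery))  # a recovery address links accounts just like a login does
    return attrs

def find_collapses(accounts):
    """Map each set of fused compartments to the (kind, value, accounts) links that fuse them.

    An empty dict means every link stays inside one compartment, i.e. the walls hold."""
    owners = defaultdict(set)  # (kind, value) -> names of accounts carrying that value
    for acct in accounts:
        for attr in _linking_attributes(acct):
            owners[attr].add(acct[0])
    compartment_of = {a[0]: a[1] for a in accounts}
    collapses = defaultdict(list)
    for (kind, value), names in owners.items():
        tiers = {compartment_of[n] for n in names}
        if len(tiers) > 1:  # the same value appears in two or more compartments
            collapses[frozenset(tiers)].append((kind, value, sorted(names)))
    return dict(collapses)

def recovery_hubs(accounts, threshold=2):
    """Addresses that can reset at least `threshold` accounts: the one door that opens the others."""
    hubs = defaultdict(list)
    for name, _, _, _, recovery in accounts:
        if recovery:
            hubs[recovery].append(name)
    return {addr: sorted(names) for addr, names in hubs.items() if len(names) >= threshold}

if __name__ == "__main__":
    for tiers, links in find_collapses(ACCOUNTS).items():
        print("compartments fused:", " + ".join(sorted(tiers)))
        for kind, value, names in links:
            print(f"  shared {kind} {value!r} across {names}")
    for addr, names in recovery_hubs(ACCOUNTS).items():
        print(f"recovery hub {addr} resets {len(names)} accounts: {names}")
```

In the sample, the private compartment (one alias, one unique password, its own recovery address) comes out clean, while finance and public are fused twice over: a real-name email shared by the bank and a public profile, and a password reused between the broker and a shop.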
Why self-hosting is data sovereignty made physical
“The cloud” is a marketing word for someone else’s computer. To take control back, you bring the most sensitive parts of that cloud home: your mission-critical email, documents, and backups live on hardware you control, encrypted with keys only you hold.
Self-hosting fixes three problems at once. There’s no vendor lock-in: a company changing its terms or suffering a breach doesn’t touch your data. There’s no surveillance layer: no behavioural profile assembled from your activity, no feed tuned to manipulate you. And there’s no permission-asking: you never request access to your own memory.
Open-source stacks for sovereign infrastructure
Build on privacy-hardened, independently auditable open-source tools running on your own hardware. Nextcloud handles files and can anchor email and calendar. Umbrel turns a Raspberry Pi or small NAS into a personal server with a friendly interface. Synapse, the reference server for the Matrix protocol, handles end-to-end encrypted messaging you control. The shared virtue: the code is open, so you — or a third-party auditor — can check that it does what it claims rather than taking a vendor’s word.
Be honest about the trade. The cost is a one-time hardware spend (roughly $300–$1,500 depending on ambition — a Raspberry Pi 5 with storage lands near the bottom of that range), plus your own maintenance time. That last part is the real bill — a self-hosted server you never patch is a liability, not a fortress. The payoff is data ownership that no terms-of-service update can revoke.
Encryption as law: end-to-end is non-negotiable
Treat any unencrypted data as already leaked. The rule for communications is end-to-end encryption (E2EE), and the test for it is brutally simple: if the provider holds the keys, you don’t have the privacy. A service that can read your messages on its servers to “improve” them or scan them is not E2EE, regardless of the marketing.
Tools that pass the test include Signal, Briar, and properly key-managed self-hosted Matrix. Signal’s protocol is open and independently audited — the same protocol WhatsApp licensed for message contents — but the difference is metadata: Signal keeps almost none, while a platform owner can still see who you message and when even when it can’t read the words. Tools where the company can decrypt server-side — most mainstream cloud storage, and messengers that hold the keys — fail outright, no matter what the homepage says. Verify where the keys live before you trust the label.
How to obfuscate your network and stop being a fingerprint
Your IP address is a persistent identifier. Without obfuscation, your ISP logs every destination you visit, third-party trackers stitch your clicks across sites, and your rough location is broadcast constantly. The fix is layered, not magic.
The layered defence: VPN, then Tor where it counts
Start with an audit-verified, no-log VPN — Mullvad, Proton VPN, or IVPN are the commonly vetted options. Never use a “free” VPN: when the VPN is free, the surveillance you’re fleeing is the business model. The VPN moves trust from your ISP to a provider you’ve chosen on the strength of published audits — that’s an upgrade, not invisibility.
For the highest-risk sessions, layer Tor on top, where the anonymity guarantee is strongest and the speed cost is worth it. At the device level, enable MAC address randomisation. iOS and Android have shipped it by default since roughly 2020, but it’s worth confirming it’s on per-network rather than assuming. Point your DNS at a non-logging resolver (Mullvad DNS, or Quad9 at 9.9.9.9) so the thousands of lookups your devices make each day stop narrating your day to your ISP.
A workable stack: VPN always on for everyday traffic, Tor reserved for sensitive comms and research, MAC randomisation enabled, and DNS-over-HTTPS to a non-logging resolver. Match the layer to the risk signal — running maximum anonymity on everything just trains you to abandon it.
Why hardware trust is the floor everything else stands on
Trust begins below the operating system. Consumer devices are partly black boxes — firmware, BIOS, and System-on-Chip behaviour you can’t fully inspect, any of which can quietly undermine the careful stack you built above it. You want hardware you can actually verify, and you prioritise it like this:
- De-Googled phones: a Pixel running GrapheneOS, a Fairphone, or a device on LineageOS — stripped of the always-on Google services layer.
- Open firmware laptops: machines that can run coreboot or open BIOS, such as Purism and System76 hardware.
- Physical kill switches: real hardware cut-offs for camera, microphone, and radios — the Librem Key and Purism laptops are built around this idea.
Be realistic about where to start. For most people, a de-Googled Pixel with GrapheneOS is the practical entry point that buys the most privacy per hour invested; GrapheneOS only supports Pixel hardware precisely because those devices expose the verified-boot and secure-element features it relies on. A hardened Linux laptop running Tails OS, which routes everything through Tor and forgets the whole session at shutdown, is the next tier: for genuinely higher-risk situations, not a default everyone needs.
How to integrate all five pillars into one perimeter
The five foundations — privacy practice, data sovereignty, network obfuscation, hardware trust, and encryption — are weak alone and strong stacked. Each layer covers the failure mode of the one above it:
- Hardware layer: de-Googled device, open BIOS where possible, physical kill switches.
- OS layer: a privacy-hardened operating system (GrapheneOS, Fedora Silverblue, or Tails for amnesic sessions).
- Network layer: always-on VPN, Tor for sensitive work, MAC randomisation, non-logging DNS.
- Application layer: self-hosted infrastructure (Nextcloud, Matrix, your own email) with E2EE throughout.
- Identity layer: compartmentalised personas held apart by aliasing services.
Read the stack top to bottom and you’ll see the logic: an intruder has to defeat every layer to reach you, and you only had to build each one once. Deeper field guides, covering privacy practice foundations, self-hosting from Raspberry Pi to rack, and the air-gapped protocol, exist for when you’re ready to go one layer deeper.
Frequently asked questions
Do I really need to self-host everything?
No. Self-host your highest-risk data — communications, financial records, sensitive documents. For lower-risk material, a privacy-focused provider with real E2EE and a no-log policy (Proton, Tutanota) is a reasonable trade. The difference is trust: those services ask you to believe their claims; self-hosting removes the need to believe anyone. Match the effort to the asset.
Is a VPN enough to stay private?
No. A VPN is one layer, not the foundation. It hides your IP from sites and your destinations from your ISP. It does nothing about what you do once you arrive, about malware, or about an unencrypted laptop. Treat it as the network layer of a stack that also includes encryption, compartmentalisation, and hardened hardware.
Can I use Tor for everyday browsing?
You can, but you probably won’t keep it up — it’s slower by design. Reserve Tor for high-risk activity where its stronger anonymity earns the friction. For ordinary browsing, a VPN plus MAC randomisation plus DNS-over-HTTPS is fast and sufficient. The best privacy setup is the one you’ll actually maintain.
What if my self-hosted server gets physically stolen?
Full-disk encryption (LUKS on Linux, BitLocker on Windows) makes stolen hardware useless without your passphrase. Pair it with a genuinely strong passphrase and the data stays locked in a thief’s hands. For your most sensitive material, keep a copy on an air-gapped device that never touches a network at all.
How do I know if a tool actually respects my privacy?
Look for three things and ignore the marketing: open-source code you or an auditor can read, published independent security audits, and a clear no-log policy with transparent data retention. Claims are free. Verifiable code and third-party audits are the only signals that cost something to fake.
You started reading this because something private felt slightly exposed — and that instinct was correct. The data was always leaving; you just couldn’t see the door it left through. Now you can. You don’t have to vanish, build a bunker, or learn to code. You have to make a handful of deliberate decisions about who gets which part of you, starting with one risk signal model and one separated identity this week. That’s not paranoia. That’s ownership. You’re not the product anymore — you’re the person who decides.