Privacy Glossary
572 terms covering encryption, networking, security, and digital privacy. Understand the language of online privacy.
A
Access Control List
Cloud: A list of permissions attached to a resource that specifies which users or systems can access it and what operations each may perform.
Account Takeover
Attacks: A form of identity theft where criminals gain unauthorized access to a victim's online accounts — email, banking, social media, or shopping — by using stolen credentials, SIM swapping, or social engineering to lock out the real owner and exploit the account.
Ad Tech Ecosystem
Surveillance: The network of companies, technologies, and data flows that power online advertising — the largest commercial surveillance infrastructure ever built, tracking billions of people across the web.
ADPPA (American Data Privacy and Protection Act)
Legal: A proposed comprehensive federal privacy law that would create nationwide data privacy standards for the United States — including data minimization requirements, civil rights protections, and a limited private right of action — but has repeatedly stalled in Congress.
Adversary
OpSec: Any entity that poses a threat to your privacy or security, from advertisers and data brokers to criminals and government agencies. Naming your adversaries, and what each one can actually do, is the first step of threat modeling.
Advertising ID
Surveillance: A unique, resettable identifier assigned to your mobile device by the operating system (Apple's IDFA, Google's Android Advertising ID), used by apps and advertisers to track your behavior across applications. Resetting or disabling it cuts the link going forward but does not erase profiles already built.
AES
Encryption: Advanced Encryption Standard, the symmetric block cipher standardized by NIST in 2001 (FIPS 197) with 128-, 192-, and 256-bit keys, adopted by the U.S. government and used worldwide. It is the default choice for encrypting sensitive data, from HTTPS to disk encryption. On its own AES only transforms one 128-bit block at a time; its security in practice depends on the mode of operation it is used in.
AES-GCM
Encryption: A mode of AES that provides both confidentiality and authentication in a single operation (an AEAD mode), and the most common cipher in TLS 1.2 and 1.3. Full-disk encryption usually uses AES-XTS instead, because sector-level encryption has nowhere to store GCM's authentication tag. The critical caveat: never reuse a nonce under the same key, since a repeated nonce reveals the XOR of the two plaintexts and can expose the authentication key, allowing forgeries.
Age Verification Mandate
Legal: Government requirements that websites and apps verify the age of their users — ostensibly to protect children, but creating mass identity verification infrastructure that threatens anonymous internet use.
AI Agent Privacy
AI & Automation: The privacy risks created by autonomous AI agents that can browse the web, send emails, make purchases, and access files on your behalf — expanding the attack surface far beyond simple chatbots. An agent that reads untrusted web content can also be steered by prompt injection into misusing that access.
AI Hiring Discrimination
AI & Automation: The use of AI in hiring processes that can systematically discriminate against candidates based on protected characteristics inferred from resumes, video interviews, social media, and other data.
AI Scraping
AI & Automation: The large-scale collection of text, images, code, and personal data from the internet by AI companies to train machine learning models — often without consent or compensation.
AI Surveillance
Emerging Threats: The use of artificial intelligence to automate and scale surveillance activities including facial recognition, behavior prediction, and communications monitoring.
AI Tax Agent
AI & Automation: An AI-powered system that automates tax preparation, filing, and financial analysis — raising serious privacy concerns as it requires access to your complete financial life.
AI Voice Cloning
AI & Automation: Technology that uses artificial intelligence to create a synthetic replica of someone's voice from just seconds of audio, enabling realistic fake phone calls and audio messages. A familiar voice is no longer proof of who is calling; verify urgent requests through a separate channel.
AI-Powered Phishing
AI & Automation: Phishing attacks enhanced by artificial intelligence that can generate highly personalized, grammatically perfect social engineering messages at scale — making them far harder to detect than traditional phishing.
Air Gap
Security: A security measure that physically isolates a computer or network from the internet and other unsecured networks. An air-gapped system has no wired or wireless connections to the outside world, which rules out remote network attacks, but not attacks that cross the gap on removable media or through the supply chain (Stuxnet reached air-gapped systems on USB drives), so strict handling of media and updates is part of the measure.
Air-Gapped Computer
Hardware: A computer that is physically isolated from the internet and all other networks, used for handling the most sensitive data and cryptographic operations.
Airplane Mode
Mobile: A device setting that disables the cellular, WiFi, and Bluetooth radios. Implementations vary: GPS is a receiver and is usually left running, WiFi and Bluetooth can often be turned back on while airplane mode stays enabled, and a device with no network access still records activity that is uploaded once a connection returns.
Algorithmic Accountability
AI & Automation: The principle that organizations should be responsible for the outcomes of their automated systems — including bias, discrimination, and harm — and subject to oversight, transparency, and redress.
Ambient Listening
Emerging Threats: The practice of always-on microphones in smart devices continuously monitoring audio in your environment — ostensibly waiting for wake words, but creating a persistent surveillance channel in your home.
AML/KYC & Privacy
Financial Privacy: The tension between Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations — designed to prevent financial crime — and individual privacy rights, as these compliance requirements create vast databases of personal financial information and enable mass financial surveillance.
Anonymity
Concepts: The state of being unidentifiable or untraceable. In privacy contexts, anonymity means your actions cannot be linked back to your real identity—no one can connect your online activity to who you are.
Anonymity Set
Anonymity: The group of users among whom an individual cannot be distinguished. The larger the anonymity set, the stronger the anonymity—if you're one of a million identical users, you're hard to identify. If you're one of ten, much easier. It is often measured in bits: hiding among 2^20 indistinguishable users gives about 20 bits of anonymity, and every attribute an observer learns about you shrinks the set.
Anonymization
Data Protection: The process of removing or transforming personally identifiable information in a dataset so that individuals cannot be re-identified. The hard part is that the remaining attributes often still single people out: roughly 87% of the U.S. population is uniquely identified by ZIP code, date of birth, and sex alone, so a dataset is only anonymized relative to the auxiliary data an attacker could join it with. Unlike pseudonymization, which swaps identifiers for a reversible token, proper anonymization is meant to be irreversible.
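Worked example for the two entries above (Anonymity Set and Anonymization). This is an added illustration, not code from the glossary: it measures k-anonymity and the anonymity set of a record over a constructed "anonymized" medical table, then runs the classic linkage attack by joining it with a constructed public dataset on the quasi-identifiers. The records, the auxiliary list, and the generalization rule are all made up for the example.

```python
"""k-anonymity and a linkage (re-identification) attack on 'anonymized' records.

Added example, not from the glossary. All records and the auxiliary dataset
are constructed.
"""
from collections import Counter, defaultdict

# Constructed medical records with names and SSNs already stripped. What remains
# (ZIP, date of birth, sex) are quasi-identifiers: harmless alone, identifying together.
RECORDS = [
    {"zip": "02139", "dob": "1965-07-21", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1965-07-21", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1965-02-03", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1966-11-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1966-01-09", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "dob": "1965-09-12", "sex": "M", "diagnosis": "flu"},
]

# Constructed public dataset (think voter roll) that an attacker can buy or scrape.
AUXILIARY = [
    {"name": "Alice", "zip": "02139", "dob": "1965-07-21", "sex": "F"},
    {"name": "Bob", "zip": "02141", "dob": "1965-09-12", "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def exact(record):
    """No generalization: use the quasi-identifiers exactly as released."""
    return {q: record[q] for q in QUASI_IDENTIFIERS}


def coarse(record):
    """Generalization: 3-digit ZIP prefix, birth year only, sex suppressed."""
    return {"zip": record["zip"][:3], "dob": record["dob"][:4]}


def qi_key(record, generalize=exact):
    return tuple(sorted(generalize(record).items()))


def equivalence_classes(records, generalize=exact):
    """Group records that are indistinguishable on the quasi-identifiers."""
    return Counter(qi_key(r, generalize) for r in records)


def k_anonymity(records, generalize=exact):
    """The dataset is k-anonymous for k = the size of its smallest class."""
    return min(equivalence_classes(records, generalize).values())


def anonymity_set(records, target, generalize=exact):
    """How many released records the target record hides among."""
    return equivalence_classes(records, generalize)[qi_key(target, generalize)]


def reidentify(records, auxiliary, generalize=exact):
    """Linkage attack: join on the quasi-identifiers; a unique match names the patient."""
    by_key = defaultdict(list)
    for r in records:
        by_key[qi_key(r, generalize)].append(r)
    found = {}
    for person in auxiliary:
        matches = by_key.get(qi_key(person, generalize), [])
        if len(matches) == 1:
            found[person["name"]] = matches[0]["diagnosis"]
    return found


if __name__ == "__main__":
    print("k (as released):", k_anonymity(RECORDS))            # 1: every row is unique
    print("re-identified:", reidentify(RECORDS, AUXILIARY))     # names mapped to diagnoses
    print("k (generalized):", k_anonymity(RECORDS, coarse))     # 2
    print("re-identified after generalization:", reidentify(RECORDS, AUXILIARY, coarse))
```

As released, the table has k = 1 and both auxiliary entries link to a diagnosis even though no name or SSN was ever published; after generalizing the quasi-identifiers every record shares its class with at least one other and the join returns nothing. Real datasets need larger k and also protection against the case where everyone in a class has the same sensitive value.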
Anonymous Email
Email: Email accounts and services designed to protect the sender's identity — ranging from encrypted email providers that don't require personal information to sign up, to temporary disposable addresses and onion-routed email services accessible via Tor.
Anonymous LLC
Legal: A limited liability company formed in a state that does not require member or manager names in public filings, combined with a professional registered agent as the public address — so the real owner's identity is absent from the state's public record from day one.
Anonymous Payment Methods
Financial Privacy: Ways to pay for goods and services without revealing your identity — including cash, privacy cryptocurrencies, prepaid cards, and gift cards purchased with cash.
Anti-Forensics
OpSec: Techniques used to prevent, disrupt, or mislead digital forensic investigations by destroying evidence or making analysis difficult.
API Key
Authentication: A unique secret string used to authenticate requests to an API. A leaked key grants whatever the key is permitted to do until it is revoked, so keys should be scoped to the minimum permissions, rotated, kept out of source code, and watched for with secret scanning.
App Permissions
Mobile: Controls that determine what data and device features an app can access, including contacts, camera, microphone, location, and storage.
Argon2
Encryption: The winner of the 2015 Password Hashing Competition, designed to resist GPU and ASIC cracking by requiring a large amount of memory for every hash computed. Its memory, time (iteration), and parallelism costs are tunable; the Argon2id variant is the recommended choice for storing passwords.
Asset Protection
Legal: Legal strategies to shield personal and business assets from lawsuits, creditors, and other claims, often using LLCs, trusts, and multi-jurisdiction structures.
Astroturfing
AI & Automation: The practice of creating the false appearance of grassroots public support or opposition for a cause, product, or political position, typically by coordinating fake accounts, paid advocates, or front organizations to simulate organic activity.
Asymmetric Encryption
Encryption: An encryption method using a pair of mathematically related keys: a public key for encryption and a private key for decryption. The same kind of key pair works the other way round for digital signatures (sign with the private key, verify with the public one). It solves the key distribution problem of symmetric encryption, but is far slower, which is why protocols use it to agree on a symmetric session key rather than to encrypt bulk data.
Atomic Swap
Blockchain: A peer-to-peer exchange of one cryptocurrency for another without a centralized exchange, typically built on hash time-locked contracts so that either both legs of the trade complete or both parties are refunded. It preserves privacy by avoiding the KYC requirements of an exchange.
Attack Surface
Attacks: The sum of all points where an unauthorized user could attempt to enter a system or extract data from it. Shrinking it (disabling unused services, removing dependencies, closing ports) is among the cheapest security measures available.
Audit
Concepts: A systematic review or assessment of systems, processes, or data to verify compliance, identify vulnerabilities, or ensure accuracy. In privacy contexts, audits evaluate how an organization collects, uses, and protects personal data.
Authenticated Encryption
Encryption: An encryption method that simultaneously provides confidentiality, integrity, and authenticity, so that any modification of the ciphertext is detected. The common form, AEAD (authenticated encryption with associated data), also authenticates unencrypted header data such as a packet counter. A correct implementation verifies the authentication tag before releasing any plaintext.
Authentication
Security: The process of verifying that someone or something is who or what they claim to be. Authentication answers 'Are you who you say you are?'—distinct from authorization, which answers 'What are you allowed to do?'
Authentication Token
Authentication: A piece of data that proves a user's identity to a system, typically issued after successful login and sent with subsequent requests. Whoever holds the token is that user as far as the system is concerned, so it needs the same protection as a password and a short lifetime.
Automated Decision-Making
AI & Automation: The use of algorithms and AI systems to make decisions about individuals — including credit approval, hiring, insurance pricing, benefits eligibility, criminal sentencing, and content moderation — often without human oversight, transparency, or the ability to appeal.
B
Backdoor
Security: A hidden method of bypassing normal authentication or encryption in a computer system. Backdoors may be intentionally built in (for maintenance or surveillance) or secretly inserted by attackers. In privacy contexts, backdoors refer to deliberate weaknesses that allow authorities to access encrypted data.
Bandwidth Throttling
Networking: The intentional slowing of internet speeds by an ISP, often targeting specific services like streaming or VPN traffic.
Baseband Processor
Mobile: A separate processor in your phone that handles all cellular communication and runs its own closed-source firmware that the main operating system cannot inspect. Depending on the design it may share memory with, or have privileged access to, the application processor, microphone, and GPS, which makes a compromised baseband hard to detect from within the phone.
Beneficial Ownership Information (BOI)
Legal: Data identifying the real individuals who ultimately own or control a legal entity — required by FinCEN under the Corporate Transparency Act (CTA) until March 2025, when all U.S.-formed companies were exempted from reporting.
Best Privacy Browser
Browsers: A comparison of web browsers ranked by their privacy protections, including tracking prevention, fingerprinting resistance, and data collection practices.
BGP Hijacking
Networking: An attack where a network falsely announces ownership of IP address ranges, rerouting internet traffic through attacker-controlled infrastructure. Route origin validation with RPKI lets networks reject such announcements, but adoption is still incomplete.
Big Brother
Surveillance: A cultural reference from George Orwell's 1984 describing a government that exercises total surveillance and control over its citizens, now used to describe real-world surveillance overreach.
Big Tech
Surveillance: The dominant technology companies — primarily Google, Apple, Meta, Amazon, and Microsoft — whose products and services collect unprecedented amounts of personal data.
Biometric Authentication
Authentication: Using physical characteristics like fingerprints, face geometry, iris patterns, or voice to verify identity.
Biometric Database
Emerging Threats: A centralized collection of biometric data (fingerprints, face scans, iris patterns) that once breached cannot be remediated because biometric data cannot be changed.
Biometric Mass Surveillance
Surveillance: The deployment of biometric identification systems — facial recognition cameras, gait analysis, voice recognition, and other body-based identification — across public spaces to identify, track, and monitor populations in real time without individual consent.
Biometrics
Authentication: Authentication using unique physical or behavioral characteristics like fingerprints, facial features, iris patterns, or voice. While convenient, biometrics have a fundamental problem: you can't change them if compromised, and they are not secrets, since you leave fingerprints and show your face everywhere.
BIPA (Biometric Information Privacy Act)
Legal: Illinois' groundbreaking 2008 biometric privacy law that requires companies to obtain informed consent before collecting fingerprints, facial scans, or other biometric data — and allows individuals to sue for violations, resulting in billions of dollars in settlements.
Block Cipher
Encryption: An encryption algorithm that processes data in fixed-size blocks (128 bits for AES), used as the foundation for most symmetric encryption systems. Encrypting anything longer than one block requires a mode of operation such as CTR, GCM, or XTS; the naive ECB mode, which encrypts each block independently, leaks patterns in the plaintext and should not be used.
Blockchain Analysis
Blockchain: Techniques for tracing cryptocurrency transactions on public blockchains to identify users, used by law enforcement and compliance firms.
Blockchain Surveillance
Blockchain: The practice of analyzing public blockchain transactions to identify, track, and de-anonymize cryptocurrency users — conducted by companies like Chainalysis, Elliptic, and CipherTrace that sell surveillance tools to governments, law enforcement, and financial institutions.
Botnet
Attacks: A network of compromised devices controlled by an attacker, used for DDoS attacks, spam, cryptocurrency mining, or distributed credential stuffing.
Boundless Informant
Surveillance: A secret NSA tool revealed by Edward Snowden that tracks and visualizes the billions of phone calls and emails the agency collects worldwide — contradicting the NSA's claims that it couldn't quantify how much domestic data it was collecting.
Brain-Computer Interface Privacy
Emerging Threats: The privacy implications of neural interface technology (Neuralink, etc.) that can read brain signals — raising unprecedented questions about the privacy of thoughts, emotions, and cognitive processes.
Browser Extension Security
Browsers: The risks of browser extensions, which run with access to the pages you visit, can read or modify their contents, and can therefore exfiltrate sensitive information. Extensions also change hands: a trusted extension sold to a new owner can turn malicious with its next update, so install few and review their permissions.
Browser Fingerprinting
Browsers: A tracking technique that collects information about your browser, device, and settings (fonts, screen size, graphics rendering, time zone, and many more) to derive a unique identifier. Unlike a cookie, a fingerprint is computed by the website rather than stored on your device, so there is nothing to delete, and it can track you across websites without your knowledge or consent.
Browser Isolation
Browsers: A security technique that runs web browsing in an isolated environment, preventing malicious websites from accessing your device or local network.
Brute Force Attack
Attacks: A trial-and-error method of recovering a password or encryption key by systematically trying every possible value until the correct one is found. Simple in concept, it becomes impractical against long, random secrets: a 128-bit key has 2^128 possibilities, far beyond any feasible search, while a short or guessable password can fall in seconds. The defenses are rate limiting and lockout for online guessing, and slow, memory-hard password hashing such as Argon2 for offline cracking of stolen hashes.
Bug Bounty
Cloud: A program where organizations pay security researchers for responsibly disclosing vulnerabilities, encouraging ethical hacking rather than exploitation.
Burner Device
OpSec: A temporary device purchased anonymously and used for a specific purpose, then discarded to prevent it from being linked to your identity.
Burner Phone
Anonymity: A prepaid mobile phone intended for temporary use and easy disposal, typically purchased with cash to avoid identity linking. Used for privacy-sensitive communications where the phone and SIM can be discarded after use.
Business Email Compromise
Attacks: A sophisticated scam where criminals impersonate executives, vendors, or business partners via email to trick employees into wiring money or sharing sensitive data — the FBI's most costly cybercrime category, with $2.9 billion in reported losses in 2023 according to the FBI's Internet Crime Report.
C
California Delete Act
Legal: A 2023 California law (SB 362) that creates a single mechanism for consumers to request deletion of their personal data from all data brokers at once — rather than contacting hundreds of brokers individually — through a state-run deletion portal.
Caller ID Spoofing
Attacks: The practice of falsifying the phone number displayed on a recipient's caller ID to disguise the caller's identity — used by scammers to impersonate banks, government agencies, and known contacts to trick victims into answering and sharing information. Caller ID is not authenticated end to end, so a displayed number is never proof of who is calling.
CalyxOS
Mobile: A privacy-focused Android operating system that includes microG for Google compatibility while removing Google's tracking, easier to use than GrapheneOS.
Cambridge Analytica
Surveillance: A political consulting firm that harvested personal data from up to 87 million Facebook users without consent to build psychological profiles and target voters with personalized political advertising during the 2016 US election.
Canary Trap
OpSec: A method for identifying information leaks by providing each suspected source with a slightly different version of the same sensitive information; whichever version surfaces identifies the leaker.
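Worked example for the Canary Trap entry above. This is an added illustration, not code from the glossary: a memo template with a few interchangeable phrasings encodes a recipient number in the combination of phrasings chosen, and a leaked copy (even a partial excerpt) is decoded back to the set of recipients it could have come from. The template, the phrasing slots, and the recipient names are constructed for the example.

```python
"""Canary trap: give each recipient a distinguishable variant, then decode a leak.

Added example, not from the glossary. The memo template, the phrasing slots and
the recipient list are constructed.
"""
import math

TEMPLATE = ("The {0} review is scheduled for {1}; please keep the {2} "
            "confidential until the {3} announcement.")
# Each slot holds interchangeable phrasings; the chosen combination encodes the recipient.
SLOTS = [
    ("quarterly", "Q3"),
    ("Monday", "the 14th", "next week"),
    ("figures", "numbers"),
    ("official", "public", "formal"),
]


def variant_count():
    """Number of distinguishable copies: the product of the slot sizes."""
    return math.prod(len(options) for options in SLOTS)


def choices_for(variant_id):
    """Mixed-radix decode of a variant id into one option index per slot."""
    if not 0 <= variant_id < variant_count():
        raise ValueError("variant id out of range")
    indices, n = [], variant_id
    for options in SLOTS:
        n, idx = divmod(n, len(options))
        indices.append(idx)
    return indices


def render(variant_id):
    words = [SLOTS[i][idx] for i, idx in enumerate(choices_for(variant_id))]
    return TEMPLATE.format(*words)


def distribute(recipients):
    """Map each recipient to a distinct variant id (this map is the secret)."""
    if len(recipients) > variant_count():
        raise ValueError("more recipients than distinguishable variants")
    return {name: i for i, name in enumerate(recipients)}


def observed_choices(leaked_text):
    """Per slot, the index of the single option found in the leak, or None when
    the excerpt omitted that part or the leaker edited it."""
    observed = []
    for options in SLOTS:
        present = [i for i, opt in enumerate(options) if opt in leaked_text]
        observed.append(present[0] if len(present) == 1 else None)
    return observed


def suspects(leaked_text, distribution):
    """Recipients whose variant agrees with every slot recoverable from the leak."""
    observed = observed_choices(leaked_text)
    return [name for name, vid in distribution.items()
            if all(o is None or o == a for o, a in zip(observed, choices_for(vid)))]


if __name__ == "__main__":
    handed_out = distribute(["alice", "bob", "carol", "dave", "erin"])
    for name, vid in handed_out.items():
        print(f"{name}: {render(vid)}")
    print(suspects("review is scheduled for the 14th; please keep the figures", handed_out))
```

A full leaked copy resolves to one name; a short excerpt narrows the field to the recipients consistent with it. The phrasings must be innocuous enough that recipients cannot spot them, because two recipients who compare copies will see exactly which words differ.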
Canvas Fingerprinting
Browsers: A browser fingerprinting technique that draws text and shapes into a hidden HTML5 Canvas element and reads the pixels back; small differences in GPU, graphics driver, installed fonts, and anti-aliasing make the rendered image, and therefore its hash, distinctive to a device.
Capital One Data Breach
Data Protection: A 2019 data breach in which a former Amazon Web Services employee exploited a misconfigured web application firewall on Capital One's cloud infrastructure, using server-side request forgery to obtain cloud credentials from the instance metadata service, and stole personal data of over 100 million Capital One credit card applicants, including Social Security numbers and bank account numbers.
CAPTCHA
Browsers: A test designed to distinguish humans from bots, which increasingly uses behavioral analysis and tracking that creates privacy concerns.
Captive Portal
Networking: A web page that forces users to interact with it before granting internet access, commonly used in hotel, airport, and cafe WiFi networks.
Carnivore/DCS1000
Surveillance: An FBI surveillance system designed to monitor internet traffic by tapping into ISP networks, the predecessor to modern mass surveillance programs.
Cash Elimination
Financial Privacy: The systematic push to phase out physical currency (cash and coins) in favor of exclusively digital payment systems — removing the last truly private, permissionless form of payment.
Cashless Society
Emerging Threats: A society where physical cash is eliminated in favor of digital payments, removing the last truly anonymous payment method available to citizens.
CBDC
Emerging Threats: Central Bank Digital Currency — a digital form of government-issued money that, unlike cash, can be programmed, tracked, and controlled by the issuing authority.
CBDC Privacy Concerns
Emerging Threats: Risks to financial privacy posed by Central Bank Digital Currencies, which could enable governments to track, control, and potentially restrict every financial transaction.
CCPA
Legal: The California Consumer Privacy Act grants California residents rights over their personal information, including the right to know what data is collected, delete it, opt out of its sale, and not be discriminated against for exercising these rights.
Censorship Resistance
Networking: The property of a communication system or technology that makes it difficult or impossible for any authority to prevent the creation, transmission, or access of information — a core design goal of technologies like Tor, blockchain, IPFS, and end-to-end encryption.
Certificate
Encryption: A digital document that binds a cryptographic key to an identity (person, organization, or device). Certificates enable trusted encryption and verification—they're the foundation of HTTPS and secure communications.
Certificate Authority
Encryption: An organization trusted by browsers and operating systems to issue digital certificates that verify the identity of websites, enabling HTTPS encrypted connections. Any trusted CA can issue a certificate for any domain, which is why a compromised or rogue CA is a system-wide risk and why Certificate Transparency exists.
Certificate Pinning
Authentication: A security technique where an application only accepts specific TLS certificates or public keys for a given server, defeating man-in-the-middle attacks that use otherwise valid certificates from a compromised or coerced CA. Pins normally cover the server's public key (SPKI) rather than the whole certificate and include a backup pin; otherwise a routine certificate rotation locks users out of the app.
Certificate Transparency
Encryption: A public, append-only logging system for TLS certificates. Browsers require certificates to be logged, so domain owners who monitor the logs can detect unauthorized certificates issued for their domains.
ChaCha20-Poly1305
Encryption: A modern authenticated encryption algorithm that pairs the ChaCha20 stream cipher with the Poly1305 authenticator, providing both confidentiality and integrity. It is widely used as an alternative to AES-GCM in TLS, SSH, and WireGuard, and is faster on devices without hardware AES support. Like AES-GCM it must never reuse a nonce under the same key.
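Worked example for the AES-GCM, Authenticated Encryption, and ChaCha20-Poly1305 entries. This is an added illustration, not code from the glossary, and it is deliberately not AES-GCM or ChaCha20-Poly1305: to stay within Python's standard library it builds an encrypt-then-MAC AEAD from HMAC-SHA256 (a counter-mode keystream plus a tag over nonce, associated data and ciphertext). What it demonstrates is the AEAD contract those real algorithms share: the tag is checked before any plaintext is released, any change to ciphertext, associated data or nonce is rejected, and reusing a nonce leaks the XOR of two plaintexts. The key, nonce, and messages in the test are constructed values; production code should use a vetted library's AEAD.

```python
"""Authenticated encryption (AEAD) built from Python's standard library.

Added example: an encrypt-then-MAC construction from HMAC-SHA256 that shows the
AEAD contract. It is NOT AES-GCM or ChaCha20-Poly1305; use a real AEAD from a
vetted library in production.
"""
import hashlib
import hmac
import os

TAG_LEN = 16
NONCE_LEN = 12


def _subkeys(key):
    # Derive independent encryption and MAC keys from the master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream PRF(nonce || counter), the same shape as CTR, GCM and ChaCha20.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _tag(mac_key, nonce, aad, ciphertext):
    # The tag covers AAD length, AAD, nonce and ciphertext, so none of them can be altered.
    m = hmac.new(mac_key, digestmod=hashlib.sha256)
    for part in (len(aad).to_bytes(8, "big"), aad, nonce, ciphertext):
        m.update(part)
    return m.digest()[:TAG_LEN]


def seal(key, nonce, plaintext, aad=b""):
    """Return ciphertext || tag. The AAD is authenticated but not encrypted."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext + _tag(mac_key, nonce, aad, ciphertext)


def unseal(key, nonce, sealed, aad=b""):
    """Verify the tag first, and only then decrypt. Raises ValueError on any tampering."""
    if len(sealed) < TAG_LEN:
        raise ValueError("authentication failed")
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ciphertext)):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_detected(key, nonce, sealed, aad=b""):
    """True if unseal rejects the message (modified ciphertext, tag, AAD or nonce)."""
    try:
        unseal(key, nonce, sealed, aad)
    except ValueError:
        return True
    return False


def nonce_reuse_leak(key, nonce, m1, m2):
    """Two messages under one (key, nonce) pair leak m1 XOR m2: the identical
    keystream cancels out, so knowing either plaintext reveals the other."""
    c1 = seal(key, nonce, m1)[:len(m1)]
    c2 = seal(key, nonce, m2)[:len(m2)]
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    box = seal(key, nonce, b"attack at dawn", aad=b"msg-id:42")
    print(unseal(key, nonce, box, aad=b"msg-id:42"))
    print(tamper_detected(key, nonce, bytes([box[0] ^ 1]) + box[1:], aad=b"msg-id:42"))
```

The nonce_reuse_leak function is the part worth dwelling on: it is the same failure that breaks AES-GCM and ChaCha20-Poly1305 in practice, and it is why real deployments derive a fresh nonce per message from a counter or a random value of sufficient length.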
Chain Analysis (Blockchain Surveillance)
Crypto: The use of specialized software tools and techniques to trace cryptocurrency transactions across a public blockchain, link wallet addresses to real-world identities, and reconstruct the movement of funds.
Change Healthcare Breach
Data Protection: A February 2024 ransomware attack on UnitedHealth Group's Change Healthcare subsidiary that exposed the medical and personal data of over 100 million Americans — the largest healthcare data breach in US history.
Chat Control
Legal: An EU legislative proposal that would require messaging services to scan all user communications for child sexual abuse material (CSAM), raising concerns about end-to-end encryption and mass surveillance.
Chatbot Privacy
AI & Automation: The privacy implications of interacting with AI chatbots — including what data is collected during conversations, how it's stored, who can access it, and whether it's used to train future AI models.
Cipher
Encryption: An algorithm for performing encryption or decryption. Ciphers transform plaintext into ciphertext (encryption) and back again (decryption) using a key. Modern ciphers are mathematically designed to resist all known attacks.
Cipher Suite
Encryption: A named combination of algorithms used together in a TLS connection. In TLS 1.2 a suite specifies the key exchange, authentication, bulk encryption, and integrity methods (for example ECDHE-RSA with AES-128-GCM and SHA-256); TLS 1.3 trimmed suites down to the AEAD cipher and hash, negotiates key exchange separately, and dropped the weak options.
Ciphertext
Encryption: The encrypted, unreadable output produced when plaintext is processed through an encryption algorithm with a key. Ciphertext appears as random data and can only be converted back to plaintext with the correct decryption key.
Citizenship by Investment (CBI)
Legal: Government programs that grant citizenship or permanent residency to foreign nationals in exchange for a significant economic contribution — typically a donation, real estate purchase, or business investment.
Clickjacking
Attacks: An attack that tricks users into clicking on something different from what they perceive, by layering transparent or opaque elements over a web page, typically by loading the target site in an invisible iframe under the attacker's own content. Sites defend against it by refusing to be framed, using the Content Security Policy frame-ancestors directive or the older X-Frame-Options header.
Client-Side Scanning
Encryption: Scanning content on a user's device — before or after encryption — to detect prohibited material, often proposed for child safety but criticized as a backdoor that undermines end-to-end encryption.
CLOUD Act
Legal: A US law that allows federal law enforcement to compel US-based technology companies to provide data stored on servers regardless of where the data is physically located.
CoinJoin
Blockchain: A Bitcoin privacy technique that combines multiple users' transactions into a single transaction, making it difficult to determine which inputs correspond to which outputs.
COINTELPRO
Surveillance: A series of covert FBI programs from 1956 to 1971 that surveilled, infiltrated, discredited, and disrupted domestic political organizations — including civil rights groups, anti-war movements, and Black liberation organizations led by figures like Martin Luther King Jr.
Cold Boot Attack
Attacks: A technique for extracting encryption keys from a computer's RAM by physically accessing the memory after a shutdown or reboot, exploiting the fact that DRAM retains its contents for seconds to minutes after power loss, longer if chilled. Sleep mode leaves keys in memory; fully powering off and using hardware that wipes memory on reset limit the exposure.
Cold Storage
Security: Keeping cryptographic keys or digital assets offline, disconnected from the internet. Cold storage prioritizes security over convenience—keys can't be hacked remotely because they're not connected to any network.
Colonial Pipeline Attack
Attacks: A May 2021 ransomware attack by the DarkSide group that shut down the largest fuel pipeline in the United States for six days, causing fuel shortages across the East Coast and demonstrating how cyberattacks can disrupt critical infrastructure.
Colorado Algorithmic Accountability Act
Legal: A state law, effective February 2026, that requires businesses to assess high-risk automated decision systems for algorithmic discrimination before deployment and on an ongoing basis.
Common Reporting Standard (CRS)
Legal: A global automatic tax information sharing system created by the OECD that requires participating countries to exchange foreign financial account data with each other.
Compartmentalization
OpSec: The practice of separating different activities, identities, or data into isolated compartments so that a compromise in one doesn't affect the others.
Confidential Computing
Cloud: A technology that protects data while it is being processed by keeping it inside a hardware-protected enclave that even the host's administrator and operating system cannot read. Remote attestation lets a client verify which code is running in the enclave before sending it any data.
Connected Car Privacy
Emerging Threats: The privacy risks created by modern vehicles that collect and transmit vast amounts of data — including location history, driving behavior, cabin conversations, biometric data, and even your weight.
Consent Fatigue
Data Protection: The exhaustion and desensitization that occurs from being bombarded with privacy consent requests — cookie banners, terms of service, app permissions — leading people to blindly accept everything just to make the prompts stop.
Consent Management
Legal: Systems and processes for collecting, recording, and managing user consent for data collection and processing, required by GDPR and similar laws.
Container Security
Cloud: Practices for securing containerized applications, ensuring that the isolation, image integrity, and runtime behavior of containers protect against threats.
Content Security Policy (CSP)
Browsers: An HTTP response header that tells the browser which sources of scripts, styles, images, frames, and other content may load on a page, and which sites may frame it, limiting the damage from cross-site scripting and blocking clickjacking. A policy is only as strong as its weakest directive: allowing 'unsafe-inline' or wildcard sources for scripts leaves XSS largely unmitigated.
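Worked example for the Content Security Policy entry above and the Clickjacking entry earlier in this section. This is an added illustration, not code from the glossary: a small evaluator that parses a CSP header and decides whether a given script, image or framing attempt is allowed, following the rules that matter most in practice ('self', 'none', 'unsafe-inline', scheme, host and wildcard-subdomain sources; fetch directives fall back to default-src, frame-ancestors does not). Nonces, hashes and 'strict-dynamic' are left out. The two policies and the page origin are constructed for the example; the weak one is the kind of policy that satisfies a scanner while protecting nothing.

```python
"""Evaluate a Content-Security-Policy header against candidate resource loads.

Added example, not from the glossary. Covers the common source expressions and
the default-src fallback; nonces, hashes and 'strict-dynamic' are omitted.
"""
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent; frame-ancestors does not.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "media-src", "object-src", "frame-src"}

WEAK_POLICY = "default-src * 'unsafe-inline'"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                   "object-src 'none'; frame-ancestors 'none'")
PAGE_ORIGIN = "https://app.example.com"    # constructed origin of the protected page


def parse_csp(header):
    """Header string -> {directive: [source expressions]} (names and sources lower-cased)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def _host_match(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):        # *.example.com matches a.example.com, not example.com
        return host is not None and host.endswith(pattern[1:])
    return pattern == host


def _source_allows(expr, url, page_origin):
    if expr == "'none'":
        return False
    if expr == "'self'":
        return _same_origin(url, page_origin)
    if expr.startswith("'"):             # other keywords ('unsafe-inline', ...) never match a URL
        return False
    target = urlsplit(url)
    if expr.endswith(":") and "/" not in expr:      # scheme-source such as https:
        return target.scheme == expr[:-1]
    if "://" in expr:                                # scheme://host[:port]
        pat = urlsplit(expr)
        return (pat.scheme == target.scheme
                and _host_match(pat.hostname, target.hostname)
                and (pat.port is None or pat.port == target.port))
    host, _, port = expr.partition(":")              # bare host[:port]
    return _host_match(host, target.hostname) and (not port or port == str(target.port))


def allowed_sources(policy, directive):
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """May the page load `url` under `directive`? Absent directive (and no fallback) means yes."""
    sources = allowed_sources(policy, directive)
    if sources is None:
        return True
    return any(_source_allows(e, url, page_origin) for e in sources)


def allows_inline(policy, directive):
    """Inline scripts/styles are the XSS payload of choice; only 'unsafe-inline' permits them here."""
    sources = allowed_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def framing_allowed(policy, framer_origin, page_origin=PAGE_ORIGIN):
    """Clickjacking check: frame-ancestors has no fallback, so a missing directive allows any framer."""
    sources = policy.get("frame-ancestors")
    if sources is None:
        return True
    return any(_source_allows(e, framer_origin, page_origin) for e in sources)


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        p = parse_csp(header)
        print(label, "inline script:", allows_inline(p, "script-src"),
              "| evil script:", allows(p, "script-src", "https://evil.example.net/x.js"),
              "| framed by attacker:", framing_allowed(p, "https://attacker.example.net"))
```

Run the two policies side by side: the weak one permits inline scripts, scripts from any host, and framing by any site, while the hardened one restricts scripts to the page's own origin and one CDN, lets images fall back to 'self', blocks plugins, and refuses framing even by the page itself.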
Contextual Advertising
Data Protection: A form of digital advertising that targets ads based on the content of the page or app being viewed rather than the user's behavioral profile, browsing history, or personal data.
Controlled Foreign Corporation (CFC)
Legal: A foreign corporation where more than 50% of the voting power or value is owned by US shareholders, subjecting its US owners to immediate taxation on certain types of the corporation's income under Subpart F rules.
Cookie
Browsers: A small piece of data stored in your web browser by websites you visit. While cookies enable useful features like staying logged in, they're also used extensively for tracking your browsing activity across the web for advertising and analytics purposes.
Cookie Consent
Browsers: The requirement under EU law for websites to obtain user permission before setting non-essential cookies, resulting in the ubiquitous consent banners.
Cookie Wall
Browsers: A website practice that blocks access to content unless visitors accept all tracking cookies — effectively making consent mandatory rather than voluntary, which privacy regulators increasingly consider illegal under GDPR.
Cookies
Tracking: Small text files that websites store on your device. Cookies can remember login state, preferences, or shopping carts (first-party) — or track you across sites for advertising (third-party). They're one of the primary ways you're followed online.
COPPA
Legal: The Children's Online Privacy Protection Act, a US federal law that regulates the collection of personal information from children under 13.
Cover Traffic
OpSec: Dummy data transmitted alongside real communications to prevent traffic analysis from revealing when you're actually communicating.
CPRA (California Privacy Rights Act)
Legal: A 2020 California ballot measure that significantly strengthened the CCPA by creating a dedicated enforcement agency, adding rights to correct and limit data use, introducing the concept of 'sensitive personal information,' and establishing the California Privacy Protection Agency.
Credential Harvesting
Attacks: The practice of collecting login credentials through phishing pages, data breaches, malware, or social engineering.
Credential Stuffing
Authentication: An automated attack that replays username/password pairs stolen in one breach against other services, exploiting password reuse. Because each account sees only one or two attempts, per-account lockout does not catch it; detection has to look at the source instead, such as one IP address or botnet failing logins across many different accounts in a short window.
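Worked example for the Credential Stuffing entry above, and for the Account Takeover that follows a successful attempt. This is an added illustration, not code from the glossary: a detector that reads authentication log lines, keeps a sliding window of failed logins per source IP, raises an alert when one source fails against several different accounts, and then flags any later success from that source as a possible takeover. The log format and the sample lines are constructed for the example.

```python
"""Detect credential stuffing in authentication logs.

Added example, not from the glossary. The log format and the sample lines are
constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a normal user who mistypes once, then a single source trying
# many different usernames in quick succession and finally getting one right.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:02Z ip=198.51.100.7 user=alice result=OK
2024-05-01T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:08Z ip=203.0.113.5 user=grace result=OK
2024-05-01T10:15:00Z ip=203.0.113.5 user=heidi result=FAIL
"""


def parse(lines):
    """Yield parsed events; malformed lines are skipped rather than crashing the detector."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield e


def detect_credential_stuffing(lines, window=timedelta(minutes=5), distinct_users=5):
    """Alert on a source IP whose failed logins span >= distinct_users accounts
    inside a sliding window, and on any later success from that IP."""
    recent = defaultdict(deque)    # ip -> deque of (ts, user) for recent failures
    flagged = set()
    alerts = []
    for e in sorted(parse(lines), key=lambda ev: ev["ts"]):
        q = recent[e["ip"]]
        while q and e["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if e["result"] == "FAIL":
            q.append((e["ts"], e["user"]))
            users = {u for _, u in q}
            if len(users) >= distinct_users and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({"type": "credential_stuffing", "ip": e["ip"],
                               "distinct_users": len(users), "ts": e["ts"]})
        elif e["ip"] in flagged:
            alerts.append({"type": "possible_takeover", "ip": e["ip"],
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note what a per-account counter would have seen: every attacked account failed exactly once, so no lockout would have fired. Counting distinct usernames per source is what exposes the pattern, and in practice the same logic is applied per autonomous system or per device fingerprint as well, because a botnet spreads the attempts across many addresses.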
Credit Monitoring
Data Protection: Services that watch your credit reports and alert you to changes—new accounts, inquiries, or suspicious activity. Essential after a data breach when your information may be used for identity theft.
Cross-Device Tracking
Surveillance: Technologies that link your activity across multiple devices — phone, laptop, tablet, smart TV, and smart speakers — creating a unified identity profile even when you use different browsers, apps, or networks.
Cryptanalysis
Security: The study of analyzing and breaking cryptographic systems. Cryptanalysts seek to find weaknesses in encryption algorithms, protocols, or implementations that would allow recovering plaintext or keys without authorization.
Crypto-Asset Reporting Framework (CARF)
Legal: An OECD framework designed to make crypto-asset transactions reportable across borders by requiring participating service providers to collect and share user and transaction information.
Cryptographic Agility
Encryption: The ability of a system to quickly switch between cryptographic algorithms without major redesign — critical for transitioning to post-quantum encryption and responding to algorithm breaks.
Curve25519
Encryption: A widely used elliptic curve designed by Daniel J. Bernstein for high security, speed, and resistance to implementation errors. It underlies the X25519 key agreement used in TLS, Signal, and WireGuard, and the related Ed25519 signature scheme.
Cypherpunk
OpSec: A movement advocating for the widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change.
D
DAC8
Legal: The EU's eighth Directive on Administrative Cooperation, expanding automatic tax reporting to crypto-asset service providers and certain digital platform activity.
Dark Patterns
Data Protection: Deceptive user interface designs that trick people into giving up privacy, making purchases, or agreeing to terms they didn't intend — such as hiding opt-out buttons, using confusing language, or making cancellation deliberately difficult.
Dark Web
Networking: The portion of the internet accessible only through anonymizing networks like Tor, hosting both legitimate privacy services and illegal marketplaces.
Darknet
Networking: A network overlay that requires specific software or configurations to access, providing anonymity for users and operators of hidden services.
Data At Rest
Data Protection: Data stored on a device or server that is not actively being transmitted or processed. It is protected with storage encryption (full-disk, file, or database encryption), which only helps if the keys are kept separate from the data they protect.
Data Breach
Security: A security incident where protected, sensitive, or confidential data is accessed, stolen, or exposed by unauthorized individuals. Data breaches can result from hacking, insider threats, lost devices, or misconfigured systems.
Data Broker
Data Protection: A company that collects personal information from various sources, aggregates it into detailed profiles, and sells it to third parties. Data brokers operate largely in the shadows, compiling information about people who often don't know they exist.
Data Broker Removal
Data Protection: The process of requesting that data brokers delete your personal information from their databases — either manually through individual opt-out forms or through automated removal services that handle hundreds of brokers simultaneously on your behalf.
Data Classification
Data Protection: The process of categorizing data by sensitivity level to determine appropriate protection measures and access controls.
Data Clean Room
Data Protection: An encrypted, controlled environment where two or more parties can combine and analyze their first-party data without exposing raw data to each other — a privacy-enhancing technology for secure data collaboration.
Data Detox
Data Protection: A systematic process of reducing your digital footprint by deleting old accounts, removing personal information from the internet, and changing habits that expose your data.
Data Exfiltration
Cloud: The unauthorized transfer of data out of an organization's network, the end goal of most data breaches. Because it usually travels over ordinary channels (HTTPS, DNS, cloud storage), detecting it depends on knowing what normal outbound traffic looks like.
Data In Transit
Data Protection: Data actively moving between locations over a network, protected by transport encryption such as TLS.
Data Localization Laws
Legal: Government regulations requiring that personal data collected within a country must be stored and processed on servers physically located within that country's borders — driven by concerns about foreign surveillance, sovereignty, and government access to citizens' data.
Data Minimization
Data Protection: A privacy principle that organizations should collect only the minimum amount of personal data necessary for a specific purpose, and retain it only as long as needed. This reduces privacy risks by limiting exposure in case of breaches or misuse.
Data Poisoning
AI & Automation: A technique where individuals or groups deliberately feed incorrect, misleading, or adversarial data to AI training datasets, surveillance systems, or data brokers to corrupt their models, reduce their accuracy, or pollute personal profiles as a form of privacy defense.
Data Portability
Data Protection: The right to receive your personal data from a service in a structured, commonly used format, and to transfer it to another service.
Data Protection Impact Assessment (DPIA)
Legal: A process required under GDPR for evaluating the privacy risks of new projects or technologies that process personal data at scale.
Data Retention Directive
Surveillance: Laws requiring telecommunications companies and ISPs to store user metadata (who contacted whom, when, and from where) for a specified period, enabling retroactive surveillance. The EU's 2006 Data Retention Directive, which mandated six to 24 months of retention, was struck down by the Court of Justice of the EU in 2014 as a disproportionate interference with privacy.
Data Retention Policy
Data Protection: Rules that define how long an organization keeps personal data and when it must be deleted, a key requirement under privacy regulations.
Data Shadow
Data Protection: The invisible collection of data about you that you never directly provided — inferred from your behavior, derived from other people's data, purchased from data brokers, or generated by algorithms analyzing your patterns.
Data Sovereignty
Legal: The principle that data is subject to the laws and regulations of the country where it is stored or processed.
De-Banking
Financial Privacy: The denial or removal of banking services — closing accounts, refusing applications, or restricting features — often without explanation, affecting individuals and businesses deemed 'high-risk' by financial institutions.
De-Googled Phone
Mobile: A smartphone running an Android-based operating system with Google services removed, offering app compatibility while eliminating Google's pervasive data collection.
De-Googling
OpSec: The process of removing Google services from your digital life to reduce data collection, replacing them with privacy-respecting alternatives.
Dead Drop
OpSec: A method of passing information between two parties without them ever meeting or communicating directly, originally a spy technique now adapted for digital use.
Decentralized Exchange
BlockchainA cryptocurrency exchange that operates without a central authority, allowing peer-to-peer trading without KYC requirements or custodial risk.
Decentralized Identity
AuthenticationAn identity model where individuals control their own credentials without relying on centralized authorities, using cryptographic proofs.
Decryption
EncryptionThe process of converting encrypted data (ciphertext) back into readable form (plaintext) using the correct key. Decryption is the inverse of encryption—only those with the proper key can decrypt.
Deepfake
Emerging ThreatsAI-generated synthetic media that convincingly replaces a person's likeness or voice in video or audio, enabling sophisticated impersonation and misinformation.
Deepfake Fraud
AI & AutomationThe use of AI-generated synthetic video or audio to impersonate real people for financial fraud — including fake video calls with executives to authorize wire transfers, fabricated evidence in legal proceedings, and identity verification bypasses.
Delete Social Media
Data ProtectionThe process of permanently removing your accounts and data from social media platforms — a growing movement driven by privacy concerns, mental health research, and the understanding that social media platforms are surveillance systems that monetize personal information.
Deniable Encryption
EncryptionAn encryption scheme where the existence of encrypted data cannot be proven, or where decryption can produce different plausible plaintexts.
DERO
BlockchainA privacy-focused blockchain platform that uses homomorphic encryption for fully encrypted transactions and supports private smart contracts.
Deterministic Encryption
EncryptionAn encryption scheme where the same plaintext always produces the same ciphertext, enabling exact-match searches on encrypted data at the cost of some security.
Device Fingerprinting
TrackingIdentifying a device (and thus its user) by collecting unique characteristics—screen size, fonts, plugins, hardware specs, behavior. Unlike cookies, fingerprints can't be easily cleared and persist across sessions.
Differential Privacy
Data ProtectionA mathematical framework for sharing aggregate information about a dataset while provably protecting the privacy of individual entries.
Digital Erasure
Data ProtectionThe comprehensive process of removing or minimizing a person's presence from the internet, including data broker listings, social media, search results, and public records.
Digital Exhaust
Data ProtectionThe passive trail of data generated by your everyday digital activities — WiFi connections, cell tower pings, Bluetooth broadcasts, DNS queries, and metadata — even when you're not actively using a service or app.
Digital Footprint
Data ProtectionThe trail of data you leave behind when using the internet — every search, click, post, purchase, and login creates a record that can be collected and analyzed.
Digital ID
Emerging ThreatsA government-issued electronic identity credential stored on a smartphone or card, increasingly being mandated for accessing services, travel, and financial transactions.
Digital ID Mandate
Emerging ThreatsGovernment requirements to use digital identity systems for accessing services, which centralize personal data and create comprehensive tracking capabilities.
Digital Markets Act
LegalAn EU regulation targeting Big Tech 'gatekeepers' — including Apple, Google, Meta, Amazon, and Microsoft — requiring interoperability, prohibiting self-preferencing, and giving users more control over their data, apps, and default services.
Digital Minimalism
Data ProtectionA philosophy of intentionally reducing your digital presence, online accounts, and technology usage to minimize data exposure and reclaim control over your attention and privacy.
Digital Nomad
OpSecA person who works remotely while traveling, often across multiple countries, creating unique privacy, tax, and jurisdictional considerations.
Digital Nomad Visa
OpSecA special visa or residency permit that allows remote workers to legally live in a foreign country while working for employers or clients outside that country.
Digital Services Act
LegalAn EU regulation that holds online platforms accountable for content moderation, algorithmic transparency, and user safety — requiring platforms to explain how their recommendation algorithms work and giving users the right to opt out of profiling-based content.
Digital Signature
EncryptionA cryptographic mechanism that proves the authenticity and integrity of a message or document, confirming it was created by the claimed sender and hasn't been altered.
Digital Sovereignty
OpSecThe ability of an individual, organization, or nation to control their own digital infrastructure, data, and online presence without dependence on foreign entities.
Disappearing Messages
EmailA messaging feature that automatically deletes messages after a set time period, reducing the risk of data exposure if a device is compromised.
Disk Encryption
EncryptionThe process of encrypting an entire storage device so that all data is protected when the device is powered off or stolen.
Distributed Denial of Service
AttacksAn attack that overwhelms a service with traffic from many sources simultaneously, making it unavailable to legitimate users.
DMCA
LegalThe Digital Millennium Copyright Act, which among other provisions, criminalizes circumvention of digital rights management systems, affecting security research and privacy tools.
DNS
NetworkingDomain Name System—the internet's phone book. DNS translates human-readable domain names (example.com) into IP addresses (93.184.216.34) that computers use to connect. Every website visit triggers DNS lookups, which can reveal your browsing to your ISP or DNS provider.
DNS Leak
NetworkingA security flaw where DNS queries bypass your VPN or proxy and are sent through your normal ISP connection, revealing the websites you visit even when your other traffic is protected.
DNS over HTTPS
NetworkingA protocol for performing DNS resolution via the HTTPS protocol. It encrypts DNS queries, preventing ISPs, network administrators, and attackers from seeing which websites you're trying to visit.
DNS over TLS
NetworkingA protocol that encrypts DNS queries using TLS, preventing ISPs and network observers from seeing which websites you're looking up.
DNS Poisoning
NetworkingAn attack that corrupts a DNS resolver's cache, redirecting users to malicious websites even when they type the correct address.
DNS Rebinding
AttacksAn attack that manipulates DNS responses to make a web browser access resources on a victim's local network, bypassing same-origin security policies.
Do Not Track (DNT)
BrowsersAn HTTP header that requests websites not to track the user, which is almost universally ignored and can actually make you more identifiable.
DOJ Bulk Data Rule
LegalThe DOJ Bulk Data Rule is a US regulation, effective April 2025, that restricts the bulk transfer of sensitive personal data of Americans to countries of concern — including China, Russia, Iran, North Korea, Cuba, and Venezuela — by US companies and individuals.
Domain Fronting
NetworkingA technique that hides the true destination of a network connection by routing it through a major cloud provider, making it appear as traffic to the cloud provider.
Double Ratchet
EncryptionA cryptographic protocol that provides end-to-end encryption with forward secrecy and break-in recovery. Used by Signal and adopted by WhatsApp, Facebook Messenger, and Google Messages. Each message gets a unique key; compromising one doesn't expose past or future messages.
Doxxing
ThreatsThe malicious act of publicly revealing someone's private information — such as home address, phone number, or workplace — without their consent, often to enable harassment.
Dragnet Surveillance
SurveillanceThe mass collection of data on entire populations rather than targeted surveillance of specific suspects, enabled by modern technology.
Drone Surveillance
SurveillanceThe use of unmanned aerial vehicles (drones) by law enforcement, intelligence agencies, and private entities to conduct surveillance from above — including real-time video monitoring, facial recognition, license plate reading, cell phone tracking, and crowd analysis.
E
EARN IT Act
Legal: Proposed US legislation (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act) that would undermine end-to-end encryption by making platforms liable for encrypted content they cannot see.
ECPA
Legal: The Electronic Communications Privacy Act, a US law that governs government access to electronic communications and stored data, widely considered outdated.
Edward Snowden
Surveillance: Former NSA contractor who in 2013 leaked classified documents revealing the scope of global mass surveillance, fundamentally changing the privacy landscape.
Electronic Frontier Foundation
Legal: A nonprofit digital rights organization that defends civil liberties in the digital world through litigation, policy analysis, and technology development.
Elliptic Curve Cryptography
Encryption: A public-key cryptography approach based on the algebraic structure of elliptic curves. ECC provides equivalent security to RSA with much smaller key sizes, making it ideal for mobile devices, IoT, and performance-critical applications.
Email Alias
Email: A forwarding address that routes email to your real inbox without revealing your actual email address, enabling compartmentalization and spam control.
Email Header Analysis
Email: Examining the metadata in email headers to trace the path of a message, identify the true sender, and detect spoofing attempts.
Emotion Recognition Technology
AI & Automation: AI systems that claim to detect human emotions from facial expressions, voice patterns, body language, or physiological signals — used in surveillance, hiring, education, and advertising.
Encrypted Messaging
Email: Messaging services that use end-to-end encryption to ensure only the sender and recipient can read messages, protecting against eavesdropping by anyone including the service provider.
Encrypted USB Drive
Hardware: A portable storage device with built-in hardware encryption that protects data even if the drive is lost or stolen.
Encryption
Encryption: The process of converting information into a code to prevent unauthorized access. Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and key. Only those with the correct key can decrypt and read the original data.
Encryption at Rest
Encryption: Encryption applied to data stored on disks, databases, or other storage media. When data is 'at rest' (not actively being transmitted), encryption protects it from unauthorized access if storage devices are stolen or compromised.
Encryption Backdoor
Encryption: A deliberately created vulnerability in encryption that allows a third party (usually government) to bypass the encryption and access protected data.
Encryption Ban
Encryption: Government efforts to outlaw, weaken, or mandate backdoors in end-to-end encryption — arguing that law enforcement needs access to encrypted communications, while security experts warn that any backdoor weakens security for everyone.
End-to-End Encrypted Cloud Storage
Cloud: Cloud storage where files are encrypted on your device before upload and can only be decrypted by you, not the storage provider.
End-to-End Encryption
Encryption: A method of secure communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.
Entropy
Encryption: A measure of randomness or unpredictability in data, particularly important in cryptography for generating secure keys and passwords.
EPIC (Electronic Privacy Information Center)
Legal: A Washington D.C.-based nonprofit research and advocacy organization focused on emerging privacy and civil liberties issues — filing lawsuits, FOIA requests, and amicus briefs, and providing expert testimony on surveillance, AI, consumer privacy, and government data collection.
ePrivacy Directive
Legal: An EU directive that regulates electronic communications privacy, including requirements for cookie consent and restrictions on unsolicited marketing.
Equifax Data Breach
Data Protection: A 2017 data breach at credit bureau Equifax that exposed the personal and financial data of 147 million Americans — including Social Security numbers, birth dates, and addresses — making it one of the most damaging breaches in history.
EU AI Act
Legal: The European Union's comprehensive regulation on artificial intelligence — the world's first major AI law — that categorizes AI systems by risk level and bans certain uses including real-time biometric surveillance, social scoring, and emotion recognition in workplaces and schools.
EU Data Act
Legal: A European Union regulation effective September 2025 that extends data access and portability rights to industrial and non-personal data, giving users and businesses more control over data generated by connected products and services.
Evil Twin Attack
Attacks: A WiFi attack where an attacker creates a fake access point that mimics a legitimate network, tricking devices into connecting and exposing their traffic.
Executive Order 12333
Legal: A 1981 presidential executive order signed by Ronald Reagan that provides the primary legal framework for US intelligence collection activities abroad — and has been used to justify the bulk collection of non-Americans' data, which routinely sweeps up Americans' communications.
Exit Node
Networking: The final relay in a Tor circuit that connects to the destination server, the point where traffic leaves the Tor network and enters the regular internet.
Exit Tax
Legal: A tax imposed on citizens who renounce their citizenship or long-term residents who abandon their green card, calculated as if all worldwide assets were sold at fair market value the day before expatriation.
Expatriation
Legal: The formal process of renouncing citizenship or permanent residency in one's home country, often motivated by tax obligations, privacy concerns, or the desire for greater personal freedom.
F
F-Droid
Mobile: An app store for Android that exclusively distributes free and open-source software, providing a privacy-respecting alternative to Google Play.
Facial Recognition
Surveillance: Technology that identifies or verifies individuals by analyzing facial features from photos or video footage, increasingly used for mass surveillance.
Facial Recognition Ban
Legal: Legislative and regulatory actions to prohibit or restrict the use of facial recognition technology — particularly by law enforcement and in public spaces — driven by accuracy concerns, racial bias, mass surveillance risks, and the fundamental threat to anonymity in public life.
Faraday Cage
Hardware: An enclosure made of conductive material that blocks electromagnetic fields, used in privacy to prevent wireless signals from reaching or leaving a device.
FATCA (Foreign Account Tax Compliance Act)
Legal: A US federal law requiring foreign financial institutions to report accounts held by US persons to the IRS, and requiring US taxpayers to report foreign financial assets exceeding certain thresholds.
FBAR (Foreign Bank Account Report)
Legal: A mandatory annual report (FinCEN Form 114) that US persons must file if they have foreign financial accounts with an aggregate value exceeding $10,000 at any point during the year.
Federated Learning
Cloud: A machine learning approach where the model is trained across multiple devices without raw data leaving each device, preserving data privacy.
FEIE (Foreign Earned Income Exclusion)
Legal: A US tax provision allowing qualifying Americans living abroad to exclude up to $126,500 (2024) of foreign earned income from US federal income tax.
FIDO2
Authentication: An open authentication standard that combines WebAuthn and CTAP protocols to enable passwordless and phishing-resistant login.
Financial Censorship
Financial Privacy: The blocking, restricting, or reversing of financial transactions based on the identity of the sender/receiver, the purpose of the transaction, or political pressure — without a court order or legal process.
Financial Freedom
Emerging Threats: The ability to transact, save, and manage money without surveillance, censorship, or dependence on institutions that can freeze or restrict access to your funds.
Financial Privacy
Financial Privacy: The ability to conduct financial transactions — earning, saving, spending, and investing — without your activity being monitored, recorded, analyzed, or used against you by governments, corporations, or third parties.
Financial Surveillance
Financial Privacy: The systematic monitoring of financial transactions by governments, banks, and third parties — from bank account activity and credit card purchases to cryptocurrency transactions and peer-to-peer payments.
Firmware Security
Hardware: The security of low-level software embedded in hardware devices, which runs before the operating system and can be compromised to create persistent, undetectable backdoors.
First-Party Isolation
Browsers: A browser feature that separates website data (cookies, cache, storage) so that one website cannot access data set by another.
FISA Court
Legal: The Foreign Intelligence Surveillance Court — a secret US federal court that approves surveillance warrants against suspected foreign intelligence agents. It operates in near-total secrecy, approves over 99% of government requests, and has been called a 'rubber stamp' court.
Five Eyes
Legal: An intelligence alliance between the United States, United Kingdom, Canada, Australia, and New Zealand that shares surveillance data and signals intelligence. Privacy advocates consider Five Eyes countries higher risk for hosting privacy-focused services.
Five Eyes Alliance
Surveillance: An intelligence-sharing alliance between the US, UK, Canada, Australia, and New Zealand that cooperates on signals intelligence and mass surveillance.
Flag Theory
OpSec: A strategy of distributing your life across multiple countries — citizenship, residency, banking, business, and assets — so that no single government has complete control over your freedom or wealth.
Forensic Analysis
Attacks: The scientific examination of digital devices and data to recover evidence, used by law enforcement and incident responders.
Forward Secrecy in Messaging
Email: A property of messaging protocols where each message uses a unique encryption key, so compromising one key doesn't expose past or future messages.
Fourteen Eyes
Legal: An extended intelligence-sharing alliance consisting of the Five Eyes plus Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Spain, and Sweden. These countries share surveillance data through various agreements.
Fourth Amendment
Legal: The US Constitutional amendment protecting against unreasonable searches and seizures, which forms the legal basis for many digital privacy rights.
G
Gag Order
Surveillance: A legal order that prevents a company from disclosing that it has received a government request for user data, often accompanying National Security Letters.
GDPR
Legal: The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.
GDPR Fines & Enforcement
Legal: The penalties imposed under the EU's General Data Protection Regulation, which can reach up to 4% of a company's global annual revenue — with over €4.5 billion in total fines issued since 2018, including record penalties against Meta, Amazon, and Google.
Geofence Warrant
Legal: A court order that compels companies like Google to provide data on every device that was within a defined geographic area during a specific time period — casting a surveillance net over everyone in the area, not just suspects.
Geofencing
Surveillance: A technology that creates a virtual boundary around a geographic area and can trigger actions when a device enters or exits that boundary.
GeoIP Database
Networking: A database that maps IP addresses to geographic locations, used for content localization, fraud detection, and unfortunately, user profiling.
Global Privacy Control
Browsers: A browser signal that tells websites you don't want your personal data sold or shared, legally enforceable under CCPA and recognized by some GDPR implementations.
Google Alternatives
Browsers: Privacy-respecting replacements for Google products — including search, email, maps, cloud storage, browsers, and more — that don't track your activity or build advertising profiles.
Google Privacy Sandbox
Browsers: Google's initiative to replace third-party cookies in Chrome with new tracking technologies (Topics API, Attribution Reporting, Protected Audiences) that Google claims protect privacy while preserving targeted advertising — critics call it a way for Google to consolidate tracking power.
GPG
Encryption: GNU Privacy Guard—a free, open-source implementation of the OpenPGP standard. GPG provides encryption, digital signatures, and key management. It's the most widely used tool for PGP-compatible email encryption and file signing.
GrapheneOS
Mobile: A privacy and security-focused mobile operating system based on Android, designed to minimize data collection while maintaining app compatibility.
H
Hardware Kill Switch
Hardware: A physical switch that electrically disconnects a component like the camera, microphone, WiFi, or cellular radio, providing a hardware guarantee that it cannot be activated.
Hardware Security Key
Authentication: A physical device used for authentication that provides the strongest form of two-factor authentication. Hardware keys are immune to phishing attacks because they cryptographically verify the legitimacy of the website before responding.
Hardware Security Module (HSM)
Hardware: A tamper-resistant physical device that manages and protects cryptographic keys, performing encryption operations in a secure environment.
Harvest Now, Decrypt Later
Encryption: A surveillance strategy where intelligence agencies intercept and store encrypted communications today, planning to decrypt them in the future when quantum computers become powerful enough to break the encryption.
Hash Collision
Encryption: When two different inputs produce the same hash output, potentially allowing an attacker to forge digital signatures or bypass integrity checks.
Hash Function
Encryption: A mathematical function that converts any input data into a fixed-size string of characters (hash). Cryptographic hash functions are one-way, meaning you cannot reverse the process to recover the original data.
HIPAA
Legal: The Health Insurance Portability and Accountability Act establishes national standards for protecting sensitive patient health information in the United States, requiring safeguards for electronic health data and giving patients rights over their medical records.
HMAC
Encryption: A mechanism for verifying both the integrity and authenticity of a message using a cryptographic hash function combined with a secret key.
Homomorphic Encryption
Encryption: A form of encryption that allows computations to be performed on encrypted data without decrypting it first, preserving privacy during processing.
Honeypot
Networking: A decoy system designed to attract attackers, allowing security teams to study attack methods and detect intrusions.
How to Check If You've Been Hacked
Threats: Steps to determine if your accounts, devices, or personal information have been compromised in a data breach or security incident.
How to Disappear Online
OpSec: A comprehensive guide to reducing or eliminating your digital presence — removing personal information from data brokers, deleting old accounts, minimizing new data creation, and establishing privacy-first alternatives for essential online services.
How to Remove Your Information Online
Data Protection: A practical guide to reducing your digital footprint by opting out of data brokers, deleting old accounts, removing search results, and minimizing future data exposure.
HTTPS
Networking: Hypertext Transfer Protocol Secure is the encrypted version of HTTP, the protocol used to transfer data between your browser and websites. HTTPS uses TLS encryption to protect the confidentiality and integrity of data in transit, preventing eavesdropping and tampering.
I
I2P
Anonymity: The Invisible Internet Project is an anonymous network layer designed for internal services (eepsites) rather than accessing the regular internet. I2P uses garlic routing to provide strong anonymity for both users and services.
Identity Federation
Authentication: A system that allows users to use a single identity across multiple organizations without each organization managing separate credentials.
Identity Theft
Threats: The fraudulent use of someone's personal information — such as Social Security number, credit card details, or login credentials — to commit crimes or financial fraud.
IMEI
Mobile: A unique 15-digit number assigned to every mobile device, used by carriers to identify devices on the network and track them globally.
Immutable Infrastructure
Cloud: A deployment model where servers are never modified after deployment — changes require building and deploying a new server, reducing the risk of persistent compromise.
IMSI Catcher
Surveillance: A device that impersonates a cell tower to intercept mobile phone communications and track the location of nearby devices.
Incident Response
Cloud: The organized approach to handling security breaches and cyberattacks, including preparation, detection, containment, eradication, and recovery.
India DPDP Act
Legal: The Digital Personal Data Protection Act (DPDPA) is India's comprehensive data protection law, enacted in 2023, that governs how digital personal data of Indian residents is collected, processed, and transferred.
Infrastructure as Code
Cloud: Managing and provisioning computing infrastructure through machine-readable configuration files rather than manual processes, enabling reproducible and auditable deployments.
Internet Freedom
Legal: The principle that all people should be able to access, use, and share information on the internet without government censorship, surveillance, or corporate gatekeeping — encompassing net neutrality, freedom of expression online, privacy, and resistance to internet shutdowns.
Internet of Things Security
Emerging Threats: The security challenges posed by billions of internet-connected devices that often have minimal security, no update mechanism, and extensive data collection capabilities.
IP Address
Networking: A unique numerical identifier assigned to every device connected to a computer network. Your IP address reveals your approximate geographic location and can be used to track your online activity, link your actions across websites, and identify your internet service provider.
IPv6 Privacy Extensions
Networking: A feature that generates temporary, randomized IPv6 addresses to prevent tracking based on an interface identifier derived from your device's permanent hardware (MAC) address.
K
Key Derivation Function
Encryption: A cryptographic function that derives one or more secret keys from a master secret, password, or other source of entropy. KDFs add security through computational cost and produce keys of the required length and format.
Key Exchange
Encryption: A cryptographic protocol that allows two parties to establish a shared secret key over an insecure channel. This shared key can then be used for symmetric encryption, enabling secure communication without prior contact.
Key Stretching
Encryption: A technique that makes a short password harder to crack by passing it through a computationally expensive hashing function many times.
Key Wrapping
Encryption: A technique for encrypting cryptographic keys using another key, protecting keys at rest and during transport.
Keylogger
Security: Malicious software or hardware that records every keystroke typed on a device, capturing passwords, messages, and sensitive information. Keyloggers can be installed through malware, physical access, or malicious browser extensions.
Kids Online Safety Act
Legal: Proposed US legislation (KOSA) requiring platforms to protect minors from harmful content online — raising concerns about age verification mandates, content censorship, and the creation of new surveillance infrastructure.
Know Your Customer
Blockchain: Regulatory requirements that force financial services to verify their customers' identities, creating data collection obligations that conflict with financial privacy.
L
Large Language Model Privacy
Emerging Threats: Privacy risks associated with AI language models that may memorize, regurgitate, or be trained on personal data from their training corpus.
Lawful Intercept
Surveillance: The legally authorized interception of telecommunications by law enforcement or intelligence agencies, built into communications infrastructure by design.
LGPD
Legal: The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law, modeled closely on the GDPR, that governs how the personal data of Brazilian residents is collected, processed, stored, and transferred.
License Plate Reader
Surveillance: Automated cameras that capture and store license plate numbers, timestamps, and locations of every vehicle they see — creating a massive searchable database of where every car has been.
Living Trust
Legal: A private legal agreement created during your lifetime that holds assets under a trustee for the benefit of named beneficiaries — used primarily to avoid probate, plan for incapacity, and keep the disposition of your estate out of the public record.
Location Services
Mobile: A system that determines your device's location using GPS, WiFi, cell towers, and Bluetooth, often shared with apps and service providers.
Location Tracking Defense
OpSec: Strategies and tools to prevent or limit the collection of your physical location. Location data is among the most sensitive—it reveals where you live, work, worship, and who you're with. Defense involves both device settings and behavioral changes.
Lockdown Mode
Mobile: An extreme security setting on Apple devices that disables many features to protect against sophisticated state-sponsored spyware like Pegasus.
M
MAC Address
[Networking] A unique hardware identifier assigned to every network interface, which can be used to track devices across WiFi networks.
Machine Learning Bias
[Emerging Threats] Systematic errors in AI systems that produce unfair or discriminatory outcomes. Bias can come from skewed training data, flawed algorithms, or feedback loops. In privacy contexts, biased systems may disproportionately surveil or deny services to certain groups.
Magic Link Authentication
[Authentication] A passwordless login method that sends a unique, time-limited link to your email address, granting access when clicked.
Malware
[Security] Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Malware includes viruses, ransomware, spyware, trojans, and worms—each with different infection methods and objectives.
Man-in-the-Middle Attack
[Security] An attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they're communicating directly with each other. MITM attacks can capture credentials, inject malware, or modify data.
Management Agreement
[Legal] A legacy term for the contract used in broader nominee-manager arrangements to define authority, compensation, liability limits, and termination conditions. Default Privacy's current nominee signing model relies on transaction-specific authorization documents rather than a standing management agreement.
Marriott Data Breach
[Data Protection] A series of data breaches at Marriott International, the largest exposing 500 million Starwood guest records in 2018 — including passport numbers, credit cards, and travel histories — with attackers having undetected access for four years.
Mass Surveillance
[Surveillance] The systematic monitoring of entire populations' communications, movements, and activities by governments, enabled by modern technology and justified as necessary for national security.
Mesh Networking
[Networking] A network topology where devices connect directly to each other without relying on centralized infrastructure, enabling censorship-resistant communication.
Metadata
[Data Protection] Data about data. In the context of communications, metadata includes information like who you contacted, when, for how long, and from where—everything except the actual content of your message. Metadata can reveal intimate details about your life even when content is encrypted.
Metadata Surveillance
[Surveillance] The collection and analysis of communication metadata — who contacted whom, when, where, and for how long — which often reveals more than message content.
Mixer / Tumbler
[Blockchain] A service that pools cryptocurrency from multiple users and redistributes it, breaking the link between the original sender and the final recipient.
Mixnet
[Anonymity] A routing protocol that mixes messages from multiple users, making it extremely difficult to trace which input corresponds to which output. Mixnets provide stronger anonymity than onion routing by adding delays and shuffling.
Mobile Ad ID
[Mobile] A resettable identifier assigned by mobile operating systems that enables cross-app tracking for targeted advertising.
Model Training Data
[AI & Automation] The massive datasets of text, images, code, and other content used to train AI models — often containing personal information scraped from the internet without individual consent.
Monero
[Blockchain] The most widely-used privacy cryptocurrency, using ring signatures, stealth addresses, and RingCT to make transactions untraceable by default.
Multi-Factor Authentication
[Authentication] A security method that requires two or more different types of verification: something you know, something you have, or something you are.
Mutual Legal Assistance Treaty (MLAT)
[Legal] A bilateral or multilateral agreement between countries that allows their law enforcement and judicial authorities to request and share evidence, witnesses, and other legal assistance across borders.
N
NAT (Network Address Translation)
[Networking] A technique that maps multiple private IP addresses to a single public IP address, providing a basic layer of privacy by hiding internal network structure.
Nation-State Threat
[Threats] Cyber threats from government-sponsored actors—intelligence agencies, military units, or state-backed groups. Nation-state attackers have resources, patience, and legal authority that exceed typical criminals. They target dissidents, journalists, corporations, and critical infrastructure.
National Public Data Breach
[Data Protection] A 2024 data breach at background check company National Public Data that exposed up to 2.9 billion records including Social Security numbers, names, and addresses — potentially affecting nearly every American, Canadian, and British citizen.
National Security Letter
[Legal] An administrative subpoena issued by U.S. federal agencies (primarily the FBI) for national security investigations. NSLs come with gag orders preventing recipients from disclosing their existence, making them controversial tools of surveillance.
Network Forensics
[Attacks] The capture, recording, and analysis of network traffic to detect intrusions, investigate incidents, and monitor for data exfiltration.
Network Segmentation
[Networking] Dividing a network into separate zones to contain breaches and limit lateral movement by attackers.
NIST Post-Quantum Standards
[Encryption] The new cryptographic standards published by the US National Institute of Standards and Technology (NIST) to replace vulnerable RSA and ECC algorithms before quantum computers can break them.
Nominee Director
[Legal] A person who appears as the named director of a company — typically an offshore entity — on behalf of the real beneficial owner, a structure that was once central to offshore anonymity but has become a standard AML risk indicator as UBO transparency requirements have forced look-through to real ownership.
Nominee Manager
[Legal] A legacy term for an older nominee model in which an attorney or other professional was named as the manager of an LLC on public-facing documents. Default Privacy's current source of truth is the nominee signing service — a consultation-gated, per-document authorized signatory arrangement rather than an ongoing management role.
Nominee Services
[Legal] A category of privacy services in which a professional acts in a limited representative role so the real owner's name does not appear on certain public-facing or counterparty documents. In Default Privacy's current model, this primarily means nominee organizer at formation and nominee signing for specific accepted contracts.
Nominee Shareholder
[Legal] A person who holds shares in a company on behalf of the true beneficial owner, appearing on share registers and corporate filings so the real owner's name does not appear in public records — an arrangement that was once widely used for offshore anonymity but has been significantly weakened by global UBO transparency requirements.
Non-Custodial Wallet
[Blockchain] A cryptocurrency wallet where only you hold the private keys, giving you full control over your funds without trusting a third party.
Nonce
[Encryption] A 'number used once'—a random or sequential value that ensures cryptographic operations produce unique results even with the same key. Nonces prevent replay attacks and are critical for secure encryption modes.
NSA Tailored Access Operations
[Surveillance] The NSA's elite hacking unit (now called Computer Network Operations) that conducts targeted cyberattacks against specific high-value targets — implanting surveillance tools in routers, servers, and devices, and intercepting hardware shipments to install backdoors.
NSO Group
[Surveillance] An Israeli cyber intelligence company that developed the Pegasus spyware, which can silently compromise any iPhone or Android phone — sold to governments worldwide and used to target journalists, activists, lawyers, and heads of state.
O
OAuth
[Authentication] An open standard for authorization that allows users to grant third-party applications limited access to their accounts without sharing passwords. OAuth powers 'Login with Google/Facebook' buttons and API access delegation.
OAuth 2.0
[Authentication] An authorization framework that allows third-party applications to access user accounts without sharing passwords, using access tokens instead.
Obfuscation
[Encryption] Techniques for disguising encrypted traffic to look like normal, unencrypted traffic, used to bypass censorship systems that block VPNs and Tor.
Offline Security
[Security] Protecting data and systems that are not connected to the internet. Offline security addresses physical access, device theft, and local attacks. When data never touches a network, it can't be hacked remotely—but it can be stolen, seized, or compromised in person.
Offshore Trust
[Legal] A legal arrangement where assets are transferred to a trustee in a foreign jurisdiction for the benefit of designated beneficiaries, providing asset protection, privacy, and estate planning benefits.
Onion Routing
[Anonymity] A technique for anonymous communication over a computer network where messages are encapsulated in layers of encryption, analogous to layers of an onion. Each relay decrypts one layer to reveal the next destination, but no single relay knows both the origin and final destination.
Onion Service
[Networking] A website or service hosted within the Tor network that is only accessible through Tor, providing anonymity for both the server and its visitors.
Online Stalking
[Threats] The use of the internet and digital technology to monitor, harass, or intimidate a specific person, often escalating from online behavior to real-world threats.
Open Banking Privacy
[Financial Privacy] The privacy risks created by open banking APIs that allow third-party apps to access your bank account data — including transaction history, balances, and account details — with a single authorization.
Open Source
[Security] Software whose source code is made freely available for anyone to view, modify, and distribute. In privacy tools, open source allows independent security researchers to verify that the software does what it claims and contains no backdoors or hidden surveillance capabilities.
Operation Choke Point
[Financial Privacy] A US Department of Justice initiative (and its successors) that pressured banks to deny services to legal-but-disfavored industries — weaponizing the financial system as a tool of policy enforcement without legislation.
Operational Security
[Security] The practice of protecting sensitive information by thinking like an adversary to identify vulnerabilities in your own behavior and communications. OPSEC goes beyond technical tools to address human factors that could expose you.
Operational Security (OPSEC)
[OpSec] The process of identifying, controlling, and protecting information that could give an adversary insight into your activities, intentions, or capabilities.
OPM Data Breach
[Surveillance] A 2015 breach of the US Office of Personnel Management that exposed the personal data, security clearance background investigations, and fingerprints of 22.1 million current and former federal employees — attributed to Chinese state-sponsored hackers.
OPSEC Mistakes
[OpSec] Common operational security failures that compromise privacy or anonymity, often involving small details that link a protected identity to a real one.
Opt-Out vs. Opt-In
[Data Protection] Two fundamentally different approaches to privacy consent — opt-in requires your explicit permission before data is collected (the GDPR model), while opt-out assumes consent by default and puts the burden on you to find settings and refuse (the US model).
P
Packet Inspection
[Networking] The practice of examining data packets as they pass through a network checkpoint, ranging from basic header analysis to deep content inspection.
Palantir
[Surveillance] A controversial data analytics company that builds surveillance and intelligence platforms for governments and corporations, processing vast amounts of personal data.
Parallel Economy
[Emerging Threats] Economic activity conducted outside mainstream corporate and financial infrastructure, using alternative payment systems, decentralized services, and privacy-preserving tools.
Passkey
[Authentication] A passwordless authentication method using public-key cryptography, typically stored on your device and protected by biometrics or device PIN. Passkeys are phishing-resistant and designed to replace passwords entirely.
Passphrase
[Authentication] A sequence of words used as a password, typically longer and more memorable than traditional passwords. Passphrases like 'correct horse battery staple' provide strong security while being easier to remember than random character strings.
Password Manager
[Authentication] Software that securely stores and manages passwords and other credentials. Password managers generate strong, unique passwords for each account and encrypt them with a single master password, eliminating password reuse and the need to remember multiple complex passwords.
Password Reuse
[Authentication] The dangerous practice of using the same password across multiple accounts — meaning that when one service is breached, attackers can access all other accounts sharing that password through automated credential stuffing attacks.
Pay or Consent
[Data Protection] A business model where websites and platforms give users two choices: accept tracking and targeted advertising for free, or pay a monthly subscription for a tracking-free experience — effectively putting a price tag on privacy and making it a luxury good.
Peer-to-Peer Payments
[Financial Privacy] Direct value transfer between individuals without a centralized intermediary — from handing someone cash to sending privacy cryptocurrency — each method with vastly different privacy implications.
Pegasus Spyware
[Surveillance] A sophisticated spyware tool developed by NSO Group that can silently compromise smartphones through zero-click exploits, giving full access to the device.
Pen Register
[Legal] A surveillance device or order that records the numbers dialed from a specific phone line, analogous to modern metadata collection.
Penetration Testing
[Cloud] Authorized simulated attacks on a system to evaluate its security and identify vulnerabilities before real attackers find them.
People Search Sites
[Data Protection] Websites that aggregate and sell personal information including addresses, phone numbers, relatives, and criminal records, making anyone's details available for a small fee.
Perfect Forward Secrecy
[Encryption] A feature of key-agreement protocols that ensures session keys cannot be compromised even if the server's long-term private key is compromised. Each session uses unique keys, so past communications remain secure even if the long-term key is later exposed.
Permissions Policy
[Browsers] An HTTP header that allows websites to control which browser features (camera, microphone, geolocation, etc.) can be used on the page.
PGP
[Encryption] Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. It's used for signing, encrypting, and decrypting texts, emails, files, and directories, and is the gold standard for email encryption.
PGP Web of Trust
[Email] A decentralized trust model where PGP users verify each other's identities and sign each other's public keys, creating a network of trust without a central authority.
Phishing
[Security] A social engineering attack where attackers impersonate legitimate entities through fake emails, websites, or messages to trick victims into revealing sensitive information like passwords, credit card numbers, or personal data.
Phishing Kit
[Attacks] A pre-packaged set of tools that allows anyone to quickly deploy convincing phishing websites to steal credentials.
Phishing-Resistant MFA
[Authentication] Multi-factor authentication methods that cannot be intercepted or replayed by phishing attacks, specifically FIDO2/WebAuthn hardware keys and passkeys.
Phone Privacy Settings
[Mobile] The essential privacy configurations on iOS and Android devices that most people never change — controlling what data apps can access, what your phone broadcasts, and what gets sent to Apple or Google.
Pig Butchering Scam
[Attacks] A sophisticated long-con fraud where criminals build a trusting relationship with victims over weeks or months — typically through romance or friendship — then manipulate them into investing in fake cryptocurrency or trading platforms, stealing their life savings.
PII (Personally Identifiable Information)
[Data Protection] Any data that can be used to identify a specific individual, including name, address, phone number, email, Social Security number, and biometric data.
PIPL
[Legal] The Personal Information Protection Law (PIPL) is China's comprehensive data protection law, effective November 2021, that governs the collection, processing, and cross-border transfer of personal information of individuals in China.
Place of Effective Management (POEM)
[Legal] The location where a company's key management and commercial decisions are actually made, regardless of where the company is incorporated. Used by tax authorities to determine which country has the right to tax a company's income.
Plaintext
[Encryption] Unencrypted, readable data before it undergoes encryption. Plaintext can be any form of data—text, files, images—that hasn't been cryptographically protected. The goal of encryption is to protect plaintext from unauthorized access.
Plausible Deniability
[Security] The ability to credibly deny knowledge of or responsibility for something, especially when encrypted data could be explained as random noise or when hidden volumes within encrypted containers cannot be proven to exist.
Plausible Encryption
[Encryption] Encryption that produces ciphertext indistinguishable from random data, preventing adversaries from proving that encryption was used at all.
Port Scanning
[Networking] A technique used to discover which network ports are open on a target system, often used in reconnaissance before an attack.
Post-Quantum Cryptography
[Encryption] Cryptographic algorithms designed to resist attacks from both classical and quantum computers — the next generation of encryption being standardized to replace RSA, ECC, and other vulnerable algorithms.
Predictive Policing
[Emerging Threats] The use of algorithms and data analysis to predict where crimes will occur or who will commit them, raising concerns about bias, surveillance, and civil liberties.
PRISM
[Surveillance] A classified NSA surveillance program revealed by Edward Snowden in 2013 that collects data directly from major tech companies including Google, Apple, Facebook, and Microsoft.
Privacy
[Concepts] The right to control access to your personal information and to be free from unwanted observation or surveillance. Privacy is not about having something to hide—it's about autonomy, dignity, and the ability to choose what you share and with whom.
Privacy Audit
[Data Protection] A comprehensive assessment of your digital privacy posture, examining browser exposure, website security, email configuration, data broker presence, and overall threat model.
Privacy by Default
[Data Protection] The principle that systems, services, and technologies should ship with the most privacy-protective settings out of the box — requiring users to opt in to less private options rather than opt out of invasive ones. It means privacy is the starting point, not a hidden toggle.
Privacy by Design
[Data Protection] An approach to systems engineering that takes privacy into account throughout the entire engineering process. Rather than bolting privacy protections onto existing systems, Privacy by Design builds privacy into the architecture from the ground up.
Privacy Checklist
[OpSec] A practical, step-by-step list of actions anyone can take to significantly improve their digital privacy, from quick wins to advanced measures.
Privacy Class Action
[Legal] A lawsuit filed on behalf of a large group of people whose privacy was violated by the same company or practice — enabling individuals who suffered small individual losses to collectively hold corporations accountable for data breaches, illegal tracking, and privacy violations.
Privacy Coin
[Blockchain] A cryptocurrency designed with built-in privacy features that hide transaction amounts, sender and receiver addresses, or both.
Privacy for Business Owners
[OpSec] Strategies for entrepreneurs and small business owners to protect personal information while operating a business that requires some public presence.
Privacy for Content Creators
[OpSec] Privacy strategies specifically designed for YouTubers, streamers, podcasters, and social media creators who face unique risks from public exposure.
Privacy for Families
[Data Protection] Protecting the digital privacy of your entire family — including children who can't consent to data collection, teens navigating social media, and elderly family members vulnerable to scams.
Privacy for Small Business
[Data Protection] Essential privacy protections for small business owners — separating personal and business identities, protecting customer data, and using privacy infrastructure to reduce legal exposure and competitive risk.
Privacy Impact Assessment
[Data Protection] A systematic evaluation of how a new project, policy, or technology will affect the privacy of individuals whose data is involved.
Privacy Infrastructure
[Networking] The technical and legal systems that enable individuals and organizations to conduct activities without unnecessary exposure — VPNs, encrypted messaging, anonymous entities, private hosting, and related tools.
Privacy International
[Legal] A London-based human rights organization founded in 1990 that investigates and challenges government surveillance and corporate data exploitation worldwide — filing legal actions, publishing research, and advocating for privacy as a fundamental right.
Privacy Screen Protector
[Hardware] A physical screen filter that narrows the viewing angle of a display, preventing shoulder surfing and visual eavesdropping.
Privacy Shield
[Legal] A former framework for transferring personal data from the EU to the US, invalidated by the EU Court of Justice in 2020 due to US surveillance concerns.
Privacy Tools Directory
[Data Protection] A curated database of software, services, and hardware that help protect digital privacy, categorized and evaluated for their privacy practices.
Privacy Washing
[Data Protection] The practice of companies marketing themselves as privacy-friendly while continuing to collect, share, or exploit user data — similar to 'greenwashing' in environmentalism, where the appearance of privacy is used as a marketing tool without meaningful protection.
Privacy-Focused Email
[Email] Email services that protect your communications through end-to-end encryption, zero-access encryption, and privacy-respecting policies — unlike Gmail, Outlook, and Yahoo which scan emails for advertising and AI training.
Privacy-Friendly Phone
[Mobile] A smartphone configured or purpose-built for maximum privacy — either running a de-Googled Android operating system like GrapheneOS or CalyxOS, or an iPhone with strict privacy settings enabled, minimizing data collection by the OS vendor and apps.
Private AI Inference
[AI & Automation] Running AI models locally or in a confidential computing environment so that your prompts and outputs never leave your device or an encrypted enclave — distinct from sending data to cloud AI APIs.
Private Browsing
[Browsers] A browser mode that doesn't save history, cookies, or form data after the session ends. Despite its name, private browsing only provides local privacy—it doesn't hide your activity from websites, ISPs, or network administrators.
Private Browsing Mode
[Browsers] A browser feature that doesn't save browsing history, cookies, or form data after the session ends, but does NOT hide your activity from websites, ISPs, or employers.
Private Search Engine
[Browsers] A search engine that doesn't track your searches, build a profile based on your queries, or personalize results based on your identity — providing the same results regardless of who is searching.
Programmable Money
[Financial Privacy] Digital currency that can be programmed with rules controlling how, when, where, and on what it can be spent — a core feature of CBDCs that enables unprecedented financial control.
Prompt Injection
[AI & Automation] A security vulnerability in AI systems where an attacker manipulates the input to override the AI's instructions, potentially extracting private data or making the system perform unintended actions.
Protect Children Online
[Data Protection] Privacy and safety practices for protecting minors from online threats including data collection by apps and platforms, social media exploitation, sextortion, cyberbullying, and predatory content targeting — a growing concern as children's screen time and digital exposure increase.
Proxy
[Networking] A server that acts as an intermediary between you and the internet. Your requests go to the proxy, which forwards them to the destination. Proxies can hide your IP, bypass geo-restrictions, or filter content—but the proxy operator sees your traffic.
Proxy Chain
[Networking] A technique of routing traffic through multiple proxy servers in sequence, making it harder to trace the connection back to the original source.
Proxy Server
[Networking] An intermediary server that sits between your device and the internet, forwarding requests on your behalf. Proxies can provide privacy by hiding your IP address, but unlike VPNs, they typically don't encrypt traffic.
Pseudonymity
[Anonymity] The state of using a consistent fake identity rather than your real name. Unlike anonymity, pseudonymity allows building reputation and history while protecting real-world identity from casual observers.
Public Key Cryptography
[Encryption] A cryptographic system that uses pairs of keys: public keys (which may be disseminated widely) and private keys (which are known only to the owner). This enables secure communication between parties who have never met and forms the basis for digital signatures, key exchange, and encrypted communication.
Public WiFi Safety
[Networking] Security practices for protecting your data when using public WiFi networks in cafes, airports, hotels, and other shared spaces — where unencrypted traffic can be intercepted, fake hotspots can steal credentials, and your device may be exposed to other users on the network.
Q
QR Code Phishing
[Attacks] A phishing technique (also called 'quishing') that uses malicious QR codes to redirect victims to fake websites, trigger malware downloads, or steal credentials — exploiting the fact that people can't visually verify where a QR code leads before scanning.
Quantum Computing Threat
[Emerging Threats] The risk that sufficiently powerful quantum computers will break widely-used encryption algorithms, potentially exposing all currently encrypted data.
Quantum Key Distribution
[Encryption] A method of using quantum mechanics to securely distribute encryption keys, where any eavesdropping attempt physically disturbs the quantum state and is detectable.
Qubes OS
[Hardware] A security-focused desktop operating system that uses hardware virtualization to isolate different activities in separate virtual machines.
QUIC Protocol
[Networking] A modern transport protocol developed by Google that combines features of TCP and TLS into a single encrypted connection, reducing latency.
R
Ransomware
[Security] Malware that encrypts a victim's files and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware also threatens to publish stolen data if ransom isn't paid (double extortion).
Ransomware Defense
[Attacks] Strategies and practices for preventing, detecting, and recovering from ransomware attacks that encrypt your data and demand payment.
Real-Time Bidding
[Surveillance] An automated auction system where your personal data is broadcast to hundreds of advertisers in milliseconds every time you load a webpage — creating the largest data leak most people have never heard of.
Recursive DNS
[Networking] A DNS server that resolves domain names on behalf of clients by querying the DNS hierarchy, creating a log of every website you visit.
Referrer Policy
[Browsers] An HTTP header that controls how much URL information is shared when navigating from one page to another, affecting cross-site tracking.
Registered Agent
[Legal] A person or company designated to receive legal documents and official state correspondence on behalf of a business entity, whose address appears on the public filing in place of the owner's — making the registered agent the first and most foundational layer of address privacy for any LLC or corporation.
Replay Attack
[Security] An attack where valid data transmission is maliciously repeated or delayed. The attacker captures legitimate encrypted data and retransmits it later to trick the system into unauthorized actions, even without decrypting the content.
Reproducible Builds
[Emerging Threats] A software build process that guarantees anyone can independently verify that the compiled binary exactly matches the published source code.
Right to Access
[Data Protection] A legal right under GDPR and similar laws that allows individuals to request a copy of all personal data an organization holds about them.
Right to Be Forgotten
[Legal] A legal right, primarily under GDPR Article 17, that allows individuals to request the deletion of their personal data from organizations and search engine results when it's no longer necessary or was processed without proper consent.
Ring Signatures
[Blockchain] A cryptographic technique that allows someone to sign a message on behalf of a group, making it impossible to determine which group member actually signed.
Romance Scam
[Attacks] A confidence scheme where criminals create fake romantic relationships through dating apps, social media, or messaging platforms to manipulate victims emotionally and financially — stealing an average of $14,000 per victim with total US losses exceeding $1.3 billion annually.
Room 641A
[Surveillance] A secret room in AT&T's San Francisco internet hub where the NSA installed fiber optic splitters to copy all internet traffic passing through — revealed by AT&T technician Mark Klein in 2006, providing the first physical evidence of mass domestic surveillance.
RSA
[Encryption] One of the first public-key cryptosystems, RSA is based on the mathematical difficulty of factoring the product of two large prime numbers. Named after its inventors Rivest, Shamir, and Adleman, it's still widely used for key exchange and digital signatures.
Rubber-Hose Cryptanalysis
[Attacks] A euphemism for extracting cryptographic keys through physical coercion or torture, highlighting that the weakest link in any encryption system is the human holding the key.
S
S/MIME
EmailA standard for public key encryption and signing of email messages, supported natively by most email clients.
Salt
EncryptionRandom data added to a password before hashing to ensure identical passwords produce different hashes. Salting defeats rainbow table attacks and prevents attackers from identifying users with the same password.
SAML
AuthenticationAn XML-based standard for exchanging authentication data between an identity provider and a service provider, commonly used in enterprise single sign-on.
Sanctions Compliance & Crypto
Financial PrivacyThe growing intersection of financial sanctions enforcement and cryptocurrency — where governments use OFAC sanctions, exchange regulations, and blockchain surveillance to extend traditional financial controls to digital assets, often at the expense of legitimate privacy.
Scrypt
EncryptionA memory-hard key derivation function designed to make brute-force attacks expensive by requiring large amounts of RAM as well as CPU time, which blunts the advantage of GPUs and ASICs. Its cost is set by the parameters N (work and memory), r (block size), and p (parallelism).
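A worked example, added here and not part of the glossary, showing the two entries above together: a per-user random salt fed into scrypt via Python's standard library, with the cost parameters stored next to the hash and a constant-time comparison on verification. The record format and the cost parameters are this example's own choices, not a standard.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters, chosen for this example: N = 2**14 and r = 8 mean roughly
# 128 * N * r = 16 MiB of RAM per guess. Raise N as hardware allows; it must be a power of two.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and return a self-describing record for storage.

    A fresh random salt is drawn for every call unless one is supplied (the
    explicit salt parameter exists only to demonstrate determinism for a fixed salt).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # unique per user, unpredictable, never reused
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    # Storing the parameters next to the hash lets you raise the cost later and
    # re-hash users transparently on their next successful login.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format: " + algo)
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    # compare_digest avoids leaking, via timing, how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("same password, different records:", record_a != record_b)
    print("verify correct password:", verify_password("correct horse battery staple", record_a))
    print("verify wrong password:  ", verify_password("Correct horse battery staple", record_a))
```

Two records for the same password differ because each carries its own salt, so a leaked database cannot be attacked with one precomputed table, and users sharing a password cannot be grouped.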
Sealed Sender
EmailA Signal messaging feature where the server cannot see who sent a message to whom, protecting sender identity metadata even from the service provider.
Section 702 (FISA)
LegalA provision of the Foreign Intelligence Surveillance Act that allows the NSA to collect communications of non-US persons abroad — but in practice sweeps up vast amounts of Americans' data through 'incidental collection.'
Secure Boot
HardwareA firmware security feature that ensures only cryptographically signed software can run during the boot process, preventing rootkits and boot-level malware.
Secure Enclave
HardwareAn isolated, hardware-protected area within a processor that handles sensitive operations like biometric data and encryption keys, separate from the main operating system.
Secure Multi-Party Computation
CloudA cryptographic technique that allows multiple parties to jointly compute a function over their combined data without revealing their individual inputs to each other.
Secure WiFi Setup
NetworkingBest practices for configuring your home WiFi network to prevent unauthorized access, reduce surveillance, and protect all connected devices — including router hardening, encryption settings, DNS configuration, and network segmentation.
Security Key
AuthenticationA physical hardware device used for two-factor authentication that provides phishing-resistant proof of identity. Security keys use cryptographic protocols (FIDO2/WebAuthn) that verify both the user and the website, preventing credential theft.
Security Through Obscurity
OpSecThe flawed practice of relying on secrecy of design or implementation as the primary security mechanism. Kerckhoffs's principle holds that a system should remain secure even when everything about it except the key is public; obscurity can add a layer, but it must never be the layer.
Seed Phrase
BlockchainA series of 12-24 words that serves as the master backup for a cryptocurrency wallet, from which all private keys can be regenerated.
Self-Hosting
ConceptsRunning software and services on your own hardware or server instead of using third-party SaaS. Self-hosting gives you control over your data, no reliance on corporate privacy policies, and the ability to customize—at the cost of maintenance and expertise.
Self-Sovereignty
OpSecThe principle that individuals should have complete ownership and control over their own identity, data, finances, and digital life without dependence on centralized authorities.
Server-Side Tracking
Data ProtectionServer-side tracking is a method of collecting user behavior data by processing it on the web server rather than in the user's browser, allowing organizations to bypass ad blockers, browser privacy settings, and third-party cookie restrictions.
Session Fixation
AttacksAn attack that forces a user to use a known session ID, allowing the attacker to hijack the session after the user authenticates.
Session Hijacking
SecurityAn attack where an attacker steals or predicts a valid session token to gain unauthorized access to a user's authenticated session. Once hijacked, the attacker can act as the legitimate user without knowing their password.
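A worked example, added here and not part of the glossary, that simulates the session fixation attack described above against two login implementations: one that keeps whatever session id the client presents, and a hardened one that ignores unknown ids and rotates the id on authentication. It also builds the cookie attributes that limit what a hijacker can do with a stolen id. The in-memory session table and the planted id are constructed for the example; no framework is involved.

```python
import secrets
from typing import Callable, Dict, Optional

SessionTable = Dict[str, Dict[str, Optional[str]]]


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG: unguessable, so hijacking by prediction is infeasible.
    return secrets.token_urlsafe(32)


def login_vulnerable(sessions: SessionTable, presented_sid: Optional[str], user: str) -> str:
    """Fixation-prone login: keeps whatever session id the client presented.

    Two mistakes: an unknown id is adopted and a record created for it, and the
    same id is kept across the anonymous-to-authenticated transition.
    """
    sid = presented_sid or new_session_id()
    sessions.setdefault(sid, {"user": None})["user"] = user
    return sid


def login_hardened(sessions: SessionTable, presented_sid: Optional[str], user: str) -> str:
    """Fixation-resistant login: discard the pre-auth session and issue a new id."""
    if presented_sid is not None:
        # Only server-issued ids are meaningful; an unknown one is simply dropped.
        sessions.pop(presented_sid, None)  # invalidate the pre-authentication session
    sid = new_session_id()  # rotate the id on every privilege change
    sessions[sid] = {"user": user}
    return sid


def current_user(sessions: SessionTable, sid: str) -> Optional[str]:
    record = sessions.get(sid)
    return record["user"] if record else None


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that narrow what a hijacker can do with a stolen or leaked id."""
    # HttpOnly: not readable by script (XSS); Secure: never sent over plain HTTP;
    # SameSite=Lax: not attached to most cross-site requests; __Host- prefix: no Domain/Path games.
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attack(login: Callable[[SessionTable, Optional[str], str], str]) -> Optional[str]:
    """Simulate the attack against a given login implementation.

    The attacker plants a session id of their choosing in the victim's browser
    (for example via a crafted link or cookie injection), waits for the victim
    to log in, then presents the planted id themselves.
    """
    sessions: SessionTable = {}
    planted = "attacker-chosen-id-0001"  # constructed for the example
    login(sessions, planted, "alice")  # victim authenticates while carrying the planted id
    return current_user(sessions, planted)  # what the attacker now sees with the planted id


if __name__ == "__main__":
    print("vulnerable login, attacker is:", fixation_attack(login_vulnerable))
    print("hardened login, attacker is:  ", fixation_attack(login_hardened))
    print(set_cookie_header(new_session_id()))
```

Against the vulnerable login the attacker's planted id becomes Alice's authenticated session; against the hardened one the planted id maps to nothing, because the only authenticated session is the freshly issued one that was sent only to Alice's browser.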
Sextortion
AttacksA form of blackmail where criminals threaten to share intimate images, videos, or sexual information about a victim unless they pay money, provide more explicit content, or comply with other demands. It affects adults and minors and is one of the fastest-growing cybercrimes.
SHA-256
EncryptionA cryptographic hash function that produces a 256-bit (32-byte) hash value. Part of the SHA-2 family, it's widely used for data integrity verification, digital signatures, HMAC, and as the backbone of Bitcoin's proof-of-work. Because it is fast by design, it should not be used on its own to hash passwords; password storage needs a salted, deliberately slow function such as scrypt, Argon2, or PBKDF2-HMAC-SHA256 built on top of it.
Shadow AI
AI & AutomationThe unauthorized use of AI tools by employees within an organization — uploading sensitive company data to ChatGPT, Gemini, or other AI services without IT approval or security review.
Shadow Profile
Data ProtectionA hidden data profile that platforms like Facebook/Meta build about people who have never created an account — assembled from contact lists uploaded by other users, tracking pixels on third-party websites, and data purchased from brokers.
Shamir's Secret Sharing
EncryptionA cryptographic method for splitting a secret into multiple shares so that any defined threshold of shares (k of n) reconstructs it, while fewer than k reveal nothing at all about the secret.
Shoulder Surfing
AttacksObserving someone's screen or keyboard to steal passwords, PINs, or other sensitive information, one of the simplest and most effective attacks.
Side-Channel Attack
AttacksAn attack that exploits indirect information leakage from a system — such as timing, power consumption, or electromagnetic emissions — rather than breaking the cryptography directly.
Sideloading
MobileInstalling applications from sources outside the official app store, which can enhance privacy by avoiding store tracking but requires caution about malware.
Signal Protocol
EncryptionA cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. Developed by Open Whisper Systems (now Signal Messenger), it combines the Double Ratchet algorithm, prekeys, and the X3DH (Extended Triple Diffie-Hellman) handshake, since extended with a post-quantum component as PQXDH, to provide forward secrecy and post-compromise security (sometimes called future secrecy).
SIM Cloning
AttacksCreating a duplicate of a SIM card to intercept calls and messages intended for the original, potentially bypassing SMS-based authentication.
SIM Swapping
AuthenticationA social engineering attack where an attacker convinces a mobile carrier to transfer your phone number to their SIM card, hijacking SMS-based authentication.
Single Sign-On
AuthenticationAn authentication method allowing users to access multiple applications with one set of credentials. While convenient for users and administrators, SSO creates a single point of failure—compromise one account, compromise them all.
Site Isolation
BrowsersA browser security feature that runs each website in its own process, preventing malicious sites from accessing data from other open sites.
Smart City Surveillance
SurveillanceThe integration of IoT sensors, cameras, facial recognition, license plate readers, and data analytics into urban infrastructure — creating cities that can monitor every person, vehicle, and movement within them.
Smart Home Surveillance
Emerging ThreatsThe privacy risks created by internet-connected home devices that collect audio, video, and behavioral data, often shared with manufacturers and third parties.
Smart TV Surveillance
Emerging ThreatsThe data collection practices of internet-connected televisions that track what you watch, when you watch, how long you watch, and increasingly capture audio and visual data from your living room.
Smishing
AttacksPhishing attacks delivered via SMS text messages — fake delivery notifications, bank alerts, toll notices, and government messages designed to trick recipients into clicking malicious links or sharing personal information.
SMTP Relay
EmailA server that forwards email on behalf of the sender, which can either protect the sender's identity or be exploited for spam and spoofing.
SNI (Server Name Indication)
NetworkingA TLS extension that reveals which website you're connecting to in plaintext during the handshake, even though the rest of the connection is encrypted, so ISPs and censors can see the hostname. Encrypted Client Hello (ECH) is the successor mechanism designed to hide it.
Social Credit System
Emerging ThreatsA system that assigns citizens a score based on their behavior, determining their access to services, travel, loans, and opportunities — currently implemented in China.
Social Engineering
SecurityPsychological manipulation techniques used to trick people into revealing confidential information or performing actions that compromise security. Social engineering exploits human trust rather than technical vulnerabilities.
Social Media Privacy Audit
Data ProtectionA systematic review of your social media accounts to identify and fix privacy exposures — including public posts, tagged photos, connected apps, location data, and information visible to strangers.
Sockpuppet Accounts
SurveillanceFake or alternate online identities used to create the illusion of grassroots support, manipulate discussions, or evade bans — a form of identity deception for influence or harassment.
SOCKS5
NetworkingThe latest version of the SOCKS protocol (RFC 1928), which routes network traffic through a proxy server. SOCKS5 supports authentication, UDP traffic, and IPv6, making it more versatile than previous versions or HTTP proxies, but it provides no encryption of its own: traffic is only protected if the proxy connection is carried inside an encrypted tunnel such as SSH or Tor.
SolarWinds Attack
AttacksA sophisticated 2020 supply chain attack where Russian-linked hackers compromised SolarWinds' Orion build and update pipeline, shipping a trojanized update to roughly 18,000 customers. A much smaller subset of those, including the US Treasury, Commerce, Homeland Security, and major technology companies, was then actively exploited through the backdoor.
Source of Funds
LegalEvidence showing where the money for a specific transaction came from, such as salary, business income, an asset sale, inheritance, or documented crypto gains.
Split Tunneling
NetworkingA VPN feature that lets you route some traffic through the VPN while other traffic goes directly to the internet.
SS7 Vulnerability
SurveillanceSecurity flaws in the SS7 telephone signaling protocol that allow attackers to intercept calls, read SMS messages, and track phone locations globally.
Standard Contractual Clauses
LegalStandard Contractual Clauses (SCCs) are pre-approved contract terms issued by the European Commission that allow organizations to legally transfer personal data from the EU to countries that lack an adequacy decision, by binding the recipient to EU-level data protection obligations.
State Privacy Laws
LegalUS state-level data privacy legislation that fills the gap left by the absence of a comprehensive federal privacy law — with California, Virginia, Colorado, Connecticut, and others creating a patchwork of consumer privacy protections.
Stealth Address
BlockchainA technique where the sender generates a unique, one-time address for each transaction, preventing observers from linking transactions to the receiver.
Steganography
EncryptionThe practice of hiding secret data within ordinary files like images, audio, or text, so that the existence of the hidden data is not apparent.
Stellar Wind
SurveillanceA secret NSA warrantless surveillance program authorized by President George W. Bush after 9/11 that collected Americans' phone records, email metadata, and internet activity without court approval — operating outside legal oversight from 2001 to 2007.
Stingray Device
SurveillanceA brand name for cell-site simulators originally manufactured by Harris Corporation (now L3Harris), commonly used by law enforcement to identify and locate phones by impersonating a cell tower, and in some configurations to intercept calls and texts.
Stop Spam Calls
MobileMethods and tools for reducing unwanted robocalls, scam calls, and telemarketing calls — including carrier-level blocking, third-party apps, Do Not Call registration, and the root cause solution of removing your phone number from data broker databases.
Stream Cipher
EncryptionAn encryption algorithm that encrypts data one bit or byte at a time by XORing it with a continuous keystream derived from the key and a nonce, suitable for real-time encryption of streaming data. The keystream must never be reused: encrypting two messages under the same key and nonce lets an attacker XOR the ciphertexts to cancel the keystream and recover the XOR of the plaintexts.
Stylometry
Emerging ThreatsThe statistical analysis of writing style to identify or verify the authorship of text, potentially de-anonymizing pseudonymous authors.
Subpoena
LegalA legal order requiring a person or company to provide testimony, documents, or other evidence in legal proceedings. Service providers may receive subpoenas demanding user data, which is why privacy-focused services minimize data collection.
Substance Requirements
LegalLegal and regulatory standards requiring that a business entity or tax resident demonstrate genuine economic activity — physical presence, local employees, real office space — in the jurisdiction where they claim benefits.
Supercookie
BrowsersA tracking mechanism that is more persistent than regular cookies — surviving browser clearing, private browsing mode, and even device resets — including HSTS supercookies, ETags, and ISP-injected tracking headers.
Supply Chain Attack
AttacksAn attack that compromises a target by infiltrating a trusted supplier, vendor, or software dependency in their supply chain.
Supply Chain Transparency
Emerging ThreatsThe ability to verify the origin, integrity, and security of every component in a technology product, from hardware manufacturing to software dependencies.
Surveillance
SurveillanceThe monitoring of behavior, activities, or information for the purpose of influence, management, or control. Surveillance can be government (law enforcement, intelligence), corporate (advertising, data brokers), or interpersonal (stalking, domestic abuse).
Surveillance Capitalism
SurveillanceAn economic system where personal data is systematically collected, analyzed, and sold to predict and influence human behavior for profit.
Surveillance Pricing
SurveillanceThe practice of using personal data — browsing history, location, device type, purchase history, and behavioral profiles — to show different prices to different people for the same product or service.
Surveillance State
SurveillanceA government that exercises extensive monitoring of its citizens through technology, law, and institutional power, often justified by national security or public safety.
Swatting
AttacksA dangerous form of harassment where someone makes a false emergency report (bomb threat, hostage situation, active shooter) to send armed police or SWAT teams to a victim's address — potentially resulting in injury or death.
Sybil Attack
NetworkingA Sybil attack is a security exploit in which a single adversary creates many fake identities to gain disproportionate influence or control over a decentralized network, voting system, or trust mechanism.
Symmetric Encryption
EncryptionAn encryption method where the same secret key is used for both encrypting and decrypting data. While fast and efficient, the challenge lies in securely sharing the key between parties.
Synthetic Data
AI & AutomationSynthetic data is artificially generated data that statistically mirrors the patterns and characteristics of real data without containing any actual records about real individuals, enabling machine learning, testing, and analysis while reducing privacy risk.
Synthetic Identity Fraud
Emerging ThreatsA type of identity theft that combines real and fictitious information to create entirely new fake identities, making detection extremely difficult.
Synthetic Media
AI & AutomationAny media — video, audio, images, or text — that is generated or substantially modified by artificial intelligence, including deepfakes, AI-generated voices, and fabricated photographs.
T
T-Mobile Data Breaches
Data ProtectionA series of major data breaches at T-Mobile between 2018 and 2024, collectively affecting over 100 million customers — with the 2021 breach alone exposing names, Social Security numbers, and driver's license data of 76.6 million people.
Tails OS
HardwareA portable operating system that routes all traffic through Tor and leaves no trace on the computer it runs on, designed for maximum anonymity.
Tax Mitigation
LegalLegal strategies to minimize tax liability through proper business structuring, jurisdiction selection, and use of available deductions — distinct from tax evasion, which is illegal.
Tax Treaty
LegalA bilateral agreement between two countries that determines which country has the right to tax specific types of income, prevents double taxation, and establishes rules for information exchange.
TCP/IP
NetworkingThe fundamental protocol suite of the internet that defines how data is addressed, transmitted, routed, and received across networks.
Tech Company Data Requests
SurveillanceGovernment demands to technology companies for user data — including emails, messages, location history, account information, and stored files — issued through subpoenas, court orders, search warrants, and national security letters, with most major companies receiving hundreds of thousands per year.
Tempora
SurveillanceA secret mass surveillance program operated by British intelligence agency GCHQ that taps undersea fiber optic cables to intercept and store vast quantities of global internet and phone communications — revealed by Edward Snowden in 2013.
Terms of Service
LegalA legal agreement between a service provider and user that defines the rules, rights, and responsibilities of both parties, often containing privacy-relevant clauses.
Territorial Taxation
LegalA tax system where a country only taxes income earned within its borders, leaving foreign-sourced income untaxed — the holy grail for digital nomads earning income from clients worldwide.
Third-Party Cookie Deprecation
BrowsersThe industry-wide shift away from third-party tracking cookies that is reshaping online advertising. Safari and Firefox block them by default, and Chrome announced and then repeatedly postponed a phase-out, pushing the ad tech industry toward other ways of tracking users across the web, such as fingerprinting and server-side tracking.
Third-Party Doctrine
LegalThe third-party doctrine is a United States legal principle stating that individuals lose their Fourth Amendment expectation of privacy for information they voluntarily share with third parties, such as banks, internet service providers, or telecom companies.
Third-Party Tracking
SurveillanceThe practice of monitoring user behavior across multiple websites using embedded scripts, pixels, cookies, and fingerprinting techniques.
Threat Model
SecurityA systematic analysis of what you're trying to protect, from whom, the consequences of failure, and what resources you can apply. Threat modeling helps prioritize security efforts by focusing on realistic threats rather than theoretical ones.
Threat Modeling
OpSecThe systematic process of identifying potential threats, vulnerabilities, and attack vectors to determine appropriate security and privacy measures.
Time-Based One-Time Password (TOTP)
AuthenticationA two-factor authentication method (RFC 6238) that generates short-lived codes by computing an HMAC over the current time interval, typically 30 seconds, with a secret shared between the server and an authenticator app such as Google Authenticator. Because a code can be relayed by a phishing site while it is still valid, TOTP is weaker than phishing-resistant security keys.
TLS
EncryptionTransport Layer Security is a cryptographic protocol designed to provide secure communication over a computer network. TLS encrypts the connection between your browser and web servers, ensuring privacy and data integrity. It's the technology behind HTTPS.
Tokenization
Data ProtectionA data security technique that replaces sensitive data with non-sensitive placeholder tokens while storing the original data in a secure vault.
Tor
NetworkingThe Onion Router—a free network that routes your traffic through multiple layers of encrypted relays. No single relay knows both your identity and your destination. Tor enables anonymous browsing, access to .onion sites, and censorship circumvention.
Tor Bridge
NetworkingAn unlisted Tor relay that helps users in censored regions connect to the Tor network when direct access is blocked.
Tor Hidden Service Protocol
NetworkingThe protocol by which Tor onion services establish and maintain their hidden network presence, using introduction points and rendezvous points.
Tor Network
AnonymityA free, open-source software and network that enables anonymous communication by directing Internet traffic through a worldwide volunteer overlay network of thousands of relays. Tor conceals users' locations and usage from surveillance and traffic analysis.
Tor Project
NetworkingThe nonprofit organization that develops and maintains the Tor anonymity network and Tor Browser — providing free, open-source tools for anonymous internet access used by journalists, activists, whistleblowers, and anyone seeking to browse the web without surveillance.
Tornado Cash
BlockchainA decentralized cryptocurrency mixing protocol on Ethereum that was sanctioned by the US Treasury in August 2022 — the first time the US government sanctioned a piece of open-source software rather than a person or entity, raising fundamental questions about code as speech.
Tracking
TrackingThe collection and correlation of data about your behavior across devices, sites, and time. Tracking enables targeted advertising, analytics, and surveillance. It's how companies and data brokers build detailed profiles of who you are and what you do.
Traffic Analysis
SecurityThe process of examining patterns in communication metadata—who talks to whom, when, how often, and how much—to extract intelligence without accessing content. Even encrypted communications leak metadata that can reveal sensitive information.
Transfer Impact Assessment
LegalA Transfer Impact Assessment (TIA) is a legal analysis required under GDPR to evaluate whether a cross-border data transfer to a country outside the EEA adequately protects personal data despite the destination country's laws and surveillance practices.
Transparency
ConceptsOpenness and accountability—making processes, policies, and practices visible to those affected. In privacy, transparency means disclosing what data is collected, how it's used, and who has access. It's a prerequisite for informed consent and meaningful choice.
Transparency Report
LegalA periodic publication by a company disclosing the number and types of government data requests received, and how many were complied with.
Travel Rule (Crypto)
Financial PrivacyA financial regulation requiring cryptocurrency exchanges and virtual asset service providers to collect and share sender and recipient identity information for transactions above a certain threshold — effectively extending banking surveillance rules to the crypto ecosystem.
Trusted Platform Module (TPM)
HardwareA specialized security chip built into most modern computers that provides hardware-based cryptographic functions and secure key storage.
Two-Factor Authentication
AuthenticationA security method requiring two different types of identification to access an account: something you know (password) plus something you have (phone, hardware key) or something you are (biometric). This significantly reduces the risk of unauthorized access even if your password is compromised.
Two-Person Integrity
OpSecA security principle requiring two authorized people to complete a critical action, preventing any single person from causing harm.
Typosquatting
AttacksRegistering domain names that are common misspellings of popular websites to capture traffic from users who mistype URLs.
V
Vault 7
SurveillanceA series of documents published by WikiLeaks in 2017 revealing the CIA's extensive cyber weapons arsenal — including tools to hack iPhones, Android phones, smart TVs, Windows, macOS, Linux, and even connected cars.
Virtual Phone Number
MobileA phone number that isn't tied to a physical SIM card or phone line — used for privacy-conscious communication, separating personal and business identities, protecting your real number from data brokers, and providing a layer of anonymity for online signups.
Virtual Private Network
NetworkingA technology that creates a secure, encrypted connection over a less secure network, such as the public internet. VPNs mask your IP address, encrypt your internet traffic, and can make it appear as though you're browsing from a different location.
Virtual Private Network Kill Switch
NetworkingA VPN feature that blocks all internet traffic if the VPN connection drops, preventing accidental exposure of your real IP address.
VPN for Beginners
NetworkingA plain-language guide to understanding what a VPN does, when to use one, what it doesn't protect against, and how to choose a trustworthy provider.
VPN Protocol
NetworkingThe set of rules and encryption methods that determine how a VPN tunnel is established and how data is transmitted through it.
W
Warrant
LegalA legal document issued by a judge authorizing law enforcement to conduct a search, seizure, or surveillance, requiring probable cause.
Warrant Canary
LegalA method by which a service provider can inform users that they have NOT received a secret government subpoena. If the canary statement is removed or not updated, it signals that the provider may have received such an order and is legally prevented from disclosing it.
Watering Hole Attack
AttacksA targeted attack that compromises a website frequently visited by a specific group of people, infecting visitors with malware.
Wearable Data Privacy
Emerging ThreatsThe privacy risks of fitness trackers, smartwatches, smart rings, and health wearables that collect intimate biometric and behavioral data — heart rate, sleep patterns, location, stress levels, and menstrual cycles.
Web Application Firewall
CloudA security tool that monitors and filters HTTP traffic between a web application and the internet, protecting against common web attacks.
WebAuthn
AuthenticationA web standard that enables passwordless authentication using hardware security keys, biometrics, or platform authenticators.
WebRTC
BrowsersA browser technology for real-time communication (video calls, file sharing) that can accidentally reveal your real IP address even when using a VPN.
WebRTC Leak
BrowsersA browser vulnerability where WebRTC (used for video calls and peer-to-peer communication) reveals your real IP address even when using a VPN, because WebRTC can access your network interfaces directly.
Website Privacy Score
Data ProtectionA rating that evaluates how well a website respects visitor privacy, based on trackers, cookies, security headers, third-party requests, and fingerprinting.
What Does My ISP See
SurveillanceA breakdown of exactly what information your internet service provider can monitor about your online activity, and what tools prevent this surveillance.
Whistleblower
LegalA person who exposes information about wrongdoing within an organization, often at great personal risk, requiring strong privacy and security measures to protect their identity.
WireGuard
NetworkingA modern, lightweight VPN protocol with approximately 4,000 lines of code, designed for simplicity, speed, and strong cryptography.
Wyoming LLC
LegalA limited liability company formed in Wyoming, which offers the strongest privacy protections, lowest fees, and most favorable laws for business owners seeking anonymity.
X
XChaCha20
EncryptionAn extended-nonce variant of ChaCha20 that uses a 192-bit nonce instead of the 96-bit IETF nonce. With 96 bits, randomly generated nonces risk a collision after roughly 2^48 messages under one key, which is catastrophic for a stream cipher; 192 bits make random nonce generation safe in practice, so no counter state has to be tracked across messages.
XKEYSCORE
SurveillanceAn NSA surveillance system that enables analysts to search and analyze global internet data including emails, browsing activity, and social media content in near real-time.
Z
Zero Trust Network Access
CloudA security model that replaces traditional VPNs by granting access to specific applications rather than entire networks, based on continuous identity verification.
Zero-Day Exploit
AttacksAn attack that exploits a previously unknown software vulnerability, giving defenders zero days to prepare a patch before it's used in the wild.
Zero-Knowledge Proof
EncryptionA cryptographic method by which one party can prove to another party that they know a value, without conveying any information apart from the fact that they know the value. This allows authentication and verification without exposing sensitive data.
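A worked example, added here and not part of the glossary, of the classic Schnorr proof of knowledge of a discrete logarithm, the simplest protocol that exhibits the properties named above. It runs the three-move exchange between prover and verifier, shows the zero-knowledge property by producing an accepting transcript without the secret, and shows soundness (and the hazard of reusing the commitment randomness) by extracting the secret from two transcripts that share a commitment. The group parameters are tiny toy values constructed for readability and offer no security.

```python
import secrets
from typing import Optional, Tuple

# Toy group parameters, constructed for this example only: p is a safe prime, q = (p-1)/2
# is prime, and g = 4 generates the subgroup of order q. Real deployments use a 256-bit
# elliptic-curve group or a 2048-bit (or larger) MODP group; these numbers are breakable by hand.
P = 2039
Q = 1019
G = 4

Transcript = Tuple[int, int, int]  # (commitment t, challenge c, response s)


def keygen() -> Tuple[int, int]:
    """Secret x and public y = g^x mod p. Knowing x is what the prover will demonstrate."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    def __init__(self, x: int):
        self._x = x
        self._r: Optional[int] = None

    def commit(self) -> int:
        # Fresh randomness every run; reusing r across two challenges leaks x (see extract_secret).
        self._r = secrets.randbelow(Q)
        return pow(G, self._r, P)

    def respond(self, challenge: int) -> int:
        return (self._r + challenge * self._x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p), which holds exactly when s = r + c*x with t = g^r."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x: int, y: int, challenge: Optional[int] = None) -> Tuple[bool, Transcript]:
    """Interactive three-move protocol: commit, challenge, respond."""
    prover = Prover(x)
    t = prover.commit()
    c = secrets.randbelow(Q) if challenge is None else challenge % Q
    s = prover.respond(c)
    return verify(y, t, c, s), (t, c, s)


def simulate_transcript(y: int) -> Transcript:
    """Zero-knowledge: anyone can produce an accepting transcript *without* x by choosing the
    challenge before the commitment. Real transcripts are distributed identically, so the
    verifier learns nothing it could not have generated on its own."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P  # t = g^s * y^(-c)
    return t, c, s


def extract_secret(first: Transcript, second: Transcript) -> int:
    """Soundness, and the nonce-reuse hazard: two accepting transcripts with the same
    commitment but different challenges reveal x = (s1 - s2) / (c1 - c2) mod q."""
    (t1, c1, s1), (t2, c2, s2) = first, second
    if t1 != t2 or c1 == c2:
        raise ValueError("need the same commitment and distinct challenges")
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q


if __name__ == "__main__":
    x, y = keygen()
    accepted, transcript = run_protocol(x, y)
    print("honest prover accepted:", accepted)
    print("simulated transcript verifies:", verify(y, *simulate_transcript(y)))
    careless = Prover(x)
    t = careless.commit()
    leaked = extract_secret((t, 5, careless.respond(5)), (t, 9, careless.respond(9)))
    print("secret recovered from reused commitment:", leaked == x)
```

The interactive form needs the verifier to pick the challenge; the non-interactive variant hashes the commitment (and the statement) to derive it, which is the Fiat-Shamir transform behind Schnorr signatures and many deployed zero-knowledge systems.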
Zero-Knowledge Rollup
BlockchainA blockchain scaling technique that bundles hundreds of transactions into a single succinct validity proof that the base chain can verify cheaply, improving throughput. Despite the name, most zero-knowledge rollups use the proofs for compression and correctness rather than privacy; transaction data usually remains public unless the rollup is specifically designed to hide it.
Zero-Party Data
Data ProtectionData that consumers intentionally and proactively share with a brand — preferences, intentions, and context they volunteer — distinct from first-party (collected) and third-party (acquired) data.
Zero-Trust Architecture
CloudA security model that assumes no user, device, or network is inherently trusted, requiring continuous verification for every access request.