The Sovereign Dossier, Part 3: Privacy Practices — The Operational Stack That Actually Works

Part 1 mapped who the brokers are. Part 2 walked through where the dossier ends up and the regulatory floor now coming into force.

No defensive practice reduces the dossier to zero. The broker graph is sticky, the re-ingest runs quarterly, and a few of the most useful tools require either money, a credit card, a working knowledge of a Raspberry Pi, or some combination. What a maintained defensive stack does do is shrink the surface, raise the price of attaching new data to your existing record, force the brokers to re-derive identifiers they used to get for free, and give you statutory levers that did not exist eighteen months ago. Done well, the dossier on you next year is materially thinner than the dossier on you this year — and the next NPD-scale breach hits the people who didn’t bother before it hits you.

The Threat Surface in Operational Terms

Five vectors do most of the work of feeding the dossier.

DOM harvesting and tracking pixels. When you type your email or phone number into a form on a retailer’s site, the major ad pixels — Meta, TikTok, Google, several others — read the field directly from the page’s Document Object Model before you ever press submit. The script computes a SHA-256 hash of what you typed and exfiltrates the hash. Because SHA-256 is deterministic, the same email address produces the same hash on every site that runs the pixel, which means brokers can stitch your behavior across hundreds of unrelated domains without needing a third-party cookie at all. This is what “Advanced Matching” and “Automatic Events” mean in the Meta and TikTok pixel docs, and they are on by default.

Plaintext DNS leakage. Every time your device tries to reach a hostname, it asks a DNS resolver for the IP. By default, that query goes out in plaintext on port 53 to whichever resolver your ISP or router hands you. The query happens before any TLS handshake, which means the resolver — and by extension the ISP — sees every domain you attempt to reach, with a precise timestamp. That feed is monetized. ISPs sell or share it. Public resolvers like Google’s 8.8.8.8 and Cloudflare’s 1.1.1.1 are better than your ISP for privacy posture but still concentrate query logs at a third party.

WHOIS scraping. ICANN requires domain registrants to publish accurate contact information in the WHOIS registry. Brokers’ bots index every new registration within hours. If you registered your-real-name.com with your real name, email, and address ten years ago, that record is still in dozens of broker databases — and is now a high-confidence anchor that ties your home address to anything else they can attach to you.

Mobile SDK telemetry. Apps embed third-party SDKs that collect precise GPS, Wi-Fi SSIDs you connect to, Bluetooth MAC addresses around you, and your Mobile Advertising ID (MAID — Apple’s IDFA, Google’s GAID). The SDK ships this to its vendor, which sells it to brokers. The FTC’s Part 2 enforcement against InMarket made the scale of this concrete: one company’s SDK was harvesting location from over 100 million unique devices per year through its own apps and third-party apps.

Breach ingestion. When a breach dumps credentials and personal data on the open web, brokers don’t ignore it — they ingest it. Plaintext passwords from 2014 breaches still get cross-referenced against modern accounts. Security questions and password-recovery answers from the LinkedIn breach are still used to pivot. The graph integrates everything it can attach to a known identifier.

The Individual Stack

Network: Self-Hosted Recursive DNS

The single highest-leverage thing a technically-comfortable person can do is take their DNS resolution back from their ISP and from public resolvers. The standard architecture is Pi-hole as a local sinkhole, Unbound as a local recursive resolver, running on a Raspberry Pi (or any always-on Linux host) on your home network.

The mechanics, per the Pi-hole documentation:

1. Devices on your network point their DNS at the Pi-hole’s IP on port 53.
2. Pi-hole compares the query against blocklists of known tracking, advertising, and telemetry domains. Anything on the list is dropped at the door.
3. Anything that passes is forwarded to Unbound, listening on 127.0.0.1#5335 on the same machine.
4. Unbound does recursive resolution. Instead of asking Google or Cloudflare to look up the domain for you, it asks the DNS root nameservers directly, follows the TLD referral chain (.com, .org), and queries the authoritative nameserver itself. There is no upstream third party logging your queries because there is no upstream third party.
5. Unbound also validates DNSSEC signatures, which means resolved records that have been tampered with in transit get rejected before they reach you.

A minimal install on Raspberry Pi OS Lite (64-bit):

# Base system
sudo apt update && sudo apt upgrade -y
sudo apt install unbound -y

# Disable resolvconf conflict so it doesn't overwrite Unbound config
sudo systemctl disable --now unbound-resolvconf.service
sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf
sudo rm -f /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

# Increase socket buffer for high query volume
echo "net.core.rmem_max=1048576" | sudo tee /etc/sysctl.d/99-unbound.conf
sudo sysctl -p /etc/sysctl.d/99-unbound.conf

In the Unbound config (/etc/unbound/unbound.conf.d/pi-hole.conf), bind to port 5335 on the loopback so it doesn’t conflict with Pi-hole on port 53. In the Pi-hole admin UI under Settings → DNS, set 127.0.0.1#5335 as the only upstream and untick every public resolver. Do not leave 8.8.8.8 or 1.1.1.1 checked alongside Unbound — Pi-hole will fall back to them for anything it can’t resolve from cache, defeating the point.

Finally, on the edge router, add a firewall rule that NAT-redirects any outbound traffic on port 53 (and 853 for DNS-over-TLS) back to the Pi-hole. Otherwise, smart TVs, IoT devices, and Chromecast-style hardware will quietly bypass it and resolve against their hardcoded upstreams.

For environments where full recursive resolution is overkill — laptops on the road, for instance — Unbound can also be configured to forward encrypted DNS-over-TLS queries to a chosen upstream, which still keeps local routers and ISPs from logging the domains.

Identity Isolation: Aliases, Hardware Keys, Domain Privacy

Brokers’ identity-resolution products are good at stitching together an email address used on five different sites. They cannot stitch together five different email addresses — at least, not easily. That asymmetry is the basis of aliasing.

Use SimpleLogin, Addy.io, or Cloudflare Email Routing to generate a unique forwarding alias for every web service you sign up for. Each alias forwards to the same real inbox, but each service only ever sees its own dedicated alias. If a service is breached, the leaked email address cannot be used to pivot into any of your other accounts — and the brokers cannot correlate your behavior across services using the email address as a key.

Tie the aliasing to a domain you own. Register the domain through a registrar that supports WHOIS privacy by default — most reputable registrars (Cloudflare, Namecheap, Porkbun) do this — so your real name, address, and phone number are never indexed by the WHOIS scrapers. If you’ve ever registered a domain with real contact details, expect that record to live in broker databases roughly forever; switch the registrar to one that proxies WHOIS, but understand the older record may not fully delete.

For account security, the threat model is no longer “someone guesses your password.” It is “someone with bulk credential dumps tries them against every service you use.” Defense:

• FIDO2 / WebAuthn hardware keys (YubiKey 5 series, Solo, Titan) for every account that supports them. SMS- and TOTP-based MFA are better than nothing but are bypassable; a FIDO2 key is not phishable without physical possession.
• Google Advanced Protection Program if you have a Google account that matters. It enforces FIDO2 for sign-in, blocks third-party app access to Gmail/Drive, and ramps up Chrome’s Safe Browsing.
• Apple Advanced Data Protection on iCloud. Without it, your iCloud backups (which include iMessage history, photos, and Keychain on most accounts) are encrypted with keys Apple holds. With it, the keys never leave your devices.
• A password manager (1Password, Bitwarden) with a unique random password per account, so credential reuse stops being a pivot point.

Physical and Spatial Sanitization

Brokers anchor your digital identity to your physical address through public-records ingestion. The defenses are correspondingly physical.

• Voter registry. Public voter rolls are a primary anchor source. Most states publish them. Some states allow address-suppression registration for victims of stalking, domestic violence, or specific categories of risk; others let you withhold publication for political-party purposes only. Check your state’s specific rules and file whatever exemption you qualify for.
• PO Box with USPS Street Addressing. A standard PO Box address is rejected by most online merchants (UPS, FedEx, and Amazon often won’t deliver to one). The fix is the USPS Premium PO Box Service with Street Addressing: your PO Box gets formatted as the post office’s street address followed by # and your box number — 500 Main Street #59 instead of PO Box 59 — which passes merchant validation and accepts UPS/FedEx/DHL/Amazon deliveries. Important caveat from USPS’ own customer agreement: you cannot use this address as your legal residence or place of business on legal documents. Misuse can get the box closed. Use it for shopping, shipping, and personal correspondence — not as a substitute for a real address on regulated paperwork.
• Real estate held in trust. For property owners, county recorders publish deed information publicly. Purchasing through a blind land trust or LLC keeps your personal name off the deed and out of the property-database scrape. This is jurisdiction-specific, has tax and estate-planning implications, and is worth talking to a real estate attorney about — not something to DIY off a blog post — but the privacy effect is real.

Financial Pseudonymity

Card-on-file at every merchant means that every merchant — and every broker the merchant sells transactions to — gets to use the card’s identifier as another stitch in your graph. The defense is unique virtual cards.

Privacy.com (now part of Lithic) issues single-use or single-merchant virtual cards funded from your real bank account. Each card carries its own number, a custom spending cap, a freeze toggle, and lets you submit any name and billing address you want at checkout. From the broker’s perspective, every merchant sees a different card and a different identity envelope, which kills correlation. Practical posture: one card per recurring subscription, one disposable card per one-off purchase, and lock or close cards the moment the relationship ends. Most U.S. cardholders qualify. Equivalents exist for some Canadian users; the market is thinner here.

Mobile Posture

Mobile is the highest-leakage device most people carry, and the defenses are blunt:

• Reset your Mobile Advertising ID on a schedule — iOS Settings → Privacy → Tracking, Android Settings → Privacy → Ads. Both platforms support resetting the ID, which forces brokers to re-stitch.
• Deny location access to anything that doesn’t structurally need it. Weather apps don’t need precise location, they need a city. A flashlight app needs nothing.
• Audit installed SDKs for apps you can’t avoid. The App Store privacy labels and Google Play data-safety section disclose, imperfectly, what each app’s SDK partners collect. Uninstall the ones whose disclosures make no sense for the app’s purpose.
• For high-risk threat models, GrapheneOS on a Pixel or iOS Lockdown Mode materially reduces the attack surface. Neither is a casual choice; both involve real usability tradeoffs.

There is a ceiling. Even with everything above, modern smartphones leak more per hour than the rest of the defensive stack can fully suppress. The realistic posture is harm reduction, not elimination. GrapheneOS and iOS Lockdown Mode close more of the gap than any of the smaller measures, but nothing closes it entirely; mobile is the most exposed surface in most threat models, and no configuration tweak changes that.

Programmatic Deletion: Manual Where It Counts, Automated for the Rest

The broker market is hierarchical. A small number of upstream “data authorities” — Acxiom, LexisNexis, the credit bureaus — feed downstream people-search sites. Deleting from the top of the hierarchy often causes downstream records to thin out on their own. Below them, hundreds of people-search sites scrape and republish constantly. The right strategy is manual at the top, automated at the bottom.

Manual Deletion at the Upstream Authorities

Use an incognito window, a clean email alias, and your real legal name for matching against each broker’s records:

Authority	Category	Opt-out endpoint	Processing time	Notes
Acxiom	Marketing & analytics	isapps.acxiom.com/optout	Up to 30 days	Email verification required. Profile may re-form when downstream partners send fresh data.
LexisNexis	Public records, legal, identity	suppression.lexisnexis.com	10-30 days	Requires selecting a basis for removal (e.g., risk of physical harm). May need prior-address verification.
Equifax	Credit & financial	myprivacy.equifax.com	15-30 days	Requires full name, address, last 4 of SSN for matching.
Spokeo	People-search	spokeo.com/optout	24-72 hours	UX is intentionally hostile. Requires exact profile URL. Frequently reappears in 3-6 months.
BeenVerified	Background check	beenverified.com/app/optout/search	7-14 days	Email confirmation. Opt out each duplicate listing separately.

Federal and state law restrict brokers from using the PII you submit in a deletion request for any purpose other than locating and suppressing your record. Practical hygiene says: still send only what’s needed, still use isolated browser sessions, still use aliases for the confirmation emails.

Automated Removal Services: What They Actually Differ On

Below the data authorities sit the long tail of people-search sites. Manual deletion there is whack-a-mole. The automated services exist to play whack-a-mole at scale on your behalf, and they differ in real ways. Current 2026 figures, verified against the providers’ own sites and Cybernews / State of Surveillance testing:

Service	Monthly cost (annual)	Automated broker coverage	Re-submission cadence	Differentiator
Incogni	~$7.99/mo	420+ brokers	Every 60-90 days	Surfshark-owned. Handles GDPR and CCPA simultaneously — useful cross-border. Deloitte-verified deletion claims.
DeleteMe	~$8.71/mo (1 yr)	~85 automated (claims 850, but ~569 require custom requests; practical ~181)	Quarterly manual sweeps	Adds email and phone masking. Slower but more human-verified.
Optery (Core / Extended / Ultimate)	$24.99/mo for Ultimate	370+ / 540+ / 645+ brokers	Continuous	Free exposure scanner with raw screenshots is the cleanest “before” view in the market. SOC 2 Type II. U.S./Canada only. Some reviewers flag optional AI-summary features as a potential PII-exposure concern; disable them if you care.
Aura	~$10/mo bundled	~140 brokers	Continuous	Bundled with credit monitoring, dark-web scanning, antivirus, VPN, up to $5M family identity-theft insurance. Less specialized on deletion; more comprehensive on overall identity protection.

• Coverage numbers are not directly comparable. “Brokers covered” means different things in marketing copy than in the field-test reports. Optery’s Ultimate field-test deletion rate is the highest I’ve found in independent reviews; Incogni’s value-per-dollar is the strongest; DeleteMe’s automated coverage is genuinely thinner than its marketing implies; Aura is the right answer if you want one bill for several adjacent problems.
• Treat every published deletion rate as an upper bound, not a guarantee. The numbers come from the providers themselves and from Consumer Reports field tests measured against the specific brokers each service knows about. The long tail of unregistered brokers, foreign brokers, and constant re-ingest sources is not in the denominator. The right mental model is “this service prunes the part of the dossier it can see,” not “this service deletes you.”
• For executives, public figures, current or former military, current or former intelligence personnel, abuse survivors, and anyone with a stalking-threat profile, the mass-market tier is not enough. BlackCloak and similar concierge services pair removal with broader digital-executive protection — security audit, family coverage, takedown of impersonation accounts. The mass-market tools were not designed against an adversary who will spend $0.12 per record to find you (see Part 2 on the Duke study).
• All of these are continuous services. The moment you cancel, the next re-ingest starts rebuilding the dossier. Treat them like a subscription to clean water: necessary, ongoing, not optional in the long run.

Legal Levers: When to Wield Which Statute

When a broker stonewalls or moves slowly, the statutes from Part 2 become live tools.

California Delete Act (DROP). If you are a California resident, the DROP request submitted on or after August 1, 2026 is the single highest-leverage move available to any individual in North America. The request is keyed to SHA-256 hashes of your identifiers — name, email, phone — which brokers must download from DROP, match against their internal data, and delete within 45 days. They must propagate deletion to their service providers and contractors and maintain a suppression list to prevent rebuilding the profile. Non-compliance: $200 per request per day. drop.cppa.ca.gov is the entry point. File once, sweep the entire registered broker market.

GDPR Article 17 (Right to Erasure). If you are a resident of the EU/EEA — or have ever interacted with an EU-based service — you have a formal “right to be forgotten” against any data controller, including U.S. brokers offering services in the EU. The fine for serious non-compliance is up to €20 million or 4% of global annual revenue. European-facing brokers comply quickly because they have to.

CCPA / CPRA. Even outside California, CCPA-style requests are often honored because brokers don’t want to build separate workflows per state. For California residents specifically, the Delete Act layered on top — DROP is the right primary lever, but the underlying CCPA right to deletion is what makes individual one-off requests work.

PIPEDA (Canada, federal). PIPEDA does not give you an absolute right to deletion of data still in use for its original purpose. What it does give you is the right to withdraw consent (Principle 4.5.3 and OPC interpretation), and once consent is withdrawn, the broker no longer has a legal basis for processing and must delete or de-identify. The lever is consent withdrawal; the effect is functionally equivalent to deletion for the data they were holding. For an ordinary person in a province without its own stringent regime — rural Manitoba, say — PIPEDA consent withdrawal plus a complaint to the OPC is the available toolkit, and it does not have the teeth of the California or Quebec regimes.

Alberta PIPA. Provincially regulated organizations in Alberta have to destroy or anonymize PII when it’s no longer needed, must notify the OIPC of breaches posing a “real risk of significant harm,” and face binding compliance orders plus penalties up to CAD $10,000 (individuals) or CAD $100,000 (organizations). The lever is an OIPC complaint, which has teeth most provincial privacy regimes do not.

Quebec Law 25. If you are a Quebec resident, you get the strongest deletion regime in North America: express opt-in consent, 30-day data portability, and penalty thresholds up to CAD $10M / $25M. Use it.

A useful pattern: file the statute-grounded request first, in writing, citing the specific provision. If the broker doesn’t respond within the statutory window, file a complaint with the relevant authority (CPPA, OPC, OIPC, CAI, ICO). Most of the time the request gets honored after the first formal letter; the small fraction that don’t are why the complaint authorities exist.

OSINT Self-Audit: See Yourself First

You cannot defend against a dossier you have not measured. The same open-source intelligence tools threat actors use to profile targets work in reverse to audit your own exposure.

• HaveIBeenPwned and DeHashed — check whether your email addresses appear in known breach corpora, and what data was exposed. Rotate every credential that turns up.
• Sherlock — python3 sherlock.py your-username scans 400+ platforms for accounts registered to that handle. Catches old, inactive accounts you forgot about, which are often the weakest pivot point.
• OSINT Industries or X-Ray Contact — real-time lookups across thousands of services to see what’s registered to a given email or phone number. Surfaces accounts you didn’t know still existed.
• ExifTool — strip metadata from photos and PDFs before you publish or share them.

# See everything embedded in a file
exiftool image.jpg

# Strip everything in place
exiftool -all= image.jpg

Most photos taken on a smartphone include precise GPS coordinates, the device’s exact camera model and serial number, the software used to edit, and exact creation timestamps. None of that needs to leave with the image.

• Maltego — graph-based relationship visualization. If you are in any threat model that includes family members or close contacts as pivot points (executives, public figures, journalists), running Maltego on your immediate circle exposes the weakest link in your own privacy posture. Often it’s a family member with a public real estate listing or a parent’s hometown newspaper interview.

Run the audit quarterly. The dossier moves; the surface changes.

The Organizational Stack: What Changes for Security and Privacy Leads

If you are responsible for a company’s data posture, Part 2’s regulatory shift translates into operational work, not just policy work.

Vendor procurement is now an export-control problem. The DOJ Bulk Data Transfer Rule treats certain bulk transfers of U.S. sensitive personal data to “countries of concern” or their covered persons as categorically prohibited transactions. PADFAA does the same at zero threshold for sensitive personal data on U.S. individuals. The compliance question for any vendor in your stack that touches consumer data is now: where does this data flow to, who owns the receiving entity, and is any of it bulk? You need a written Data Compliance Program structured around CISA security standards if you touch restricted categories at scale. That program needs auditable logging, employee training, and routine review.

Data inventory is the precondition. You cannot run a DCP without knowing what data you hold, what categories it falls into under the DOJ rule (genomic, biometric, geolocation, health, financial, covered identifiers), how it flows to vendors, and whether any of those vendors resell. Most organizations have not done this exercise. It is now the gate to compliance — not optional polish.

Broker procurement is now traceable risk. Buying audience data from Acxiom, identity resolution from LiveRamp, or risk-intelligence lookups from LexisNexis used to be an unremarked vendor relationship. After EO 14117, PADFAA, and the recent FTC posture, every broker-purchased dataset is a compliance line item with its own audit trail. The procurement team needs to know what categories of data are in each purchase, what the contractual onward-transfer restrictions are, and what the breach-notification chain looks like.

Match the privacy-by-default ratchet. Quebec’s Law 25 requires maximum privacy as the default setting. The California Delete Act requires continuous suppression after deletion. The DOJ rule requires data minimization above thresholds. The consistent direction: collect less, keep less, link less. A privacy-mature product team in 2026 designs new features against a baseline assumption that they will not be allowed to retain whatever data they want indefinitely, and that retention longer than the user’s session is a deliberate engineering decision that has to be justified.

Treat first-party data like a regulated asset. The flip side of the broker squeeze is that first-party data — what your users explicitly give you in exchange for service — is now the cleanest, most defensible, and most valuable category of data your organization holds. Investments in consent management, transparent purpose limitation, and direct relationships with users pay off across the entire regulatory landscape.

The North Star: What Structural Metadata Privacy Actually Looks Like

Configuration-level defenses operate inside the current consumer tech landscape. None of them solve the underlying structural problem: as long as the hardware, operating system, and network protocols you use leak metadata by design, every layer of defense is a patch on top of leaky infrastructure. A small body of research is now defining what structural metadata privacy — privacy with mathematical guarantees rather than configuration choices — would actually require. None of it is operational for ordinary users today, but the direction it sets matters.

Formally verified microkernels. The seL4 microkernel is the most mathematically scrutinized OS kernel in production. Its implementation has been formally proven to match its specification using theorem provers like Isabelle/HOL. In an seL4-based system, components without explicit capabilities to share state cannot leak information across their boundaries — not as a configuration rule, but as a mathematical consequence of the kernel’s structure. Compare to the millions of lines of privileged code in Linux or Windows, any of which can be the source of a lateral-movement vulnerability.

Capability-based hardware. CHERI (Capability Hardware Enhanced RISC Instructions) replaces conventional integer pointers with hardware-tagged capabilities that carry bounds, permissions, and provenance. Buffer overflows, use-after-free errors, and pointer forgery — the source of roughly 70% of software vulnerabilities — become hardware exceptions instead of exploitable bugs. Combined with seL4, you get formal isolation between components and hardware-enforced memory safety inside each component.

Mixnets with continuous-time delay and cover traffic. Tor protects payload contents but is vulnerable to end-to-end correlation by global passive adversaries — its circuit-based routing means matching timing patterns at entry and exit nodes deanonymizes the connection. The Nym network, built on the Loopix research, abandons circuits entirely. Every packet picks its own random three-hop route, each hop adds an exponentially distributed delay (~50ms average per hop), and the network continuously injects indistinguishable cover traffic and loopback packets. Statistically, an outside observer cannot match incoming packets to outgoing ones at any node. The cryptographic packet format that makes this work — Sphinx — guarantees bitwise unlinkability: every hop fully scrambles the packet’s bit pattern via layered decryption, and packets are padded to uniform length so size never leaks routing position.

Dandelion / Dandelion++ for P2P networks. Standard peer-to-peer gossip (Bitcoin, Ethereum mempool propagation) leaks transaction origin through symmetric epidemic flooding — colluding network observers can triangulate the source from arrival timestamps. Dandelion++ breaks the symmetry with a two-phase protocol: a linear “stem phase” where each transaction is forwarded along a single random path, followed by a probabilistic transition to a “fluff phase” of normal flooding. The stem-phase aggregator structure makes the originating node statistically indistinguishable from any other forwarding node.

Private Information Retrieval (PIR). When you query a database — DNS resolution, certificate transparency, a medical-record lookup — the query reveals your interest to the server even if the payload is encrypted in transit. PIR is the cryptographic protocol that lets you fetch a specific record from a remote database without the server learning which record you fetched. Classical PIR requires either non-colluding multi-server deployments or linear server-side computation that doesn’t scale. The recent Piano PIR protocol achieves sublinear online server computation by amortizing work into a preprocessing phase, which makes large-database PIR — Certificate Transparency, blockchain queries — actually feasible.

FHE, SMPC, differential privacy, ZKPs. Fully Homomorphic Encryption lets a server compute on encrypted data and return an encrypted result the server cannot read. Secure Multiparty Computation lets multiple untrusted parties jointly compute an aggregate without any of them seeing each others’ inputs. Differential Privacy provides a quantifiable mathematical bound on what any single individual’s contribution can reveal about them, regardless of what an adversary does with the output. Zero-Knowledge Proofs let you prove a fact (you are over 18, you hold a credential, you are accredited) without revealing the underlying attribute — empirical studies show ZKP-based KYC cuts exposed user data by roughly 97%.

None of these run on a consumer laptop today; most require deeply specialized infrastructure or are not yet production-ready for general use. But the mathematical primitives exist, the direction of structural privacy research is clear, and the next decade’s worth of practical privacy tooling will be built on these foundations. A privacy-aware practitioner in 2026 should know what these terms mean even if the day job is configuring Pi-hole.

The Practice Is the Point

Privacy is not a state. It is a practice. There is no configuration you can apply once and walk away from. The brokers re-ingest quarterly. New apps install new SDKs. New breaches drop new data into the graph. The defensive equivalent has to be continuous: alias creation when you sign up for things, MAID resets on a schedule, quarterly OSINT audit of your own surface, removal-service subscription maintained over years, statutory requests filed each time you change addresses or jurisdictions.

In practice, after the initial setup, the maintenance is on the order of an hour a month. The cost is real but bounded. The benefit is that the dossier on you in 2030 is dramatically thinner than the dossier on you in 2026 — and the people who are interested in that dossier, whether brokers, marketers, foreign intelligence services, or threat actors, find themselves working harder for less data attached to a less useful identity.

The shadow economy mapped in Part 1 is still running. The regulatory floor described in Part 2 slows it. A maintained practice — alias by alias, request by request, audit by audit — is what determines whether you live well inside it or become its product.

---

Series complete. Part 1 — Who Data Brokers Actually Are and How They Build You · Part 2 — The Surveillance Pipeline, the Breach Record, and the Regulatory Pushback · Part 3 — Privacy Practices: The Operational Stack That Actually Works.