The Five Things That Actually Matter: The 80/20 of Surveillance Capitalism
We have spent this series establishing what surveillance capitalism is, how the business model works, what is documented versus assumed, why enforcement fails, what companies actually hold on you, how the attention economy functions as a supply chain, and why platforms degrade over time. That is the diagnosis. It is necessary, but it is not sufficient. The sovereign individual needs a prescription — and the prescription needs to be selective, because the number of possible privacy actions is large enough to become paralyzing, and paralysis is its own failure mode.
This article narrows the field to five areas where individual action yields the highest return on effort. Not five hundred. Not fifty. Five. The selection criteria are straightforward: these five represent the highest-value streams of behavioral surplus you currently generate, and each one has a practical alternative that does not require technical expertise, significant expense, or withdrawal from functional digital life. Address these five before worrying about anything else. The proportional response is not comprehensive. It is focused.
Why This Matters for Sovereignty
Zuboff’s framework identifies behavioral surplus as the raw material of surveillance capitalism. Snowden’s disclosures documented the mechanisms of government access to that surplus. Doctorow’s enshittification thesis explains why platforms will extract more over time, not less. But none of these frameworks tell you where to start. The intellectual understanding is important — it prevents you from misallocating effort toward threats that are low-priority while ignoring threats that are high-priority. But understanding without action is observation, not sovereignty.
The five items below are selected because they sit at the intersection of high sensitivity (the data reveals a great deal about your life), high accessibility (the data is easily collected, sold, or compelled by legal process), and high actionability (you can meaningfully change the dynamic without extraordinary effort). This is the 80/20 of surveillance capitalism — the small number of changes that account for the majority of practical sovereignty improvement.
How It Works: The Five, In Order of Priority
Thing One: Your Primary Email Provider
Your email address is your digital identity. It is the key that unlocks every other account you own — your bank, your social media, your government services, your commerce accounts. When you recover a forgotten password, you do it through email. When a platform verifies your identity, it sends a code to your email. This makes your email provider the single most consequential infrastructure choice in your digital life.
If your primary email is a Gmail account, Google has access to metadata about every communication you send and receive — who you correspond with, when, how frequently — along with the content of those messages. Google has stated that it stopped scanning email content for ad targeting purposes in 2017 for free Gmail accounts, but the company retains access to email content for other purposes, and email metadata alone is extraordinarily revealing. A 2013 MIT study demonstrated that email metadata — sender, recipient, timestamp, subject line — was sufficient to infer social networks, daily routines, organizational hierarchies, and personal relationships with high accuracy.
The proportional response is not necessarily to abandon Gmail immediately. It is to understand what your email provider can see and to evaluate whether that access is acceptable given your specific circumstances. For most people, the highest-impact move is migrating their primary email to a provider whose business model does not depend on advertising — services like Proton Mail, Fastmail, or Tuta, which charge a subscription fee in exchange for not monetizing your communications data. The migration is not trivial — it requires updating account recovery addresses across dozens of services — but it is a one-time cost that permanently changes the surveillance exposure of your most critical digital asset.
Thing Two: Your Phone’s Location Data
Your phone generates a continuous stream of precise location data — GPS coordinates logged at regular intervals, cell tower triangulation data maintained by your carrier, and Wi-Fi positioning data used by your operating system. This data is, in Zuboff’s framework, some of the highest-value behavioral surplus you produce, because it reveals not just where you are but the patterns of your life: where you sleep, where you work, where you worship, who you visit, what doctors you see, what protests you attend.
The sensitivity of location data has been confirmed through multiple investigations. Senator Wyden’s office documented cases where data brokers like Babel Street sold location data precise enough to track individuals to specific buildings. The Electronic Frontier Foundation has published analyses showing how commercially available location data could identify individuals visiting abortion clinics, addiction treatment facilities, and domestic violence shelters. This is not theoretical capability. It is documented practice.
The proportional response involves several layers. First, audit your phone’s location permissions and revoke access for any app that does not functionally require it. A weather app needs your approximate location. A flashlight app does not. Second, disable Wi-Fi and Bluetooth scanning when not actively in use — both are used for location refinement even when you are not connected to a network. Third, understand that your carrier collects location data regardless of your phone’s settings; this is inherent to cellular network operation and cannot be fully prevented without turning off cellular connectivity. The goal is not to become invisible — it is to reduce the number of parties with access to your location data from dozens to the minimum necessary for the services you actually use.
Thing Three: Your DNS Traffic
Every time you visit a website, your device first asks a DNS (Domain Name System) resolver to translate the human-readable address (example.com) into a machine-readable IP address. By default, this request goes to your internet service provider’s DNS resolver, which means your ISP maintains a log of every website you visit — not the content of what you read, but the fact that you visited it and when. This browsing metadata is a detailed behavioral profile generated automatically by normal internet use.
Changing your DNS resolver is one of the highest-impact, lowest-effort privacy improvements available. The process takes five to ten minutes, requires no technical expertise beyond following a settings guide, and immediately redirects your browsing metadata away from your ISP to a resolver of your choosing. Privacy-focused options include Quad9 (9.9.9.9), which blocks known malicious domains and does not log query data; Cloudflare’s 1.1.1.1 service, which commits to purging query logs within 24 hours; and self-hosted DNS solutions for those with more technical comfort.
The effectiveness of this change depends on whether you also enable encrypted DNS (DNS over HTTPS or DNS over TLS), which prevents your ISP from reading DNS queries in transit even after you have changed your resolver. Most modern operating systems and browsers support encrypted DNS natively — it is a settings toggle, not an installation project. Without encryption, your ISP can still observe DNS queries in transit even if they are directed elsewhere.
This is a genuinely proportional action: minimal effort, no cost, no reduction in functionality, and a meaningful reduction in the behavioral metadata available to your ISP and anyone your ISP shares data with.
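The point above about unencrypted queries, as an added example that is not part of the original article: it builds the DNS query for example.com in wire format and shows what a passive observer between you and the resolver can read from it. The flow tuples, the 192.0.2.53 stand-in for an ISP resolver, and the placeholder TLS record are constructed for illustration.

```python
import struct

def build_query(hostname, txid=0x1234):
    """Encode a standard DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(payload):
    """Recover the queried hostname from a cleartext DNS payload, or None."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(payload):
            return None  # not a plain label: malformed or not DNS
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def on_path_view(flows):
    """What a passive observer between you and the resolver learns per flow."""
    seen = []
    for dst_ip, dst_port, payload in flows:
        # Port 53 is cleartext DNS. On 853 (DoT) or 443 (DoH) the payload is a
        # TLS record, so only the resolver address and timing are visible.
        name = observed_name(payload) if dst_port == 53 else None
        seen.append((dst_ip, dst_port, name))
    return seen

# Constructed sample flows: (destination IP, destination port, payload bytes).
QUERY = build_query("example.com")
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)  # stand-in for ciphertext
FLOWS = [
    ("192.0.2.53", 53, QUERY),     # default ISP resolver (documentation address)
    ("9.9.9.9", 53, QUERY),        # resolver changed, still unencrypted
    ("9.9.9.9", 853, TLS_RECORD),  # resolver changed and DNS over TLS enabled
]

if __name__ == "__main__":
    for row in on_path_view(FLOWS):
        print(row)
```

The second flow is the case the article warns about: the query goes to Quad9, but the hostname is still readable in transit until encrypted DNS is switched on.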
Thing Four: Your Content Platform
If your writing, your audience, your professional reputation, or your creative work lives primarily on a platform you do not control — Medium, Substack, YouTube, Instagram, LinkedIn, Twitter/X — you are a digital sharecropper. You are building value on someone else’s land, subject to someone else’s terms, and vulnerable to someone else’s enshittification timeline. This is not a privacy concern in the traditional sense. It is a sovereignty concern in the structural sense.
Doctorow’s framework predicts what happens to platform-dependent creators: the platform attracts them with distribution and tools, then degrades the terms as the platform’s interests shift. Facebook reduced organic reach from 16 percent to under 2 percent over a decade, forcing businesses to pay for access to audiences they had built for free. YouTube’s algorithm changes can reduce a creator’s visibility overnight with no explanation and no recourse. Twitter/X’s ownership change in 2022 demonstrated how quickly platform stability can evaporate.
The proportional response is to own your primary platform. This means a domain you control, hosted on infrastructure you can migrate, with an audience relationship (email list) that is not mediated by a platform’s algorithm. You can — and should — continue using platforms for distribution. They offer reach that owned infrastructure cannot easily replicate. But the platform should feed the owned platform, not replace it. Post on social media to drive traffic to your site. Publish on YouTube to convert viewers to email subscribers. Use the platforms instrumentally while they are useful, and ensure that if any of them degrade, your core asset — the direct relationship with your audience — survives intact.
Thing Five: Your Financial Data
Your purchase history is behavioral data. It reveals your income level, your consumption patterns, your health conditions (pharmacy purchases), your political donations, your vices, your relationships (gifts, shared subscriptions), and your daily routines (coffee shops, gas stations, grocery stores). This data is collected by your bank, your credit card issuer, payment processors, and the merchants themselves — and it is aggregated by data brokers into composite profiles that are sold widely.
The sensitivity of financial behavioral data was highlighted by a 2015 study published in Science, which demonstrated that just four credit card transactions were sufficient to uniquely identify 90 percent of individuals in a dataset of 1.1 million people (de Montjoye et al., 2015, Science). Your purchases are not anonymous even when your name is not attached to them. The patterns are the identifier.
The proportional response here is not to pay cash for everything — that is impractical for most people and unnecessary for most threat models. It is to diversify your financial data exposure. Use multiple payment methods so that no single entity has a complete picture. Consider using privacy-focused payment tools for purchases where anonymity matters to you — prepaid cards, privacy.com virtual card numbers, or, for the technically inclined, cryptocurrency for specific transactions. Review your bank’s and credit card issuer’s data-sharing policies and opt out of marketing data sharing where the option exists. The goal is fragmentation — making it harder for any single entity to assemble a complete financial behavioral profile.
Why These Five and Not Others
Several categories that might seem like obvious inclusions are deliberately absent from this list.
Social media presence is not here because, while social media generates substantial behavioral data, the sensitivity of that data is generally lower than location data, email metadata, or financial records — and the effort required to meaningfully change social media’s data collection (deleting accounts, changing platforms) is high relative to the privacy improvement. Social media is worth addressing, but it is not in the top five.
Smart home devices — Alexa, Google Home, Ring cameras — are not here because they affect a smaller portion of the population and because the simple act of not purchasing them is a complete solution. If you already own them, the calculus changes, but for most people these are optional additions to digital life rather than structural dependencies.
Loyalty programs and retail tracking are not here because the behavioral data they generate, while commercially valuable, is lower-sensitivity than the five categories listed above and because opting out is trivially easy — you simply stop using the loyalty card.
The principle is this: address the five things that matter most before spending energy on the twenty things that matter less. Sovereignty is not about controlling everything. It is about controlling the infrastructure that gives you the most leverage over your own digital life.
The Proportional Mindset
The sovereign response to surveillance capitalism is not a project with a completion date. It is an ongoing practice — a set of deliberate choices about where your behavioral surplus goes and who profits from it. The five priorities listed here are starting positions, not endpoints. Once you have addressed these five, you will have a clearer understanding of your own digital infrastructure and a better foundation for evaluating additional actions.
The posture is settled, not frightened. You understand the system — the business model that drives extraction, the documented capabilities of the entities that collect your data, the enforcement gap that leaves you largely on your own, the enshittification cycle that degrades the platforms you depend on, and the attention economy that competes for the time you could spend building. None of this is cause for panic. All of it is cause for deliberate action.
You now have the map. These five items are the first five moves. Make them, and the rest of the territory becomes easier to navigate.
This article is part of the Surveillance Capitalism & The Proportional Response series at SovereignCML.