The Privacy Landscape: What's Real, What's Theater

The modern privacy conversation is flooded with noise — products that promise anonymity, settings that imply control, and rituals that feel productive but change nothing. Shoshana Zuboff documented the architecture of surveillance capitalism in 2019, describing a system that extracts behavioral surplus from every digital interaction and converts it into prediction products sold on futures markets. Edward Snowden, the same year, published the operational details of how mass surveillance actually works from the inside. Between them, we have a clear map of the terrain. The question is not whether surveillance exists — it does — but which of the practices people adopt in response actually reduce their exposure, and which are performance.

Why This Matters for Sovereignty

Privacy is not a luxury concern for the paranoid. It is infrastructure. Thoreau did not build his cabin at Walden because he feared society — he built it because he wanted to know what was essential and what was merely inherited habit. The same principle applies to your digital life. Most of what passes for privacy practice today is inherited habit dressed up as security. You click “accept” on cookie banners. You toggle settings in apps. You might even pay for a VPN because an ad told you it would make you invisible. None of these actions are worthless in every case, but most of them deliver a fraction of the protection they imply.

The sovereign approach to privacy starts with an honest audit. What actually reduces your exposure to the systems Zuboff described? What merely creates the feeling of having done something? The distinction matters because attention and effort are finite. Every hour spent on privacy theater is an hour not spent on the five or six practices that genuinely move the needle.

How It Works: Privacy Theater vs. Real Protection

Privacy theater borrows a concept from security studies — it describes measures that create the appearance of protection without delivering meaningful results. The TSA analogy is instructive. After September 11, the United States built an enormous airport security apparatus. Travelers remove shoes, submit to body scans, surrender water bottles. Independent testing has repeatedly shown that the system misses a significant percentage of prohibited items. But the theater persists because it is visible, because it employs people, and because it makes passengers feel that something is being done.

Digital privacy has its own version. Cookie consent banners are perhaps the most universal example. The European GDPR required websites to obtain consent for tracking cookies, which spawned billions of pop-up windows that almost everyone clicks through without reading. In most implementations, the tracking was going to happen regardless — the banner exists to satisfy a legal checkbox, not to give you meaningful control over data collection. You click “accept all” and move on. The data flows exactly as it would have.

Similarly, the “privacy settings” offered by most platforms control a narrow slice of what those platforms collect. Facebook’s privacy settings let you choose who sees your posts. They do not let you choose whether Facebook collects behavioral data from your activity — that collection is the product, not a feature you can toggle off. Instagram’s settings control whether other users see your activity status. They do not control whether Meta analyzes your engagement patterns, scroll velocity, and content preferences to build a behavioral profile.

VPN advertising represents another significant theater. The VPN industry spends heavily on influencer marketing and podcast sponsorships, with messaging that implies total online anonymity. A VPN encrypts traffic between your device and the VPN server and masks your IP address. It does not make you anonymous. If you are logged into Google, Facebook, or Amazon, those platforms track you by account identity, not by IP. A VPN changes nothing about that relationship. We will cover VPNs in depth later in this series, but the short version is this: they have legitimate uses, and those uses are narrower than the marketing suggests.

Real protection, by contrast, tends to be boring, invisible, and effective. Three examples illustrate the pattern.

First, changing your DNS resolver. Every time your device loads a website, it asks a DNS resolver to translate the domain name into an IP address. By default, your internet service provider handles this — and logs every single request. Switching to a privacy-respecting DNS resolver like Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9 takes five minutes at the router level and immediately prevents your ISP from maintaining a complete record of every website you visit. This is a concrete, measurable reduction in surveillance exposure that costs nothing and requires no ongoing effort.
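A device-side check of the resolver change described above, as an added example that is not part of the original article. It assumes a Linux or macOS style `resolv.conf` file; the sample file contents are constructed. It reads configuration only and does not inspect how queries are transported.

```python
import ipaddress

# The two resolver addresses named in the article.
NAMED_RESOLVERS = {"1.1.1.1": "Cloudflare", "9.9.9.9": "Quad9"}

# Constructed sample of a resolv.conf-style file (not taken from a real machine).
SAMPLE_RESOLV_CONF = """\
# generated by the network manager
search lan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 9.9.9.9
"""

def parse_nameservers(text):
    """Return the nameserver addresses in file order, skipping comments and other directives."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers

def classify(addr):
    """Say what a device-side check can conclude about one resolver address."""
    if addr in NAMED_RESOLVERS:
        return "named: " + NAMED_RESOLVERS[addr]
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "local stub"   # a local forwarder; its upstream is configured elsewhere
    if ip.is_private or ip.is_link_local:
        return "router"       # LAN address: the router's own DNS setting decides the upstream
    return "other"            # any other resolver, e.g. one handed out by the ISP

def audit(text):
    """Map each configured nameserver to its classification."""
    return [(addr, classify(addr)) for addr in parse_nameservers(text)]

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE_RESOLV_CONF):
        print(f"{addr:15} {verdict}")
```

A "router" result is what a device shows after a router-level change, so the router's own DNS setting is the place to confirm the new resolver. An "other" entry means that device is configured with a resolver of its own and is not following the router.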

Second, using a password manager with unique passwords for every account. Credential stuffing — where attackers take leaked username/password combinations from one breach and try them across thousands of other services — is one of the most common attack vectors for individual accounts. If you reuse passwords, a single breach anywhere compromises you everywhere. A password manager eliminates this entire category of risk. We will dedicate a full article to this practice because it is, for most people, the single highest-impact privacy action available.
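The reuse risk described above, measured on your own accounts, as an added example that is not part of the original article. It assumes a CSV export with `name`, `username` and `password` columns (column names vary between password managers); the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column names are an assumption, not a specific product's format.
SAMPLE_EXPORT = """name,username,password
forum.example,ana@example.com,Tr0ub4dor&3
shop.example,ana@example.com,Tr0ub4dor&3
bank.example,ana@example.com,c9$Lq!v2Zp#xW8rT
mail.example,ana.work@example.com,Tr0ub4dor&3
"""

def load_entries(csv_text):
    """Parse the export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def reuse_groups(entries):
    """Return lists of site names that share one password (groups of two or more)."""
    groups = defaultdict(list)
    for entry in entries:
        # Key on a digest so plaintext passwords are not used as dictionary keys.
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        groups[digest].append(entry["name"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)

def exposed_by_breach(entries, breached_site):
    """List other accounts that share the breached site's password.

    Each result is (site, same_username). True means the leaked pair works
    there unchanged, which is the case credential stuffing automates.
    """
    leaked = [e for e in entries if e["name"] == breached_site]
    exposed = set()
    for leak in leaked:
        for entry in entries:
            if entry["name"] != breached_site and entry["password"] == leak["password"]:
                exposed.add((entry["name"], entry["username"] == leak["username"]))
    return sorted(exposed)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("reused:", reuse_groups(entries))
    print("if forum.example leaks:", exposed_by_breach(entries, "forum.example"))
```

Run it against a real export only on a machine you trust, and delete the export afterwards, since the file holds every password in plaintext.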

Third, full-disk encryption. If your laptop or phone is lost or stolen, full-disk encryption means the data on the device is inaccessible without your password. Both macOS (FileVault) and Windows (BitLocker) offer this as a built-in feature. On modern iPhones and most Android devices, it is enabled by default. Confirming that it is active takes two minutes. The protection it provides against physical device compromise is absolute.

The Proportional Response: The 80/20 of Privacy

The Pareto principle — roughly 20% of inputs produce 80% of outputs — applies to privacy with unusual precision. A small number of practices deliver the vast majority of real-world protection. This series is built around identifying and implementing that 20%.

The reason theater persists is not stupidity. It persists because it is profitable, because it is easy, and because it feels productive. VPN companies generate billions in revenue from marketing that overstates their product’s privacy benefit. Cookie banners employ compliance teams and software vendors. Toggling privacy settings takes thirty seconds and produces a satisfying sense of agency. Real privacy practices — changing DNS, installing a password manager, auditing app permissions — are less dramatic but more durable.

There is also the question of threat modeling, which the next article in this series addresses in detail. The proportional response to privacy depends entirely on who you are defending against. A data broker assembling a marketing profile about you requires a different defense than a hacker attempting to compromise your email account, which requires a different defense than a nation-state intelligence agency with targeted interest in your communications. Most people’s actual adversaries are data brokers and automated attackers. Optimizing for intelligence-agency-level threats when your real exposure is to data brokers is disproportionate — the digital equivalent of building a bunker when what you need is a better lock on your front door.

Snowden, who knows more about the surveillance apparatus than almost anyone alive, does not recommend that ordinary people attempt to become invisible. He recommends that they make bulk surveillance uneconomical for their individual data. That is a different goal with a different set of practices. Making yourself invisible requires extraordinary effort and significant lifestyle sacrifice. Making your data expensive to collect at scale requires a weekend of setup and occasional maintenance.

What to Watch For

The privacy landscape changes. New regulations, new platform policies, new tools, and new vulnerabilities emerge continuously. Several patterns are worth tracking as of early 2026.

Passkeys are replacing passwords on major platforms, which will eventually make much of the password security conversation obsolete — but the transition will take years, and password managers remain essential during that transition. The European Union’s Digital Markets Act is forcing changes in how large platforms handle data, though the practical impact on individual privacy is still unfolding. AI systems are creating new categories of data collection, as large language models trained on user interactions raise questions about what constitutes personal data and how it should be handled.

The through-line is this: privacy is maintenance, not a project. The practices that matter are the ones you implement once and sustain. The practices that don’t matter are the ones that feel urgent in the moment and change nothing about the underlying architecture of your digital life. This series will walk through the specific actions, in priority order, that constitute the 80/20 of personal privacy — the proportional response for someone who wants to live deliberately in a surveillance economy without pretending they can opt out of it entirely.


This article is part of the Data & Privacy series at SovereignCML.

Related reading: Your Threat Model: Who Are You Actually Defending Against?, Passwords and Authentication: The Foundation You’re Probably Getting Wrong, Your Phone: The Most Intimate Surveillance Device You Own
