Your Surveillance Capitalism Response Plan
This is the capstone. Over the preceding eleven articles, we have mapped the terrain: Zuboff’s thesis and where it holds, the business model that drives extraction, what is documented versus what is assumed, the enforcement gap, your data portfolio, the attention economy, platform enshittification, the five highest-leverage intervention points, the paranoia trap, the exposure children face, and the geopolitical landscape that determines which rules apply to your data. You now understand the system. What follows is the plan — structured, prioritized, and deliberately proportional.
We have organized this plan into three tiers, not because sovereignty is a ladder you climb, but because sequencing matters. Tier one is what you do this weekend. Tier two is what you do this month. Tier three is what you practice from here forward. The tiers are ordered by effort and impact: tier one is high impact and low effort, tier two requires more sustained attention, and tier three is the ongoing practice that makes the first two tiers durable. If you do nothing beyond tier one, you will have addressed the most common and most exploitable vectors of behavioral surplus extraction. That alone puts you ahead of the vast majority of internet users.
Tier 1: This Weekend (2-4 Hours)
These are the interventions that cost nothing, require no technical expertise, and eliminate the easiest paths by which your behavioral surplus is extracted. This is not security. It is hygiene. You would not leave your front door open and then install a safe in the basement. Close the door first.
Change your DNS resolver. Your DNS traffic — the record of every website you visit — is logged by your internet service provider by default. Changing your device or router’s DNS resolver to a privacy-respecting alternative (Quad9, Cloudflare’s 1.1.1.1, or NextDNS if you want filtering and logging controls) takes less than ten minutes and eliminates one of the most comprehensive passive data streams you generate. Your ISP still sees your IP traffic, but they no longer see a clean, human-readable log of every domain you resolve. This is the single highest-ratio privacy intervention available: minutes of effort, years of reduced exposure.
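A quick check that the resolver change above actually took effect, as an added example that is not part of the original article: it reads resolv.conf-style text and labels each configured nameserver. The function names and the sample input are constructed for illustration; the addresses matched are the published Quad9 and Cloudflare resolver addresses.

```shell
#!/bin/sh
# Added example: label the nameservers a Linux/macOS host is configured to use.

# Map one resolver address to a label.
classify_resolver() {
    case "$1" in
        9.9.9.9|149.112.112.112|2620:fe::fe|2620:fe::9)
            echo "quad9" ;;
        1.1.1.1|1.0.0.1|2606:4700:4700::1111|2606:4700:4700::1001)
            echo "cloudflare" ;;
        127.*|::1)
            # e.g. 127.0.0.53 (systemd-resolved): the real upstream is set elsewhere
            echo "local-stub" ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|fe80:*)
            # Private or link-local address: the router picks the upstream,
            # which is usually the ISP resolver unless the router was changed
            echo "router-or-lan" ;;
        *)
            echo "other" ;;
    esac
}

# Read resolv.conf-style text on stdin; print "<address> <label>" per nameserver.
audit_resolvers() {
    # The second test keeps a final line that has no trailing newline.
    while read -r key addr rest || [ -n "$key" ]; do
        # Comments, "search" and "options" lines are not resolvers.
        [ "$key" = "nameserver" ] || continue
        echo "$addr $(classify_resolver "$addr")"
    done
    return 0
}

# Constructed sample standing in for /etc/resolv.conf on a home network.
SAMPLE='# constructed sample
nameserver 192.168.1.1
nameserver 9.9.9.9
options edns0'

printf '%s\n' "$SAMPLE" | audit_resolvers
```

On a real host, run `audit_resolvers < /etc/resolv.conf`. A `local-stub` or `router-or-lan` result means the upstream choice is made elsewhere (systemd-resolved or the router), so check there; and changing the address alone leaves queries in cleartext on port 53 unless DNS over TLS or DNS over HTTPS is also enabled.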
Audit your phone’s app permissions. Open your phone’s privacy settings and review which applications have access to your location, microphone, camera, contacts, and health data. Most people discover applications with permissions they never consciously granted — a weather app with continuous location access, a shopping app with microphone permissions, a game with access to the contact list. Revoke any permission that is not essential to the application’s core function. On both iOS and Android, you can set location permissions to “only while using” rather than “always,” which eliminates the continuous location tracking that data brokers purchase from app developers.
Request your data exports. Google Takeout, Facebook’s “Download Your Information” tool, and equivalent features on other major platforms allow you to see what these companies actually hold. Requesting your data is not an action step in itself — it is a diagnostic. When you see the scope of your data portfolio — years of search history, location breadcrumbs, message metadata, ad interaction records — the abstract argument of this series becomes concrete. Most people who complete this step describe it as the moment the behavioral surplus economy stopped being theoretical. Allow an hour for this; the exports take time to generate, but the request itself is quick.
Install browser-level tracker blocking. A reputable content blocker (uBlock Origin remains the standard as of early 2026) eliminates the majority of cross-site tracking scripts, advertising beacons, and fingerprinting attempts that you encounter during normal browsing. This is the digital equivalent of closing the curtains — it does not make you invisible, but it stops the casual observation that funds the largest share of the behavioral prediction market.
These four steps, completed in a single weekend, address the broadest and most common extraction vectors. They are layer one: the hygiene layer. Everything that follows builds on this foundation.
Tier 2: This Month (Ongoing)
Tier two requires more deliberation. These are not one-time actions; they are transitions that involve changing habits, migrating workflows, and accepting some friction in exchange for reduced exposure. Do them at a pace that is sustainable. Rushing through tier two and then abandoning it because the friction was too high defeats the purpose.
Set up a password manager. If you are not already using one, this is the most important single security intervention you can make. A password manager (Bitwarden is open-source and well-audited; 1Password is a strong commercial option) allows you to use unique, strong passwords for every account without remembering them. This eliminates credential reuse — the single most common vector for account compromise. It also enables you to see, in one place, every account you have created. That inventory is the foundation of digital sovereignty: you cannot steward what you cannot see.
Review and revoke third-party app connections. Your Google, Facebook, Apple, and Microsoft accounts are likely connected to dozens of third-party applications and services that you granted access to once and forgot. Each of these connections is an ongoing data-sharing pipeline. Go to each platform’s security or connected-apps settings and revoke access for any service you no longer use. This is the digital equivalent of changing the locks after you have lent out too many keys.
Evaluate your primary email provider. Your email address is your digital identity. It is the recovery mechanism for every account you hold, the repository of years of correspondence, and a metadata goldmine. If you use Gmail, Google has structural access to your email content and metadata for ad targeting and profile building. Migrating away from Gmail is a significant undertaking — it involves updating your email address across every service, notifying contacts, and setting up forwarding during the transition period. We are not saying you must do this. We are saying you should understand the trade-off you are making by staying, and make that choice deliberately rather than by default. If you choose to migrate, ProtonMail and Tuta (formerly Tutanota) are the most established privacy-focused alternatives as of early 2026.
Start building on a platform you own. If your writing, your content, your professional presence, or your audience lives entirely on platforms you do not control — social media accounts, Medium, Substack, YouTube — you are a digital sharecropper. The enshittification cycle Doctorow described guarantees that these platforms will eventually optimize against your interests. Start a website on a domain you own. It does not need to replace your platform presence overnight. It needs to exist as infrastructure you control, so that when the platform degrades — and it will — you have somewhere to stand.
Tier 3: Ongoing Practices
Tier three is not a checklist. It is a set of practices that become part of how you operate, the way financial management is a practice rather than a task you complete once.
Regular permission and access audits. Every quarter — set a calendar reminder if it helps — review your app permissions, your connected third-party applications, and your active accounts. New exposures accumulate constantly. Applications update their permission requests. Services you signed up for and forgot continue to hold your data. The audit habit prevents the slow drift back toward maximum exposure that happens when you set up protections once and never revisit them.
Deliberate attention allocation. The attention economy is the supply chain for behavioral surplus extraction. Every hour spent in an algorithmically curated feed is an hour of behavioral data generated for the platform and an hour not spent on things you own. We are not prescribing a specific screen time target. We are prescribing awareness: know how much attention you are giving to platforms that monetize it, and decide whether that exchange rate is acceptable. If you reclaimed two hours per day from algorithmic feeds and spent them building owned content, owned skills, or owned relationships, the compounding effect over a year would be substantial.
Teach your household. Sovereignty that lives in one person’s practices and dies at the household door is fragile. The DNS filtering you configured protects the network; the conversations you have about why it is configured that way protect the people. Household members who understand the behavioral surplus economy — in age-appropriate terms for children, in practical terms for partners — become participants in the sovereignty practice rather than vectors for its erosion. This is not about converting anyone to a worldview. It is about shared awareness of how the digital infrastructure around you operates.
Build on owned infrastructure. Over time, shift the center of gravity of your digital life toward infrastructure you control. Your own domain. Your own email. Your own content platform. Your own data backups. This is not a weekend project. It is a directional commitment — each year, more of your digital life should live on infrastructure where you set the terms, and less should live on platforms where the terms are set for you and changed without your consent.
What Not To Do
The plan above is deliberately incomplete. It does not address every possible privacy threat, and it is not intended to. What follows is a brief list of common mistakes that undermine the proportional approach.
Do not try to do everything at once. The most common failure mode is enthusiasm followed by burnout. Tier one this weekend, tier two over the next several weeks, tier three as an ongoing practice. That sequencing is intentional.
Do not go dark on platforms where you have real relationships without a transition plan. If your community, your family, or your professional network communicates through a platform you want to leave, the sovereign move is to build an alternative channel first and migrate gradually — not to disappear and hope people follow. Sovereignty includes the ability to maintain connection on your terms.
Do not spend money on “privacy products” before doing the free interventions. The privacy industry sells hardware, subscriptions, and services to people who have not yet changed their DNS resolver or audited their app permissions. The free interventions in tier one address more exposure than most paid products do. Do the free work first. Spend money only on specific, identified needs that the free tools do not address.
Do not mistake this for a one-time project. The surveillance capitalism landscape changes. Platforms update their data practices. New extraction vectors emerge. Old tools become obsolete or compromised. The practice of sovereignty is ongoing, the way maintaining a house is ongoing. You do not repair the roof once and declare the house permanently waterproof.
The Posture, Restated
You now understand the system. You know what Zuboff documented and where her framework has limits. You know the business model and why it persists despite regulation. You know what is documented and what is assumed. You know the enforcement gap and why laws alone will not protect you. You know what your data portfolio looks like, how the attention economy feeds the behavioral futures market, and how platform enshittification degrades every rented space you occupy. You know the paranoia trap and why maximum response is not the same as optimal response. You know the generational dimension and the geopolitical landscape.
Your response is deliberate. It is proportional. It is focused on the interventions that give you the most leverage over your own digital life. You are not hiding from a system that, for the most part, is not targeting you as an individual. You are withdrawing your behavioral surplus from markets that profit from it, building on infrastructure you control, and making conscious choices about the trade-offs you are willing to accept.
That is sovereignty. Not a destination you arrive at, but a practice you maintain — the way Thoreau maintained his bean field, the way Emerson maintained his journal, the way the Stoics maintained their discipline. The rest of Branch 3 in this project — SEO as sovereignty, owning your platform, data privacy specifics, economic sovereignty — gives you the tools to build on this foundation. This series gave you the map. The building starts now.
This article is part of the Surveillance Capitalism & The Proportional Response series at SovereignCML.
Related reading: The Five Things That Actually Matter, The Paranoia Trap: When Privacy Becomes Paralysis, Platform Enshittification: Doctorow’s Framework