Thought Crime

War is not peace, freedom is not slavery, ignorance is not strength

Section 0

• How to use this site
  • Purpose and limits
  • Who this site is for
  • Who this site is not for
  • Privacy and security as risk management
  • No tool is a silver bullet
  • How to read the guides without changing everything at once
  • Why normality and restraint often provide more safety
  • Legal and ethical responsibility

Section 1

• 1. Foundations and threat modelling
  • What is a “threat model” in ordinary life?
  • Assets, adversaries, and your boundaries
  • Context shapes risk
  • Threat modelling by example
  • Common misunderstandings that weaken security
  • Understanding how data moves
  • Risk, friction, and the reality of trade‑offs
  • Failure modes and how they show up
  • Trust is part of the model
  • Setting a personal baseline
  • Freedom of speech and the cost of visibility
  • Where to go next
• 1.1 Understanding threats
  • Who might care about you, and why
  • Opportunistic vs targeted threats
  • Commercial surveillance, criminal exploitation, and state monitoring
  • Automation vs human review
  • How false positives occur
  • Why most harm comes from aggregation, not single actions
• 1.2 Privacy, security and anonymity
  • Privacy as control over information
  • Security as protection from unauthorised access
  • Anonymity as lack of attribution
  • Where the goals align and where they conflict
  • When improving one weakens another
  • Common pitfalls and realistic protections
  • Context, expectations, and trade-offs
• 1.3 Thoughtcrime and intent inference
  • Punishment without statements
  • How behaviour is used to infer beliefs
  • Search history, reading habits and curiosity
  • Pattern-of-life analysis
  • Guilt by association and network analysis
  • Why “I was just curious” is rarely accepted

Section 2

• 2. Identity, authentication and access control
  • Identity is a claim, not a fact
  • Authentication: proving the claim
  • Passwords and their limits
  • Two-factor and multi-factor checks
  • Biometrics: useful but not magic
  • Access control: deciding what you can do
  • Least privilege and its practical limits
  • Identity proofing: linking the digital to the real
  • Session management and the quiet mechanics of access
  • Single sign-on and its ripple effects
  • Everyday friction and real-world compromises
  • Myths and misunderstandings
  • Practical choices in a monitored world
• 2.1 Passwords done properly
  • Escaping complexity theatre
  • Why traditional complexity rules failed
  • Length vs randomness
  • Passphrases and memorability
  • Why humans reuse passwords
  • Avoiding personal references
  • When rotation helps and when it harms
• 2.2 Password managers
  • Centralisation as both solution and risk
  • What password managers protect against
  • Local vs cloud-based managers
  • Master password failure modes
  • Sync convenience vs exposure
  • Backups and disaster recovery
  • Situations where a password manager is inappropriate
• 2.3 Multi-factor authentication (MFA) — Strengthening identity without adding fragility
  • Strengthening identity without adding fragility
  • What MFA actually stops
  • SMS codes and SIM‑swap risk
  • App‑based authenticators
  • Push notification fatigue
  • Recovery codes as a weak point
• 2.4 Hardware security keys
  • Physical proof of presence
  • How hardware keys work
  • Phishing resistance in the real world
  • Advantages over software MFA
  • Backup keys and loss planning
  • When hardware keys attract attention
  • Everyday use without false confidence
• 2.5 Biometrics: convenience vs coercion
  • The irreversible factor
  • Fingerprints, face recognition, and voice
  • Why biometrics cannot be changed
  • Legal differences: knowledge vs body‑based authentication
  • Forced unlocking risks
  • Why biometrics suit devices better than accounts
  • Combining biometrics safely
  • Common misunderstandings
  • Practical, UK‑context examples
  • Operational practices

Section 3

• 3. Encryption and data at rest — Protecting what already exists
  • Protecting what already exists
  • What “at rest” really covers
  • Full-disk encryption: the blunt but effective tool
  • File and folder encryption: precision and flexibility
  • Phones and tablets: convenience with sharp edges
  • Cloud storage: encryption depends on who holds the keys
  • Backups: the most forgotten risk
  • Keys, passwords, and recovery: the human factor
  • Common myths and misunderstandings
  • Limits you cannot encrypt away
• 3.1 Encryption fundamentals
  • Understanding before trusting
  • Encryption at rest vs in transit
  • Keys, passphrases and entropy
  • What encryption does not hide
  • Common misunderstandings
• 3.2 Full disk encryption
  • Why it matters even for low-risk users
  • Pre-boot authentication
  • Sleep, hibernation and memory risk
  • Performance and usability trade-offs
• 3.3 Plausible deniability and hidden volumes
  • Protection under coercion
  • What a hidden volume is
  • Behavioural discipline required
  • How deniability fails in practice
  • Legal and psychological pressure
  • Why backups often undermine deniability
• 3.4 File-level and container encryption
  • Granularity and portability
  • When full disk encryption is insufficient
  • Encrypted containers and naming risks
  • Storage locations and access patterns
  • Avoiding “sensitive data” signals

Section 4

• 4. Devices and operating systems — Your platform defines your exposure
  • Your platform defines your exposure
  • The OS as a gatekeeper
  • Phones: convenience by design
  • Laptops and desktops: flexibility and exposure
  • Updates: the uncomfortable trade‑off
  • Accounts, identity, and device binding
  • Pre‑installed software and the unseen surface
  • Encryption and storage realities
  • Network radios and the trail they leave
  • Alternative operating systems and custom builds
  • Shared and managed devices
  • Choosing devices with context in mind
  • What to revisit regularly
• 4.1 Desktop and laptop operating systems
  • Control and convenience on the same machine
  • Linux, Windows and macOS: trade-offs in practice
  • Linux: flexible, inspectable, but uneven
  • Windows: broad compatibility with tight vendor control
  • macOS: integrated design, good default security, limited inspection
  • Telemetry and forced updates
  • Auditability and trust
  • Software ecosystem risks
  • Choosing with context in mind
• 4.2 Mobile operating systems
  • Always-on surveillance devices
  • Android vs iOS realities
  • Vendor control
  • App store gatekeeping
  • De‑Googling trade‑offs
• 4.3 Hardware trust and firmware
  • BIOS and UEFI persistence
  • Baseband processors
  • Peripheral attacks
  • Second-hand device risks

Section 5

• 5. Network privacy and traffic control — What your connections reveal
  • What your connections reveal
  • The shape of a connection
  • IP addresses, location, and identification
  • DNS as the internet’s address book
  • Traffic control in everyday networks
  • Encryption: what it protects and what it does not
  • Virtual private networks in practice
  • Proxies, Tor, and layered routing
  • Mobile networks and always-on signalling
  • Wi‑Fi realities: hotspots and shared networks
  • Device and browser fingerprints
  • Traffic analysis and inference
  • Monitoring in workplaces and schools
  • Balancing privacy, functionality, and trust
• 5.2 VPNs in reality
  • Capabilities and limits
  • What VPNs hide
  • What VPNs expose
  • Logging and jurisdiction
  • When VPN use increases suspicion
• 5.3 Safer networking habits
  • Blending rather than hiding
  • Public Wi‑Fi risks without drama
  • Home router configuration that helps rather than harms
  • Behavioural fingerprints and how they form
  • Consistency versus randomness

Section 6

• 6. Browsing and information access — Observation without participation
  • What gets recorded when you read
  • Seeing without being seen
  • Search engines and discovery
  • Encrypted connections and what they do not hide
  • DNS and the map of where you go
  • Public Wi‑Fi and shared networks
  • Content blockers and the limits of consent
  • Cookies, local storage, and persistence
  • Reading without interaction
  • Remote viewing and the difference between content and access
  • Social platforms and logged-in browsing
  • Local devices and the people around you
  • When anonymity is not the goal
• 6.1 Browsers and search engines
  • Defaults matter
  • Browser choice
  • Search engine profiling
  • Fingerprinting techniques
  • Extension risk
• 6.2 Research under surveillance
  • Curiosity without clustering
  • Passive reading versus active searching
  • Query shaping
  • Timing discipline
  • Archives and mirrors
  • Putting it into daily practice

Section 7

• 7. Communications and messaging
  • What actually travels when you send a message
  • Encryption, and what it does and does not solve
  • Choosing a channel: convenience, coverage, and control
  • Device security: the weak link by default
  • Contact lists and social graphs
  • Groups, forwards, and the risk of drift
  • Voice and video calls
  • Disappearing messages and their limits
  • When you should worry about telecommunications data
  • Identity, accounts, and phone numbers
  • Bridging work and personal life
  • Operational habits that make a real difference
  • Knowing when to accept risk
• 7.1 Messaging applications
  • Encryption is not invisibility
  • End-to-end encryption, explained without mystique
  • Metadata exposure: the trail around the message
  • Group chat risks: the weakest link is real
  • Disappearing messages and the lure of false safety
  • Putting the pieces together in daily life
• 7.2 Email privacy
  • Legacy systems, modern threats
  • Provider trust
  • Metadata permanence
  • Aliases and compartmentalisation
  • Attachments and tracking
  • Practical choices for everyday email

Section 8

• 8. Compartmentalisation and identity separation
  • Limiting damage by design
  • Multiple identities safely
  • Devices, accounts, and networks
  • One-way information flow
  • Clean versus contaminated contexts
  • Abandoning identities
  • Everyday scenarios and trade-offs

Section 9

• 9. Social media and public presence
  • Managing unavoidable exposure
  • Algorithmic amplification
  • Historical posts and reinterpretation
  • Private groups and leaks
  • Images, metadata and recognition
  • Minimising footprint without isolation

Section 10

• 10. Borders, searches and coercion
  • When theory meets force
  • Device search realities
  • Biometrics vs passwords
  • Travel devices
  • Cloud access after seizure
  • Post-inspection hygiene

Section 11

• 11. Behavioural discipline and human risk
  • The weakest link
  • Emotional posting
  • Alcohol and fatigue
  • Over-explaining
  • Normality as camouflage
  • Silence as strategy

Section 12

• 12. Living under surveillance states
  • Persistent monitoring environments
  • Passive versus active surveillance
  • Informants and honeypots
  • Social engineering by authorities
  • Plausible deniability in daily life
  • Low‑tech safety
  • Everyday trade‑offs and limits

Section 13

• 13. Psychological resilience and sustainability
  • Avoiding paranoia without ignoring reality
  • Accepting constraints without surrender
  • Private thought versus recorded thought
  • Offline trust and the limits of digital certainty
  • Disengagement as health, not defeat
  • Living with trade-offs over time

Section 14

• 14. Exit planning and contingency thinking
  • Preparing quietly
  • Escalation signals
  • Reducing digital drag
  • Financial and document readiness
  • Data abandonment
  • Rebuilding elsewhere

Section 15

• 15. Practical baselines
  • Actionable starting points
  • Minimum viable privacy
  • High-risk environment checklist
  • Prioritisation
  • What not to bother with
  • Periodic reassessment

Section 16

• 16. Freedom of Speech in the Digital Age
  • What it means, where it applies, and how it erodes
  • Freedom of speech is not a single rule
  • Where freedom of speech applies in practice
  • How digital systems reshape speech
  • Everyday speech and the friction of identity
  • Common myths and misunderstandings
  • How speech erodes without anyone banning it
  • Risks, trade-offs, and how to manage them
  • UK context: rights, limits, and uncertainty
  • Everyday scenarios that show the stakes
  • What durable freedom of speech looks like online
• 16.1 What freedom of speech actually is
  • Legal protection, not entitlement
  • Negative rights and positive rights
  • Speech versus reach
  • Courts versus platforms
• 16.2 Law, jurisdiction and reality
  • Borders and enforcement
  • Elastic laws
  • Retroactive interpretation
  • Selective enforcement
• 16.3 Platforms as speech gatekeepers
  • Terms of service as law
  • Algorithmic suppression
  • Appeal asymmetry
• 16.4 Surveillance and the chilling effect
  • Self-censorship
  • Metadata as speech
  • Association as expression
• 16.5 Thoughtcrime and intent enforcement
  • Inference over statements
  • Undefined categories
  • Jokes and hypotheticals
• 16.6 Deplatforming and digital exile
  • Account termination
  • Financial exclusion
  • Reputation systems
• 16.7 Speech vs identity
  • Why speech and identity get tangled online
  • Social graph risk
  • Context collapse
  • Misclassification
  • Living with the trade-offs
• 16.8 Speaking safely
  • Audience control
  • Choosing the right channel
  • Managing identity and linkage
  • Group dynamics and trust boundaries
  • Avoiding virality
  • Writing for the right scale
  • Designing posts to resist spread
  • De‑escalation
  • Recognising escalation signals
  • Shifting the channel
  • Using clarity instead of volume
  • Setting limits and exiting
  • Aftercare and documentation
• 16.9 Anonymity and pseudonymity
  • Trade-offs
  • Real-name coercion
  • Behavioural fingerprints
• 16.10 Speech under surveillance states
  • Legal speech and safe speech are not the same
  • Bait topics and how they work
  • Quiet survival and selective visibility
• 16.11 Ethics and self-preservation
  • Responsibility to others
  • Silence as resistance
  • Knowing red lines
• 16.12 Practical guidance
  • Low-risk speech baseline
  • High-risk checklist
  • When to disengage