Asked under oath last week whether he would commit to not buying Americans’ location data without a warrant, the Director of the FBI declined. Kash Patel told the Senate Intelligence Committee on March 18 that the Bureau “purchases commercially available information” — a flat reversal of what his predecessor told Congress in 2023, and a public confirmation of the thing privacy advocates have warned about for years: the government doesn’t need a warrant for your movements if it can just buy them. That’s the news.

Here’s the field guide.

I’d spent an hour, not long before, on the Culture, Faith, and Politics podcast with Pat Kahnke, talking about Peter Thiel, the Pope, and the surveillance economy the encyclical calls “data colonialism.” Near the end, Pat asked the question that always comes — the one that matters most: all right, so what can an ordinary person actually do? I promised I’d write it up. This is that piece. It’s also built to last: I’m keeping a permanent, updated version in the Resources section so it doesn’t rot the way a single post does, because the tools change and the advice has to keep up.

In the summer of 2025, a man assassinated the Speaker of the Minnesota House, Melissa Hortman, and her husband in their home. When investigators searched his vehicle, they found a notebook. In it was a list of eleven people-search and data-broker websites — Spokeo, TruePeopleSearch, Intelius among them — annotated with what each one cost and what information each one required. Beside that list was a roster of more than forty officials. Next to Hortman’s name was her home address.

The brokers did not pull the trigger. They sold the man the door.

This is the part of the surveillance story that usually gets left out, because it doesn’t fit on a screen. We talk about algorithms and feeds and AI as if the harm were abstract — a nudge here, a manipulated mood there. But the same infrastructure that decides which posts you see also assembles packages and sells the precise coordinates of your life to anyone with a credit card. Including the government. The data broker is the hinge between the abstract surveillance you feel and the physical harm you don’t see coming.

So when people ask me, after the reporting, what can I actually do? — this is the honest answer. Not “nothing, the system is too big.” And not “download these five apps and you’re safe,” which is a lie the privacy industry is happy to sell you. The honest answer is a strategy, and it starts with understanding what kind of business you’re up against.

Surveillance is a volume business

The companies doing this don’t make money off you specifically. They make money off everyone, at scale, cheaply. The whole apparatus runs on volume economics: collect everything, sell it in bulk, keep the marginal cost of each record near zero. That’s the weakness. You don’t have to make the surveillance machine blind. You just have to make it expensive.

Every record you remove raises their cost to supply you. Every percentage point of accuracy you degrade raises their cost to use you. Every assertion of refusal you put on the record raises their cost to ignore you. None of these, alone, frees you. Together, they’re a margin squeeze on a market that only works because the margins are thin.

That’s the frame. Here’s the field guide — five moves, from what you can do this afternoon to what we have to build together.

Move 1: Remove your data (and the surprise about how)

This is the highest-leverage thing an individual can do, because broker data is what feeds everything downstream — the government purchases, the targeting, the notebook in the killer’s car.

Here’s the surprise, and it’s well-documented. In 2024, Consumer Reports (with the security firm Tall Poppy) ran a controlled study of paid data-removal services — the ones you’ve seen advertised on every podcast. Over four months, the paid services as a group removed only about 35% of participants’ personal records, and the report concluded plainly that doing it yourself is more effective than the services. Submitting opt-outs by hand removed 70%. Exactly one paid service kept pace — Optery, at 68%, basically tying the manual effort — with EasyOptOuts close behind around 65%. The rest trailed badly, the worst clearing single digits. The honest takeaway is sharper than “they’re all useless”: free DIY matches the single best paid service and beats all the others.

I’ll be direct, because it’s a useful correction: a few months ago I recommended one of these subscription services. The data says do it yourself, or if you want help, use Optery or EasyOptOuts — not the ones with the biggest ad budgets. The marketing spend and the removal rate are, if anything, inversely correlated.

What does it actually do? It removes you from the people-search sites that resell your address, relatives, and phone number. What does it not do? It doesn’t reach every broker, and the sites re-scrape and re-list you, so this is maintenance, not a one-time fix. Do it, then do it again in a few months.

The free tools that make this doable: - Permission Slip, from Consumer Reports — a free iOS and Android app. You swipe through companies and tap to send “do not sell” and deletion requests. The same nonprofit that proved the paid services underperform built a free tool that does the work. Start here. - For the technically comfortable, open-source projects exist that batch and automate removal requests across hundreds of brokers — search for a currently-maintained one (the Privacy Guides community is a reliable place to look) rather than trusting a name from a guide, since these tools change hands and quality varies. - The community-maintained “Big Ass Data Broker Opt-Out List” is the canonical DIY map — regular people keeping the instructions current as brokers change their forms.

The political point hiding in here: the nonprofit and open-source world already built the public-good version. The subscription services are selling you something that’s free and, on the evidence, worse.

Move 2: Shrink your footprint (and the honest limits)

These are the baseline switches everyone should make. I’m going to tell you what each one doesn’t do, because that’s exactly where the privacy industry lies to you.

Email — Proton over Gmail. Gmail’s business model is reading you; Proton’s isn’t, and your message contents are end-to-end encrypted. That’s a real upgrade. But — and the Freedom of the Press Foundation is blunt about this — Proton “is simply not made to protect your identity.” It operates under Swiss law and can be compelled to hand over the data it does hold: IP logs, payment info, your recovery email. It has done exactly that — including handing a “Stop Cop City” activist’s payment data to authorities, later shared with the FBI. Proton fixes the content and the business model. It does not make you anonymous. Anyone who needs anonymity should assume they’re identifiable on it.

Messaging — Signal. Lots of apps encrypt your messages now. The reason Signal is the standard isn’t just content — it’s metadata. Signal is built to collect and keep almost none of it. WhatsApp uses the same encryption but is owned by Meta and harvests the metadata around your messages. The content of what you said versus the record of who you talked to, when, and how often — that second thing is often the more revealing, and Signal is designed not to have it.

Browser — Firefox, hardened, for most people. It’s independent, built by a nonprofit, not Chromium-based, and has no crypto side-hustle. Turn on Enhanced Tracking Protection and you’re most of the way there. Brave blocks more aggressively out of the box and scores well on privacy tests — but be aware of its baggage: it was caught silently inserting its own affiliate codes into the crypto-exchange URLs users typed, it runs a cryptocurrency rewards scheme, and its leadership is its own conversation. For maximum anonymity, that’s Tor’s job, not a everyday browser’s.

Search — DuckDuckGo or Startpage over Google. Better, with an asterisk: DuckDuckGo was caught allowing some Microsoft trackers to run in its browser under a search-syndication deal, then changed it after the backlash. Better than Google. Not immaculate.

VPNs — mostly oversold. A VPN hides your browsing from your internet provider and encrypts your traffic in transit. That’s it. It does not make you anonymous, does not stop the tracking that doesn’t rely on your IP address, and does not protect you from malware or phishing. It just moves your trust from your ISP to the VPN company — which sees all your traffic and, per the EFF, often logs as much as the ISP did. Consumer Reports found 12 of 16 VPNs made misleading claims like “complete anonymity.” If you use one, the institutionally-vetted picks are Mullvad, IVPN, and Mozilla VPN. But don’t mistake a VPN for a force field.

Move 3: Build the capability (this is where it stops being about you)

Here’s the lever that the 70%-versus-35% finding actually points to. If doing it yourself works better than paying, then the thing standing between most people and real protection isn’t a product. It’s an hour of someone’s time and the knowledge of where to start.

That’s a solvable problem, and it’s a collective one. The opt-out treadmill is, in effect, a tax the broker market imposes on your attention — and the way you lower a tax for everyone is you teach people to do the thing, together.

This is the part of the work that happens in church basements and library meeting rooms and union halls — the physical, face-to-face resistance that the surveillance machine is worst at fighting. An algorithm can flood a forum with a thousand convincing posts. It cannot sit down next to your neighbor and walk her through a data-broker opt-out. We can.

You don’t have to invent this. The infrastructure exists: - The Electronic Frontier Foundation runs Surveillance Self-Defense and security-education trainings built exactly for at-risk communities — the model for a local data-detox clinic. - EFF’s annual “Opt-Out October” is a ready-made campaign you can localize. - Permission Slip and the Big-Ass list are your curriculum.

The Catholic Worker movement didn’t write theology about hospitality and stop there; it ran houses. The move here is the same: don’t just protect yourself, host the room where ten of your neighbors protect themselves, and send each of them home able to teach ten more.

Move 4: Close the loophole (the law the brokers count on you ignoring)

Everything so far is defense. But there’s a specific legal hole that makes the whole government-surveillance side of this possible, and it can be closed.

In 2018, the Supreme Court ruled in Carpenter v. United States that the government needs a warrant to obtain long stretches of your phone’s location data — even though a third party (your carrier) holds it. It was a genuine crack in the old rule that anything you hand a company loses its constitutional protection.

Here’s the hole: Carpenter limits what the government can compel. It says nothing clear about what the government can buy. So agencies just buy it. CBP purchased Americans’ domestic flight records — names, full itineraries, financial details — from a data broker owned by the major airlines, under a contract that barred the government from naming the source. ICE bought access to a Thomson Reuters database, CLEAR, holding more than 400 million names, addresses, and utility-service records — phone, water, electricity — so it could find people who avoid a driver’s license but still pay a utility bill. And in a separate seven-month stretch in 2021, ICE ran more than a million searches through LexisNexis’s commercial database. An ICE contracting document justified buying broker data specifically as a way around sanctuary-law limits. The data is laundered through a middleman, and the warrant requirement evaporates.

There is a model for closing this exactly — the Fourth Amendment Is Not For Sale Act, which would ban the government from buying the data it would otherwise need a warrant to get. The House passed it with a bipartisan majority, 219–199, in April 2024; the Senate never took it up, and when that Congress ended the bill died with it. As of this writing it hasn’t been reintroduced. That it cleared the House once, on a bipartisan vote, and then simply lapsed is the whole story in miniature: the fix is popular, written, and proven votable — and it’s sitting on the shelf for lack of pressure. The loophole is a choice, and choices can be pressured.

And there’s a move you can make right now that’s more than symbolic. Asserting your non-consent explicitly — telling platforms and data collectors, on the record, that you do not agree to this — is not a magic spell that creates a constitutional right. Don’t let anyone tell you it is. But it is a signal of refusal, and we have watched refusal signals become law. The “Global Privacy Control” — a simple browser setting that says “do not sell my data” — started as a voluntary, symbolic flag with no legal force. Then California made honoring it mandatory, and the state’s first major privacy enforcement action, a $1.2 million settlement with Sephora, was for ignoring those signals. Symbolic to enforceable, in a few years.

So when you assert non-consent, you’re doing three real things: building the record that your data was never given voluntarily (the soft spot in the law the brokers rely on), raising awareness, and adding to the pressure that shifts what courts are willing to treat as a “reasonable expectation of privacy.” That standard is not fixed. Carpenter moved it. You’re not claiming a right you don’t have. You’re doing the thing that creates it.

Move 5: Turn off the engine (the upstream fix)

The opt-out treadmill exists because there’s an industry whose entire product is the surveillance that generates the data. You can spend the rest of your life removing yourself from brokers who re-list you next quarter — or the law can ban the business model that makes the data in the first place.

That’s what surveillance-advertising legislation does. The Banning Surveillance Advertising Act, introduced in Congress by Representatives Anna Eshoo and Jan Schakowsky and Senator Cory Booker, would prohibit advertisers from targeting you using your personal data — explicitly including data bought from brokers — while still allowing ads based on what you’re actually reading. It attacks the supply at its source. (It has been introduced, not passed; it’s the model for the fix, not yet the fix.)

There’s a small, sharp irony worth holding onto here. One of that bill’s sponsors, Senator Booker, also turned up on the leaked guest list of Peter Thiel’s secretive “Dialog” society — the same recordless rooms where the people who build the surveillance apparatus meet the officials who are supposed to govern it. The fight over your data runs straight through the same few rooms. Which is exactly why the outside pressure matters.

What this adds up to

Start this afternoon: download Permission Slip, do an opt-out pass, switch your email and your default search. Tell yourself the truth about the limits — none of these tools is a force field, and anyone selling you one is selling you something.

Then go past yourself. Teach a room of neighbors to do what you just did. Learn the name of the bill that would close the loophole, and the name of the one that would turn off the engine, so that when the moment comes to push, you’re not starting from zero.

The two warehouses — the one that holds bodies and the one that holds attention — run on the same fuel: the cheap, frictionless, unconsented harvest of human life as data. The Pope named it colonialism in another form. The way you fight a colonial economy is not by perfecting your own hygiene. It’s by raising the cost of extraction until it isn’t worth it, and by demanding the law that makes it illegal.

Resistance to this is going to be physical and relational — face to face, in rooms, between people who can do for each other what no algorithm can do for anyone. The tools buy you a little room. Teaching multiplies it. And the politics, eventually, closes the door.

Make yourself expensive. Then go make the whole thing expensive, together.

Sources

Reporting & Studies: - Data Defense: Evaluating People-Search Site Removal Services (Consumer Reports, 2024) — the 35%-paid vs. 70%-DIY finding - Proton Mail Is Not for Anonymity (Freedom of the Press Foundation) - Brave Browser’s Affiliate Link Controversy (CoinDesk, 2020) - DuckDuckGo removes carve-out for Microsoft tracking scripts (TechCrunch, 2022) - VPNs: what Consumer Reports found (Consumer Reports) - Closing the Data Broker Loophole (Brennan Center for Justice) - FBI Director Patel confirms warrantless purchase of commercially-available data (NPR, March 2026) — the news peg - ICE Searched LexisNexis Database Over 1 Million Times in Just Seven Months (The Intercept) - ICE used a private utility database (CLEAR) covering 400M+ records (Washington Post / Georgetown) - House Passes Fourth Amendment Is Not For Sale Act (ACLU) - AG Bonta Announces Sephora Settlement (California DOJ) — Global Privacy Control enforcement - US Lawmakers Introduce Banning Surveillance Advertising Act (IAPP)

Tools & Guides: - EFF Surveillance Self-Defense — the canonical free guide - Permission Slip by Consumer Reports — free opt-out app - Big Ass Data Broker Opt-Out List — community DIY map

Related RAMM reporting: - The data-colonialism / two-warehouses series on detention, datacenters, and the surveillance-advertising economy