# **The Privacy Maximalist Standard**

## I. Purpose

This standard exists to preserve **jurisdiction over the self**.

Privacy is not an aesthetic, a mood, or a consumer preference. It is a lawful boundary around person, property, movement, association, reserves, intention, and timing. It is the retained power to decide what becomes legible, to whom, under what terms, at what time, and with what recourse.

The aim is not absolute invisibility. The aim is **non-submission**.

This document is therefore not a purity code and not a catalog of tricks. It is a practical standard for reducing unnecessary disclosure, resisting forced correlation, limiting dependence, and preserving continuity under pressure.

---

## II. Governing Law

All sections of this standard answer to four tests:

1. **Reduce disclosure.**
2. **Reduce correlation.**
3. **Reduce non-substitutable dependence.**
4. **Preserve continuity under coercion, compromise, fatigue, incapacity, or death.**

If a control does not serve one of these, it is ornamental.

---

## III. Definitions

**Privacy**
Control over disclosure, correlation, and timing.

**Sovereignty**
Direct control over the systems, credentials, keys, archives, and dependencies that materially determine action.

**Self-custody**
Direct control over keys, signing flow, verification, backups, recovery, and succession.

**Metadata**
Data about timing, relationships, devices, patterns, movement, counterparties, and context. Metadata often exposes more than content.

**Correlation**
The fusion of separate fragments into a unified profile. Correlation is the primary mechanism of capture.

**Compartmentation**
Intentional separation of identities, devices, funds, accounts, and channels so compromise in one domain does not automatically collapse the rest.

**Dependence**
Any condition in which access, continuity, or legibility is materially controlled by another party.

---

## IV. First Principles

1. Every unnecessary disclosure is a property leak.
2. Every identity bridge creates future attack surface.
3. Every public pattern becomes a map.
4. Every non-substitutable convenience becomes a sovereignty risk.
5. Every centralized record tends toward future correlation.
6. Every custody claim not backed by direct control is conditional possession.
7. Encryption without endpoint discipline is decoration.
8. FOSS without scrutiny, simplicity, and survivability is not enough.
9. Bitcoin without privacy becomes surveilled possession.
10. A system too complex to survive stress is already failing.
11. Privacy performance without continuity, courage, and material independence is costume.

---

## V. What This Standard Protects

This standard protects:

* personhood from involuntary indexing
* property from easy mapping and targeting
* reserves from public attribution
* relationships from graph extraction
* speech from unnecessary retention
* movement from routine surveillance
* strategy from premature revelation
* continuity from third-party lockout
* households from preventable spillover compromise

Privacy is not only protection from enemies. It is preserved room for sovereign action.

---

## VI. Threat Model

The privacy maximalist names the adversary before selecting the control.

### Ambient adversaries

Data brokers, analytics systems, cloud retention, merchant tracking, mainstream consumer platforms, behavioral advertising infrastructure.

### Institutional adversaries

Banks, exchanges, compliance vendors, chain analysis firms, employers, insurers, state record systems, large platforms.

### Targeted adversaries

Thieves, extortionists, doxxers, hostile litigants, stalkers, investigative counterparties, malicious insiders.

### Intimate adversaries

Careless partners, relatives, coworkers, contractors, guests, children, household devices, anyone with routine proximity to your environment.

### Structural adversaries

Systems that merge identity, finance, communication, movement, reputation, and behavioral prediction into a single profile.

The usual defeat mode is not dramatic attack. It is **ordinary correlation over time**.
Correlation maps the target. Coercion exploits the map.

---

## VII. Priority Order

A standard fails when it overwhelms. Priority therefore matters.

### Foundation

* identity separation
* self-custody
* strong authentication
* encryption
* metadata minimization
* communication discipline
* vendor minimization
* recurring audit

### Hardening

* role-separated devices or profiles
* wallet-role separation
* browser separation
* reduced phone-number dependence
* household discipline
* physical-world hygiene
* continuity planning

### Adversarial posture

* strict compartmentation
* exposure-aware travel and public routines
* coercion procedures
* incident playbooks
* aggressive dependence reduction
* tightly bounded disclosure

No control is sovereign if it cannot be maintained.

---

## VIII. Privacy Tiers

### Tier I — Baseline Sovereignty

For anyone seeking meaningful reduction of exposure.

Required:

* strong unique passwords
* controlled MFA
* full-disk encryption
* password manager
* separate identities for major functions
* private channels for sensitive communication
* self-custody for meaningful Bitcoin reserves
* no Bitcoin address reuse
* reduced cloud dependence
* recurring audits

### Tier II — Hardened Posture

For high-value operators, public figures, politically exposed persons, or anyone with meaningful reserves or visibility.

Required:

* role-separated devices, profiles, or both
* dedicated signing environment
* wallet-role separation
* browser separation by function
* email separation by function
* minimized phone-number dependence
* hardened household discipline
* explicit continuity and inheritance structure
* independent Bitcoin verification infrastructure

### Tier III — Adversarial Environment

For active scrutiny, harassment, coercion risk, or hostile institutional interest.

Required:

* strict identity compartmentation
* reduced sensor surface
* dedicated communications and financial devices
* public-routine minimization
* prewritten incident procedures
* role-based information release
* aggressive vendor minimization
* high-discipline graph control
* continuity under seizure, lockout, or incapacity

---

## IX. Data Classification

All information is classified before storage, transmission, or disclosure.

**Public**
Safe if exposed.

**Private**
Not for public circulation, but limited damage if leaked.

**Sensitive**
Exposure could cause embarrassment, targeting, moderate financial harm, or relational harm.

**Strategic**
Exposure could reveal structure, reserves, counterparties, plans, or operational architecture.

**Catastrophic**
Exposure could endanger custody, bodily safety, identity boundaries, or continuity.

Rules:

1. Catastrophic information is never handled casually.
2. Strategic information is disclosed strictly on a need-to-know basis.
3. Private information is not treated as harmless merely because it is common.
4. Sensitivity is determined by correlation risk, not by embarrassment alone.

---

## X. Identity Standard

Identity is layered, not singular.

At minimum, distinguish:

* legal identity
* public identity
* work identity
* financial identity
* communications identity
* device identity
* network identity
* travel identity
* residential identity
* Bitcoin-operational identity

Rules:

1. No unnecessary unification of identity layers.
2. No use of a primary identity where a bounded alias or limited persona is sufficient.
3. No reuse of the same contact points across unrelated domains unless required.
4. No durable public bridge between speech and reserves.
5. No assumption that one verified account should anchor all life functions.
6. Identity shards that become overlinked are retired, downgraded, or isolated.
7. Every identity layer must have a purpose, exposure budget, and exit path.

The threat is not only identity collection. The threat is identity fusion.

---

## XI. Anti-Unnecessary KYC Standard

This doctrine is not adolescent anti-law posturing. It is refusal of unnecessary identity coupling.

Rules:

1. Do not disclose identifying information where it is not required.
2. Do not normalize permanent financial autobiography.
3. Do not casually bind legal identity, reserves, communication channels, and movement patterns into one stack.
4. Where disclosure is unavoidable, disclose the minimum required for the function.
5. Track where verified identity has already attached and avoid new bridges without cause.
6. Assume every disclosed record persists and will later be fused with others.

The standard is not “never disclose.”
The standard is: **no unnecessary disclosure, no casual disclosure, no irreversible coupling without clear necessity.**

---

## XII. Custody Standard

Possession means direct control over:

* key generation
* signing flow
* backups
* recovery
* verification
* succession

Rules:

1. Meaningful reserves are self-custodied.
2. Signing environments are dedicated, understood, and bounded.
3. Seeds are never screenshotted, casually duplicated, or stored in plain form in cloud systems.
4. Recovery materials are physically durable and geographically resilient.
5. Recovery is rehearsed.
6. Wallet roles are separated:

   * spending
   * savings
   * public receive
   * business or operational
   * continuity or inheritance
7. No hidden single point of failure is tolerated unless explicitly chosen and understood.
8. Custody architecture remains simple enough to survive stress, aging, and time.

Unrehearsed recovery is fantasy.
Undesigned inheritance is hidden dispossession.

---

## XIII. Bitcoin-Native Privacy Standard

Bitcoin privacy is not branding. It is disciplined behavior.

### Acquisition

Prefer acquisition paths that minimize unnecessary attribution, unnecessary account linkage, and unnecessary long-term identity coupling.

### Verification

Verification outsourced is sovereignty outsourced. Critical financial truth should be confirmed through infrastructure you control or can independently verify.

### UTXO discipline

Every spend is a disclosure event.

Rules:

* no address reuse
* no careless merges
* no blending of public receipts with private reserves
* no unnecessary exposure of ownership structure
* no assumption that private storage cancels sloppy spending
* internal labeling is maintained without externalizing structure

### Wallet-role separation

Long-term savings, active spending, public receive, business activity, and experimentation are not collapsed into one domain.
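The UTXO and wallet-role rules above can be checked mechanically before a transaction is signed. The following is an added example, not part of the original standard: it reviews a proposed input set against locally kept coin labels. The record layout, role names, and function names are assumptions, and the addresses and outpoints are constructed placeholders.

```python
from collections import Counter

# Roles treated as private reserves for the "no blending" rule (assumed names).
PRIVATE_RESERVE_ROLES = {"savings", "continuity"}

# Constructed sample labels kept locally by the wallet owner (not real data).
COINS = [
    {"outpoint": "tx-a:0", "address": "addr-1", "role": "savings"},
    {"outpoint": "tx-b:0", "address": "addr-2", "role": "public_receive"},
    {"outpoint": "tx-c:1", "address": "addr-2", "role": "public_receive"},
    {"outpoint": "tx-d:0", "address": "addr-3", "role": "spending"},
    {"outpoint": "tx-e:0", "address": "addr-4", "role": "spending"},
]


def reused_addresses(coins):
    """Addresses that received more than one coin (address reuse)."""
    counts = Counter(c["address"] for c in coins)
    return sorted(a for a, n in counts.items() if n > 1)


def review_spend(coins, inputs):
    """Return (kind, detail) findings for a proposed input set, before signing."""
    by_outpoint = {c["outpoint"]: c for c in coins}
    findings = []

    # An input without a label cannot be assigned to a role, so flag it.
    unknown = sorted(i for i in inputs if i not in by_outpoint)
    if unknown:
        findings.append(("unlabeled_input", unknown))
    known = [by_outpoint[i] for i in inputs if i in by_outpoint]

    # Inputs spent together are commonly assumed to share one owner,
    # so every multi-address spend links those addresses for an observer.
    addresses = sorted({c["address"] for c in known})
    if len(addresses) > 1:
        findings.append(("addresses_linked", addresses))

    # Merging coins from different wallet roles collapses the role separation.
    roles = sorted({c["role"] for c in known})
    if len(roles) > 1:
        findings.append(("cross_role_merge", roles))

    # Public receipts blended with private reserves.
    blended = sorted(set(roles) & PRIVATE_RESERVE_ROLES)
    if "public_receive" in roles and blended:
        findings.append(("public_receipt_blended", blended))

    # Spending from a reused address extends an already visible cluster.
    reused = set(reused_addresses(coins))
    hit = sorted({c["address"] for c in known if c["address"] in reused})
    if hit:
        findings.append(("reused_address_in_spend", hit))
    return findings


if __name__ == "__main__":
    print("reused:", reused_addresses(COINS))
    for candidate in (["tx-d:0"], ["tx-d:0", "tx-e:0"], ["tx-a:0", "tx-b:0"]):
        print(candidate, "->", review_spend(COINS, candidate))
```

An empty findings list means the proposed spend reveals nothing beyond the single coin it uses; any finding is a disclosure to accept deliberately or avoid by choosing different inputs.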

### Privacy tools

Privacy tools are useful only when their assumptions, limits, and failure modes are understood. Tools do not replace discipline.

### Language

Reject taint language such as “clean” and “dirty” coins. The relevant distinctions are:

* linked or compartmented
* attributed or minimally attributed
* merged or isolated
* surveilled or less disclosed

Bitcoin without privacy decays into transparent possession under observation.

---

## XIV. Encryption Standard

Encryption is mandatory wherever exposure would materially harm sovereignty, reserves, safety, counterparties, or continuity.

Encrypt:

* devices
* backups
* archives
* sensitive notes
* consequence-bearing communications
* any remote storage that must exist at all

Rules:

1. Use strong unique passwords.
2. Use a password manager under your control.
3. Use stronger factors than SMS where possible.
4. Protect recovery paths, not only daily login paths.
5. Protect the secrets that unlock encrypted archives.
6. Do not assume encrypted content hides metadata, timing, or counterparties.
7. Do not place secrets in channels optimized for indexing, forwarding, retention, or search.

Encryption protects content. It does not erase endpoint compromise, recipient weakness, or structural correlation.

---

## XV. FOSS Standard

The default preference for critical systems is free and open-source software, not because openness is magic, but because black boxes demand faith.

Critical tools are judged by:

* inspectability
* simplicity
* project health
* release integrity
* dependency burden
* maintainer trust and capture risk
* community review
* fork and exit viability

Rules:

1. Critical tools should be auditable, replaceable, and survivable.
2. Closed systems should not hold critical keys, archives, or irreplaceable truth unless truly necessary.
3. “Open source” alone does not confer trust.
4. Favor tools that leak less, assume less, and remain usable if their creators disappear.

The best software is not the prettiest. It is the software that minimizes trust.

---

## XVI. Device Standard

Devices are not neutral. They are witnesses, and often sensors.

Rules:

1. Devices are assigned roles.
2. Sensitive functions are not casually mixed with high-noise consumer activity.
3. Full-disk encryption is mandatory.
4. Permissions are denied by default.
5. Unnecessary applications are removed.
6. Ambient collection is minimized.
7. Sync is treated as an exposure decision, not a harmless convenience.
8. Sensitive work is not performed on devices whose primary role is identity aggregation, entertainment, or public browsing.
9. Backup posture is explicit and encrypted.
10. Wearables, smart-home devices, vehicles, and convenience sensors are treated as exposure surfaces.

A phone bound to identity, banking, communication, travel, authentication, and reserves is not a tool. It is an involuntary autobiography.

---

## XVII. Browser and Web Standard

Most ordinary privacy collapse occurs in the browser.

Rules:

1. Browsing roles are separated by profile, browser, or device.
2. Public browsing, financial browsing, work browsing, and sensitive research do not share one persistent identity environment.
3. Extensions are minimized.
4. Accounts are not left signed in without cause.
5. Trackers, cookies, and persistent sessions are treated as identity bridges.
6. Browser sync is disabled unless strictly required and understood.
7. Sensitive web actions are performed in the smallest possible environment.
8. Federated logins are avoided where they create unnecessary identity fusion.

Web privacy is not only about IP. It is about continuity of profile.

---

## XVIII. Network Standard

The network reveals posture, but network privacy alone does not solve correlation.

Rules:

1. Home, travel, and public-network usage are distinguished.
2. Sensitive actions are not performed on unmanaged networks without additional protection.
3. Home networks are segmented.
4. Low-trust devices do not share a trust boundary with critical systems.
5. Routing and DNS choices are treated as privacy decisions.
6. IP exposure matters, but account state, browser state, and device identity often matter more.

---

## XIX. Communication Hygiene Standard

Every communication channel is a jurisdictional choice.

Rules:

1. Channel choice follows consequence.
2. Sensitive communication uses tools designed to reduce unnecessary access and retention.
3. Content is minimized, not merely encrypted.
4. Recipient sets are minimized.
5. Forwarding, screenshots, searchability, syncing, and retention are assumed possible unless actively constrained.
6. Contact lists are not surrendered casually.
7. Strategic, financial, identity-bridging, or reserve-revealing details are not mixed into casual channels.
8. Popularity is not a confidentiality standard.

Communication hygiene includes channel choice, recipient discipline, retention discipline, deletion discipline, and graph discipline.

The best-protected secret is often the one never transmitted.

---

## XX. Third-Party Dependence Standard

The issue is not whether third parties exist. The issue is whether they become root authorities.

Assess every service by asking:

* What does it know?
* What can it correlate?
* Can it freeze or deny access?
* Can it be compelled?
* Can I export from it?
* Can I replace it?
* Can I survive its disappearance?

Rules:

1. No irreplaceable third party should hold critical keys, archives, or identity anchors.
2. No vendor should know more than the function requires.
3. No convenience layer should silently become a sovereign dependency.
4. Every critical service must have an exit path.
5. Vendor-held records are assumed durable and future-correlatable.

Third-party dependence is delayed dispossession unless bounded by substitution, minimization, and explicit design.

---

## XXI. Household and Relational Standard

Many irreversible privacy failures are relational, not technical.

Exposure surfaces include:
partners, relatives, children, guests, coworkers, contractors, shared calendars, shared clouds, household devices, mail, casual speech, photographs, and background details.

Rules:

1. Intimacy is not exemption from boundary.
2. Shared accounts, shared devices, and shared clouds are minimized.
3. Sensitive information is not disclosed internally by emotional default.
4. No household member should accidentally bridge public identity to reserves or architecture.
5. Children and nontechnical household members are not assumed to understand disclosure consequences.
6. Home routines, travel plans, holdings, device roles, and operational structure are not made casually visible.

A privacy posture that excludes the household is fantasy.

---

## XXII. Physical-World Standard

The body in space is part of the privacy stack.

Exposure surfaces include:
mail, shipping, property records, travel patterns, vehicles, hotel logs, conferences, receipts, invoices, packaging, cameras, access-control systems, neighbors, offices, and public routine.

Rules:

1. Do not publicly map residence, movement, or reserve-bearing habits.
2. Do not allow online identity and physical routine to collapse into one easily trackable profile.
3. Delivery, billing, and public-facing addresses are separated where practical.
4. Travel is not publicly announced in advance.
5. Public appearances are treated as exposure events.

Digital privacy without physical-world discipline is incomplete.

---

## XXIII. Social and Behavioral Standard

The greatest leaks are often voluntary.

Common failure channels:
boasting, oversharing, public displays of competence, routine posting, purchase posting, location posting, counterparty posting, irony used as confession, and partial disclosures that become full maps when fused.

Rules:

1. Need-to-know is structural respect, not paranoia.
2. Capability does not require advertisement.
3. Public identity must never imply the full shape of private architecture.
4. Status hunger is an attack surface.
5. Silence is often the strongest compartment.

The privacy maximalist is not obscure for theater. He is bounded by design.

---

## XXIV. Complexity Discipline

Complexity is a hidden adversary.

Rules:

1. Every control must justify its maintenance burden.
2. Every critical process must be executable under fatigue.
3. Every backup plan must remain legible years later.
4. Every compartment must exist for a reason, not for aesthetic purity.
5. Any system that cannot be inherited, audited, or recovered from is unstable.
6. A control that cannot be maintained is not a control.

The goal is not maximal complication. The goal is durable asymmetry.

---

## XXV. Incident Response Standard

Compromise is assumed possible. Procedure therefore precedes panic.

Prepare in advance for:

* lost, stolen, or seized device
* exposed email
* phone-number linkage
* compromised password manager
* exposed recovery material
* address reuse
* linked wallet clusters
* household disclosure
* doxxing attempt
* vendor inquiry
* public leak of movement or location

Minimum requirements:

1. Know what is rotated first.
2. Know what is frozen first.
3. Know what identities are retired first.
4. Know what channels become primary.
5. Know which counterparties must be warned.
6. Know what secondary exposures must be reviewed.
7. Know what public behavior must stop immediately.

Improvisation under stress reveals hidden dependence.

---

## XXVI. Continuity, Incapacity, and Death

A privacy system that dies with the operator, or that collapses into indiscriminate exposure under incapacity, is incomplete.

Rules:

1. Critical custody paths must survive hospitalization, cognitive failure, and death.
2. Heirs or continuity agents receive what they need, not total unnecessary exposure.
3. Succession structures are documented, bounded, and rehearsed.
4. Present-day control is not surrendered merely to create continuity.
5. The system must answer:

   * who can recover
   * under what conditions
   * with what information
   * with what proof
   * with what limits

Sovereignty includes succession.

---

## XXVII. Audit Standard

Privacy decays without review.

### Audit cadence

* quarterly at minimum
* after major travel
* after moving residence
* after device changes
* after custody changes
* after household changes
* after public visibility events
* after institutional scrutiny

### Audit domains

* identity map
* device map
* browser map
* account map
* wallet map
* vendor map
* communication map
* household map
* public exposure map
* recovery and succession map

### Audit questions

* What has become newly linked?
* What third party has become too central?
* What routine has become too legible?
* What identity shard is now overexposed?
* What data exists where it should not exist?
* What control is no longer maintainable?
* What assumptions have silently gone stale?

Audit is not anxiety. Audit is sovereign maintenance.
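The audit question "What has become newly linked?" and the Identity Standard's rule against reusing contact points across domains can be answered from an identity map kept as data. The following is an added example, not part of the original standard: it finds contact points shared between identity layers, follows the links transitively, and compares two audit snapshots. The layer names, identifier format, and function names are assumptions, and both snapshots are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed snapshots: identity layer -> identifiers attached to it.
PREVIOUS = {
    "legal": {"email:legal@example.org", "phone:+10000000001"},
    "public": {"email:pub@example.org"},
    "financial": {"email:fin@example.org", "phone:+10000000001"},
    "bitcoin_ops": {"email:ops@example.org", "device:signing-laptop"},
}
CURRENT = {
    **PREVIOUS,
    "public": {"email:pub@example.org", "device:daily-phone"},
    "communications": {"email:ops@example.org", "device:daily-phone"},
}


def shared_points(identity_map):
    """Return {identifier: sorted layers} for identifiers used by 2+ layers."""
    owners = defaultdict(set)
    for layer, points in identity_map.items():
        for point in points:
            owners[point].add(layer)
    return {p: sorted(ls) for p, ls in owners.items() if len(ls) > 1}


def fused_clusters(identity_map):
    """Group layers that are linked directly or through a chain of shared identifiers."""
    parent = {layer: layer for layer in identity_map}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for layers in shared_points(identity_map).values():
        for other in layers[1:]:
            parent[find(other)] = find(layers[0])

    clusters = defaultdict(list)
    for layer in identity_map:
        clusters[find(layer)].append(layer)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


def linked_pairs(identity_map):
    """Every pair of layers that an observer holding all identifiers could join."""
    return {pair for c in fused_clusters(identity_map) for pair in combinations(c, 2)}


def newly_linked(previous, current):
    """Layer pairs fused in the current audit that were separate in the last one."""
    return sorted(linked_pairs(current) - linked_pairs(previous))


if __name__ == "__main__":
    print("shared identifiers:", shared_points(CURRENT))
    print("fused clusters:", fused_clusters(CURRENT))
    print("newly linked:", newly_linked(PREVIOUS, CURRENT))
```

In the constructed data, the public and Bitcoin-operational layers share no identifier directly, yet they end up in one cluster because the communications layer touches both; transitive bridges of this kind are what a per-identifier review misses.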

---

## XXVIII. Failure Modes

This standard fails through:

* convenience
* ego
* fatigue
* complexity overload
* centralization
* delegation
* opaque tooling
* household leakage
* public routine formation
* false confidence from partial hardening
* legal or institutional pressure
* emergency improvisation
* grief, aging, or incapacity
* confusing encryption with privacy
* confusing self-custody with total sovereignty
* confusing privacy aesthetics with actual asymmetry

Most collapse arrives gradually, through tolerated concessions.

---

## XXIX. Minimal Non-Negotiables

1. Meaningful reserves are self-custodied.
2. Critical financial truth is independently verified.
3. Devices and sensitive archives are encrypted.
4. Strong unique passwords and controlled MFA are mandatory.
5. Identities are separated by function.
6. Wallets are separated by function.
7. Unnecessary KYC and unnecessary identity coupling are refused.
8. Metadata is minimized, not only content exposure.
9. Critical systems minimize black-box dependence.
10. Communication channels match consequence.
11. Browser and account roles are separated.
12. Continuity under compromise, incapacity, and death is planned.
13. The stack is audited regularly.
14. No control is adopted that cannot be maintained.

---

## XXX. Final Principle

Privacy is not the refusal to be seen. It is the refusal to become **involuntarily legible**.

It is the maintained boundary against premature revelation, forced correlation, strategic mapping, and conditional access. It is the preserved right to separate, to withhold, to delay, to compartment, to recover, and to survive the hostility or disappearance of intermediaries.

Self-custody without privacy is exposed custody.
Encryption without discipline is decoration.
FOSS without scrutiny is borrowed confidence.
Bitcoin without privacy is surveilled possession.
Complexity without continuity is vanity.
And privacy without material independence is performance.

Protect the key.
Protect the graph.
Protect the boundary.
Protect continuity.
Protect the right to remain unindexed until disclosure is truly chosen.

Because sovereignty without privacy is costume.
