Security Brutalism and Privacy: A Unified Approach
Part 2 of 3: Digital Footprint
This is the second installment of a three-part series exploring privacy and its intersection with Security Brutalism. In Part 1, we introduced the need to strip away the complexity that has accumulated around modern security and privacy programs in order to uncover the critical common ground between them.
In this post, we shift the focus to an aspect of security and privacy that does not apply to systems or networks, but to the people who manage them and who can themselves become targets of bad actors. We will examine how protecting the digital footprints of individuals and their immediate social circles strengthens not only the enterprise, but also their households and everything in between.
Introduction
Security begins with what we project into the world. Every post, every photo, every “check-in” is a structural weakness that can be mapped, exploited, and weaponized. If an attacker can learn a C-level executive’s travel schedule from LinkedIn, or track a family member’s routine from Instagram, then the organization’s defenses have already been breached, long before a technical control ever comes into play.
This is why personal and corporate digital footprint management must be treated as a baseline control. The boundary between the individual and the enterprise no longer exists; exposure in one dimension becomes vulnerability in the other. Executives, their families, and even staff are all entry points into the organization.
Brutalist Security cuts the noise and hardens what matters, making privacy not optional but survival. Without it, both the person and the organization are exposed. With it, they stand on solid ground.
The Concept
Security Brutalism applied to privacy is raw digital reduction + controlled misinformation. It treats personal data as infrastructure: either load-bearing (necessary) or fluff (dangerous). Everything ornamental (fluff) must be destroyed. Everything that can’t be removed must be polluted. This creates a privacy architecture of void and noise: attackers either see nothing, or they see too much of the wrong thing.
Security Brutalism demands essential, functional, structural defenses. Applied to personal privacy, the principle is simple.
Brutalist ethos applied to privacy:
- Do not project more than you must.
- Strip away what does not serve security.
- Exploit the adversary’s reliance on data by polluting their feed.
The focus is raw survivability in a hostile or denied information landscape.
Framework: Brutalist Privacy and Counterintelligence
1. Minimal Projection (reduce attack surface)
If it doesn’t exist, it can’t be exploited.
- Remove old accounts, scrub inactive profiles, delete unnecessary posts.
- Use deletion services to handle data brokers. Manual purges are prone to miss things.
- Avoid over-sharing on platforms (family details, job info, location, etc.).
Ideal outcome: A flat, uninteresting digital wall. Nothing for attackers to grip.
2. Structural Necessity (keep only what’s required/needed)
Keep what’s functional, discard everything else.
- Retain only accounts/services necessary for work or essential services.
- Use alias emails*, pseudonyms, and compartmentalized identities.
- Configure privacy settings to maximum restriction, but assume they leak anyway.
Ideal outcome: A minimal, hardened skeleton. Digital presence reduced to critical load-bearing elements only.
* An alias is an alternative email address that automatically forwards messages to your main inbox.
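One way to put the alias and compartmentalization points above into practice, as an added example (not code from this series): derive one alias per service from a secret key with HMAC, so aliases cannot be linked to each other and an address that shows up in spam or a breach dump identifies which service exposed it. The domain `alias.example`, the function names, and the demo secret are assumptions; it presumes a catch-all domain or alias service that forwards to your main inbox.

```python
import base64
import hashlib
import hmac

# Assumption: placeholder domain whose mail is forwarded to the real inbox.
ALIAS_DOMAIN = "alias.example"


def service_tag(secret: bytes, service: str) -> str:
    """Derive a stable, unguessable local part for one service."""
    normalized = service.strip().lower()
    digest = hmac.new(secret, normalized.encode("utf-8"), hashlib.sha256).digest()
    # 10 bytes -> exactly 16 base32 characters, no padding, safe in a local part.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def alias_for(secret: bytes, service: str) -> str:
    """Return the alias to hand to `service` and to nobody else."""
    return f"{service_tag(secret, service)}@{ALIAS_DOMAIN}"


def attribute_leak(secret: bytes, leaked_address: str, known_services):
    """Map an address seen in spam or a dump back to the service it was given to."""
    local, _, domain = leaked_address.strip().lower().partition("@")
    if domain != ALIAS_DOMAIN:
        return None
    for service in known_services:
        if hmac.compare_digest(local, service_tag(secret, service)):
            return service
    return None


if __name__ == "__main__":
    # Constructed demo key; a real key comes from secrets.token_bytes(32)
    # and lives in a password manager, not in source code.
    secret = b"constructed-demo-secret"
    services = ["bank", "airline", "newsletter"]  # constructed inventory
    for name in services:
        print(f"{name:12s} -> {alias_for(secret, name)}")
    leaked = alias_for(secret, "airline")
    print("leak traced to:", attribute_leak(secret, leaked, services))
```

Without the key, two aliases reveal nothing about each other or about the owner, and retiring a burned alias affects only the one service it was issued to.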
3. Obfuscation over Illusion (brutalist security and privacy countermeasures)
Do not pretend to be invisible; instead, be structurally confusing.
- Use privacy tools (VPNs, Tor, encrypted comms) not as “cool privacy tools”, but as baseline infrastructure. Make sure data is encrypted, both at rest and in transit.
- Vary behavioral patterns (different logins, device fingerprints, browsing habits).
- Ensure no single “you” exists online: only fragments, some real, some manufactured.
Ideal outcome: Adversaries see raw structures but cannot distinguish signal from noise.
4. Family and Corporate Protection
The perimeter extends beyond the individual.
- Extend minimization practices to family members (kids, spouses, relatives) and immediate support staff (EAs, protective security detail, deputies).
- Remove identifiable company associations from personal accounts.
- Encourage leadership and employees to follow the same brutalist privacy framework.
Ideal outcome: Attackers cannot use personal data as leverage against the company or family.
Advanced (bonus)
5. Counterintelligence via Data Pollution
If erasure is impossible, dilute the value of what remains.
- Seed false or misleading information (alias profiles, fake interests, incorrect personal details).
- Plant decoy trails: alternative names, throwaway accounts, conflicting metadata.
- Pollute automated scrapers, OSINT collectors, and data brokers with contradictions.
Ideal outcome: When adversaries attempt profiling, they face noise and false patterns, making targeting more costly and unreliable, and forcing them to move to a different target.
The Brutalist Privacy Framework (Summary)
- Minimal Projection → Delete unnecessary accounts, stop broadcasting.
- Structural Necessity → Retain only essential, hardened digital elements.
- Counterintelligence via Data Pollution → Flood OSINT channels with false flags.
- Obfuscation over Illusion → Don’t hide; confuse and fragment.
- Family and Corporate Protection → Extend practices beyond yourself.
Digital footprint discipline is not paranoia. It is perimeter management in a world where the perimeter includes people. The same brutalist principles that apply to infrastructure apply to identity: remove what is unnecessary, harden what must remain, and assume visibility equals exposure. When individuals reduce and control their digital presence, they are not only protecting themselves. They are reinforcing the structural integrity of the enterprise, the household, and every system that depends on them.