We’ve all left trails online. Tweets (or, posts now), forum posts, throwaway comments, blurry photos… The internet is a scrapbook we never agreed to curate. With governments pushing digital IDs and tightening surveillance, the rist isn’t just that your old content exists. It’s that it can be weaponized against you.

Maybe your area of the world isn’t looking at digital IDs (yet). That doesn’t mean your online history can’t still impact your life. Imagine a scenario where you apply for a job, the HR person searches online from your name, and finds something they don’t like that you posted in 2018.

Here’s the harsh truth: deleting won’t save you. You must assume every post has already been archived, scraped, or screenshot. The defense is not erasure. It’s strategy.

Why deletion is a mirage

• Archival reality. Search engines, scrapers, and private databases mean your content may live in dozens of places you’ll never see.
• The Streisand trap. Trying to scrub aggressively often highlights what you’re trying to bury.
• Identity linkage. Even if you delete the post, usernames, email ties, and friend graphs can keep pointing back to you.

So stop thinking in terms of erasure. Start thinking in terms of mitigation.

Choose your threat model

Pick the profile that best matches your worst-case worry today. If you’re unsure, just read through them and decide what makes sense.

1. The state-level threat (authoritarian/social credit worry)

Who this is for: You fear a government with near-unlimited resources will link databases, assign scores, and impose sactions. Adversary = nation-state with legal powers, data access, and forensic capability. Maybe this isn’t your government today, but it could be whoever takes office next, or the the next after that.

Assumed capabilities: Access to telecom/CDR, ISP logs, CCTV/biometric systems, corporate databases; legal coercio/subpoena power; sophisticated analytics; long timelines.

What to prioritize (order matters)

1. Physical safety & exit options - plan to get somewhere safe, escape routes, legal emergency contacts.
2. Minimize centralization of your identity - avoid national identity enrollment where possible; insist on paper alternatives. This can be tricky. Vietnam famously erased over 86 million bank accounts when people failed to comply with new biometric verification requirements.
3. Operational security for high-risk activities - air-gapped workflows, burner devices, thorough compartmentalization.
4. Data minimization & plausible deniability - keep minimal traceable footprints.
5. Community resilience - coordinate with trusted networks, lawyers, human-rights orgs.

Concrete actions

• Use air-gapped systems for truly sensitive work (offline laptops, write-to-USB-only workflows).
• Mantain multiple, fully separate physical personas (different devices, SIMs, recovery emails). Never bring them together.
• Use hardware tokens for all critical accounts; keep spares in secure caches.
• Prefer cash and privacy-preserving currencies where safe; avoid registrable payment rails.
• Store an offline vault (encrypted drive, passphrases memorized). Store it in a Faraday bag for bonus points.
• Practice burn-and-replace plans: if a device is compromied, have a known procedure to destroy it and migrate.
• Use secure comms with verification: Signal + safety numbers, Session, SimpleX, DeltaChat, etc., but assume metadata may be available; combine with in-person drops.
• Build relationships with legal aid, civil liberties NGOs, and sympathetic journalists. Document abuses (securely, with redundancy).

Short checklist

• Offline emergency plan (locations, contacts)
• Burnable devices & spares stored separately
• Air-gapped workflows for sensitive files
• Encrypted vault + paper backups (in Faraday?)
• Trusted lawyer/NGO contact list

Read the other posts on this blog on case studies for how people in hostile environments access the internet and participate freely.

Don’ts

• Don’t centralize your ID (single phone + single recovery email + all accounts)
• Don’t assume encryption equals safety if your device is compromised
• Don’t broadcast your plans on mainstream platforms

2. The career/HR threat (someone worried old posts will kill job prospects)

Who this is for: You’re worried a hiring manager or background check will find immature or problematic content and use it to reject you. Adversary = employers, HR background-screeners, casual internet sleuths.

Assumed capabilities: Web search, archived copies, OSINT, shallow correlational linking, social searches by name/email.

Maybe your “adversary” isn’t specifically an HR person, but just someone with similar capabilities.

What to prioritize

1. Reframe & overwhelm - create newer, authoritative content that shows your current character.
2. Compartmentalize public identity - separate professional identity from past casual personal.
3. Remediation for surface damage - targeted takedown requests, privacy settings, and reputation management. This is where you go back and delete your old content, even if that doesn’t mean it’s gone forever. It shows you no longer support what it says.
4. Network buffering - referees, colleagues, and publications that can vouch for you.

Concrete actions

• Claim the top results: Create a professional blog/LinkedIn/Github that ranks for your name. Publish good content regularly.
• Canonical CV & context page: Have a URL that explains yoru growth, mistakes, and current values (framing preempts).
• Use different emails: Your professional email should never be linked to sloppy, old usernames.
• Targeted takedown: For sensitive content on platforms, use their privacy/appeal routes and removal forms, but assume many mirrors exist.
• Change names and identifying data on old accounts: For accounts with problematic content, change the email address, phone number, photo, name, birthday, and as much else as you can to data that does not link back to you.
• Prepare a short script: For interviews, admit, contextualize, move to growth. Practice delivering it calmly.
• Reference network: Have 2-3 people (managers, coworkers) who can vouch and be contactable by HR.
• Audit public accounts: Lock down privacy settings (old Facebook posts to “Only Me”, remove PII). For critical red flags, replace content with new contact that changes SERP.
• Monitor yourself: Set Google Alerts for your name or use a paid monitoring service if high stakes.

Short checklist

• Professional site + canonical narrative page
• Separate work email & accounts
• Reputable references lined up
• Privacy audit of major accounts
• Prepared interview response for resurfaced content

Don’ts

• Don’t over-apologize or delete rashly in public - it looks guilty
• Don’t launch legal threats unless you already have counsel
• Don’t assume recruiters are neutral - some searches are shallow and emotional

3. The activist dual-life threat (you need to protest or organize, but you must keep a real-world life)

Who this is for: You’re politically active and need to organize/research publicly but also hold a job, rent, family life, or legal status. Adversary = a mix of HR (moderate), platforms, and potentially surveillance.

Assumed capabilities: Automated scraping, targeted doxxing, OPSEC mistakes by friends/peers, social engineering.

What to prioritize

1. Compartmentalization with plausible deniability - both public activism and private life must be insulated.
2. Opsec hygiene for collaborators - the weakest link is often a friend who slips.
3. Safe comms & group protocols - threat-model your meetings and files.
4. Narrative management & legal awareness - know what your employer can legally act on and prepare documentation.

Concrete actions

• Two-tier identities: Public activism persona (pseudonymous) + professional persona. Use distinct devices or isolated browser profiles.
• Opsec at meetings: Vet attendees, use registration tokens, use encrypted group chats, prefer in-person or invite-only spaces for sensitive planning.
• Limit PII in organizing platforms: Don’t collect unnecessary real names; use shortlived tokens for sign-ups.
• Training and rules: For your group: “no posting photos of members without consent,” “no meeting notes on personal devices,” etc.
• Compoartmentalized backups: Activist docs encrypted and backed with separate keys from your personal keys.
• If public actions are legal risk: Have legal observerse, know arrest procedures, and have a legal rapid-response fund/contact.
• Social separation: Avoid following or being followed by your professional contacts with your activist accounts, and vice versa.

Short checklist

• Pseudonymous activism account(s) on isolated devices
• Group OPSEC policy document
• Encrypted backups + separate recovery keys
• Legal observer/rapid response plan
• Training for collaborators on metadata risks

Dont’s

• Don’t reuse photos, handle names, or phrases across identities
• Don’t assume private messages are private - platform breaches happen
• Don’t rely solely on goodwill of platforms to protect activists

Cross-model technical knobs (things everyone should consider)

• Hardware tokens: YubiKey/Nitrokey for MFA - reduces account takeover risk.
• Password managers with separated vaults or folders per identity.
• Browser isolation: at minimum separate browser profiles; better: separate browsers or VMs/devices for different identities.
• Air-gapped storage for critical keys and seed phrases.
• Use PGP or age for encrypting sensitive files before cloud storage - trustless encryption.
• Device hygiene: disk encryption, current OS/firmware, minimal installed apps.
• Think like an adversary: write down your worst-case scenarios and test whether your current setup trivially fails them.

Final rules

1. Identify your adversary. Match your complexity to the threat. Don’t overdo state-level OPSEC for a LinkedIn scrape.
2. Compartmentalize first, scrub second. Treat deletion as cosmetic at best. Build boundaries that prevent single points of failure.
3. Own the present. If you can’t erase the past, drown it in a louder, better present.
4. Prepare fallbacks. Every identity should have an exit plan and disposable elements.
5. Get legal & social backup. Tech only buys you so much - lawyers, unions, NGOs, and referees matter.

Your online past is not a prison sentence. It’s a shadow. It only grows dangerous if you leave your present undefined.

Harden your accounts. Build your own narrative. Assume the archive exists, and then live in a way that makes the archive meaningless.