A privacy consulting tightrope

One thing you should do to maximize your personal privacy is to “change coats,” i.e. burning identities, burning bridges, not keeping a permanent record as often as possible.

To grow a brand or business, you should do the exact opposite. Your name should be stable in time, you should be reachable even years later. There might be nothing worse for a business’ reputation if a satisfied client calls you years later and reaches either a dead number or some old lady halfway across the country.

I’ve been thinking about this topic more and more over the time I’ve been in security. I would love to build a consultancy that helps people, makes me enough money to live comfortably, and brings benefits to people in this cyberpunk dystopia. The one thing that is holding me back is my own fear and paranoia. While I know how to maintain some semblance of security for my own person, but it’s another thing to hide myself (and break no laws) and be an entrepreneur with the same privacy perks. I could, as we say, “take my own hide to the market” and just run an LLC, but if you’re looking for a privacy consultant and can find their house on Google maps in 10 minutes, what good is such a privacy consultant?

I would love to do more work in this field, especially since it’s quite close to my heart (and I have made so many mistakes I got the “Dead-end pioneer” achievement), but the fact remains that I don’t know how to run a private business.

Extreme number one: Be invisible

I could, of course, start the business in a grey zone. Cash or crypto, no records anywhere, and help people disappear. I could probably make tons of dosh in such a system, but my clientelle would only come from the same area: Criminal. In such an extreme scenario, I would have to step up my paranoia game to an extreme, and if I wanted to survive longer than a few years, I would have to sever as many contacts to people I care about, live on the move, and never be in a place for long.

After weighing pros and cons, I must say that I would not like to sell my peace of mind for money.

Extreme number two: Be completely open

The easy way to a privacy consultancy would be a completely public company. My name, my real number, an LLC in my name, a website registered in my real name. This would make business quite a bit easier, since I could make myself as known as I wanted and conduct business with a blessing from the government.

I don’t think I need to explain the downsides, but for the sake of argument: Would you trust a person who consults on privacy, but can be found with a simple google search? I don’t believe so. While this way would be much easier in terms of legality, it would drive people away rather than towards.

A Goldilocks example: Michael Bazzell

An example of a person that made this system work in their favour is Michael Bazzell. You may have heard about his trainings, talks and services he provides. The only information I have heard is what Michael himself said in his podcast. Granted, I haven’t done any deep research on the subject, but as far as I can tell, there are too many traps set in the path to be worth it. I don’t really want to find Michael Bazzell. What would I do with that information?

The way Michael Bazzell can do what he does is part experience, part research. He had to learn these techniques because, as he said himself, he needed to disappear. While I understand this must be a horrifying experience, it also appears to be a great catalyst for learning. If I’m sitting here, pyjamas on, hot cocoa in my hand and my only worry is that I skipped gym this week, it might be a little difficult to adopt these extreme measures. By living through what he had to, Michael appears to have learned how to get lost the hard way.

I have no such discomfort. I have a stable job, am staying under the radar and my claim to criminal fame is a parking ticket when the cop didn’t see me sitting there. There must, however, be some way someone like me to learn how to disappear and have the chance to test stuff out. It’s always to try things out while the sea is calm, because when a storm hits, these skills would surely come in handy.

Why not rip off M.B. and be done with it?

Yes, I have thought about this as well. There is a niche market where I’m from and the demand is not met, not by a long shot. I could just take Bazzell’s books, make a PDF with some simple bullet points even my mum could understand and apply, translate it, and sell it online for pennies on the dollar. Easy cash, right?

Well, the issue lies in translation, specifically. Sure, I can take M.B. word for word, just put it in Google Translate or let ChatGPT write up an essay based on a sentence I provide, but that would still miss the fact that laws vary from country to country. Case in point: Trusts. In the US, you can make a living trust. Michael uses these quite often, as I’m told by him. The issue is, Europe has a fuckton of laws, but trusts seem to be mostly restricted to anglo-saxon law. I am lucky enough to live in a country that did implement trust laws, I can set them up and use them quite freely. However, most countries around me don’t have a suitable equivalent for a trust. I consider myself lucky in this regard.

BUT.

Even though trusts exist and can be used, the way they have been implemented is another matter altogether. In the US, if you make a trust, that documentation is only on paper. Basically a bearer bond for stuff you own. As far as I know, there is no requirement for you to publish the details of a trust anywhere. The only person who knows the identity of a beneficiary/grantor is the trustee (the person administering the trust). This is also the only person that is publicly tied to a trust. The beneficiary can stay secret. I understand why it’s set up this way, you’re a fucking huge country and managing a central registry would be a bureaucratic nightmare.

I live in Europe. I only have to drive 4 hours tops to be in a different country. We are small, therefore, we do have a central registry for trusts. I have looked into it, and while some are set up in a way that protects the beneficiaries, I have also found “Schmidt family trust” with all the beneficiaries public. Is it a bad thing? No, if the Schmidts are not trying to protect their privacy. If they are, they are not going about it in a proper manner.

One better example: In the US, you can get out of using your SSN (Social Security Number) by signing up for an EIN (Employer ID Number). SSNs are considered very sensitive information, but an EIN can be often substituted with no repercussions from Mr. Law man and you get a different number not really tied to you as a human being. There are limits to what an EIN might do for you, but that’s what we want: Variety. Well, guess what? We have a similar thing where I live. A birth number (basically an SSN, but based on the date of birth + some fancy number magic at the end), an ID number (for companies and freelancers) and a Tax ID number (if your business pays VAT). For companies, the company ID is randomly generated and the Tax ID number is derived from that. Usually, these two numbers are identical with letters before or after it. So far so good. But if you’re a freelancer and have to get a Tax ID number because you work with companies abroad, our gracious government has decided it would literally be your entire birth number, including the magic numbers! Sure, if I know when you’ve been born, I can derive the birth number, but I usually don’t have the last 4 digits. If you’ve started a business and got a Tax ID number, I know the whole thing!

I have strayed from the main point, but the summary is this: Not everything M.B. uses in his books can be put to work where I live. Not everything M.B. does in the US would be considered legal, or even possible, where I live. Therefore, the “translation” of his books would have to be a lot more than finding the correct term for “trust.” It would be a search through legal textbooks, consultations with lawyers, and a buttload of paperwork just to find out that “the thing you are proposing is highly illegal in this country” or “the Geneva convention states that…” or “Sir, this is a McDonald’s. Please order or go away.”

What am I going to do about it?

For the time being, nothing. I am happy at the job I’m doing right now, and since it’s security-related, if a client comes up and we see a good fit for some privacy consultancy, I’ll be the first to jump at the opportunity. I’m not going to try and find a way to create a privacy business while obeying all laws and staying private. That’s just too much hassle for very little potential reward, since people don’t often care that much about their privacy. It’s a hard sell if you’re not being actively hunted.

What I might do is create a separate website, in the moonspeak of the locals around me, and just publish what I find. Of course, I’d have to become a guinea pig for that, but on the way, I may actually find a viable way to start a privacy-centered business. This may require some self-searching, aggressive OSINT, or maybe hiring someone else under the pretense of “Hey, find the owner of this company, please.” In the meantime, I will probably enjoy some peace and quiet, reassess my own weak points, and start putting down notes on how I got where I am.

And then I’ll burn everything down to the ground, move to Greenland and live as a hermit.