Your encrypted email is a neon sign: applying the grey man principle to digital privacy
Every security blog, podcast and YouTube channel gives you the same advice. Use ProtonMail. Switch to Signal. Route everything through Tor. Encrypt your hard drive. The message is always the same: encrypt everything and you will be safe.
I have spent more than 25 years in cybersecurity. I have built intelligence platforms for government agencies and I run security operations for a global enterprise. And I am going to tell you something most privacy guides will not: by following that advice to the letter, you may be making yourself a target instead of protecting yourself.
In the survival and preparedness community, there is a well-known concept called the grey man. The idea is simple. The person who blends into a crowd is the person nobody notices, nobody remembers and nobody targets. The grey man does not wear tactical pants and Oakley sunglasses to the grocery store. He does not carry a bag covered in morale patches. He dresses like everyone else, moves like everyone else and disappears into the baseline of his environment.
Now apply that same thinking to your digital life.
Two goals that most advice conflates
Most people are trying to solve one or both of these problems when they think about digital privacy:
Confidentiality — can someone read your message, file or conversation?
Inconspicuousness — do your tools and patterns make you easier to flag, profile or remember?
Encryption is excellent at confidentiality. It is not a complete strategy for inconspicuousness. Most security advice treats them as the same problem, and they are not. The grey man principle is about the second goal: reducing the signal you send to anyone deciding whether to pay attention to you.
The tactical tuxedo problem
When you swap your Gmail address for a ProtonMail address on your business card, you are making a statement. When your email traffic is end-to-end encrypted while everyone around you relies on standard transport encryption, you stand out. When your network traffic routes through Tor while your colleagues browse normally, you are the equivalent of the person wearing a plate carrier at a coffee shop.
You may be more protected. But you have already failed the first test of the grey man: not being noticed.
This is not a theoretical concern. The Snowden disclosures gave us concrete proof. The National Security Agency’s XKeyscore system could be used to identify and flag users of encryption and anonymity tools. Disclosed NSA documents and training materials showed that the system could run queries like “all PGP usage in Iran” and would flag anyone connecting to Tor directory servers for further scrutiny and potential longer-term data retention. The XKeyscore rules explicitly labelled Tails — a privacy-focused Linux distribution — as “a comsec mechanism advocated by extremists on extremist forums.”
The very tools the security community recommends were being used as selectors to identify people for closer surveillance. Using them did not make you invisible. It made you interesting.
Metadata is the real intelligence
Here is something most privacy advice overlooks entirely. Intelligence agencies, law enforcement and even corporate adversaries often derive more value from metadata than from the content of your messages: who you talk to, when, how often and what tools you use.
Edward Snowden said it plainly: metadata is extraordinarily intrusive. As an analyst, he preferred looking at metadata over content because it is quicker, easier and does not lie.
ProtonMail encrypts your message body. Email as a protocol necessarily exposes routing metadata — who you are emailing, when and how frequently — and providers can be compelled to produce certain logs. Subject lines, depending on provider and configuration, may not be end-to-end encrypted either. In 2021, ProtonMail was compelled by a Swiss court order to log the IP address of a French climate activist after French police routed their request through Europol and Swiss authorities. The content was protected. The metadata told the story anyway.
A 2021 FBI training document obtained through a freedom-of-information request laid this out with striking clarity. It catalogued exactly what data the FBI can legally obtain from nine major messaging apps. Signal gives up almost nothing: registration date and last connection date. WhatsApp, on the other hand, provides subscriber records and address book contacts in response to subpoena and search warrant, plus source and destination metadata for every message via pen register updated every 15 minutes, and potentially message content through iCloud backups if enabled and not end-to-end encrypted. The document confirmed what practitioners already knew: even when content encryption holds, metadata can be extraordinarily revealing.
The same pattern applies to most encrypted tools. Signal encrypts your messages end to end. But your phone still registers on a cell tower. Your contacts still generate a social graph. And if a forensic examiner gets physical access to your device, tools like Cellebrite can extract and render message data when a device is unlocked or otherwise accessible — a reminder that end-to-end encryption protects data in transit, not at the endpoint.
Encryption protects your content. It does not make you invisible. That distinction matters enormously.
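To make the email case above concrete, the following added example (not from the original article) parses a constructed PGP/MIME message with Python's standard library and lists what is readable without any key. The addresses, hosts, IP and subject are made-up sample values, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample in PGP/MIME (RFC 3156) layout; every name, host and IP is made up.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Tue, 02 Mar 2021 09:14:07 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Thursday
Date: Tue, 02 Mar 2021 09:14:05 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""

def visible_metadata(raw):
    """Return what any party holding the message can read without a key."""
    msg = message_from_string(raw)
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],  # header field, outside the encrypted part
        "relay_hops": len(msg.get_all("Received", [])),
        # The container type itself announces that the body is encrypted.
        "encrypted": msg.get_content_type() == "multipart/encrypted",
        "protocol": msg.get_param("protocol"),
    }

def readable_body_parts(raw):
    """Content types of the leaf parts: the payload is opaque, the structure is not."""
    msg = message_from_string(raw)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

if __name__ == "__main__":
    for key, value in visible_metadata(RAW).items():
        print(f"{key:11} {value}")
```

Sender, recipient, timestamp, subject and relay path all parse out in clear, and the `multipart/encrypted` content type marks the message as encrypted before anyone looks at the payload.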
Cryptography versus steganography: two different philosophies
This is where the grey man concept maps perfectly to information security, and where most advice goes wrong.
There are two different approaches to secure communication. Cryptography says: you can see that I am communicating, but you cannot read what I am saying. It provides privacy. Steganography says: you do not even know that I am communicating. It provides secrecy.
The grey man’s philosophy is steganographic. He does not wear body armour under a neon vest. He wears a plain jacket and carries a nondescript bag. His protection is real but invisible.
Most security advice is purely cryptographic. It wraps everything in visible encryption and then broadcasts the fact that you are someone who encrypts. To an intelligence analyst or adversary looking for targets of interest, that is a signal, not a shield.
The smartest attackers already understand this. Living off the land (LOTL) techniques are the offensive equivalent of the grey man. Instead of deploying custom malware that triggers every alarm, sophisticated threat actors use PowerShell, Windows Management Instrumentation and other tools already present in the target environment. They blend into normal operations and become nearly undetectable. The grey man defender should think the same way: blend into normal digital patterns while quietly maintaining protection where it counts.
A digital grey man playbook
What does a grey man approach to digital privacy actually look like? It starts with your threat model.
Know your actual adversary. If you are a journalist protecting a source from a nation-state, use Tails and Tor and accept the visibility trade-off because the cost of exposure is higher than the cost of being flagged. But if you are a professional trying to protect your personal data from brokers, credential stuffing and opportunistic criminals — which describes the vast majority of people — the grey man approach is far more effective.
Use mainstream tools with disciplined hygiene. A Gmail account secured with a hardware security key, unique passwords and no third-party app access is harder to compromise than a ProtonMail account with a reused password and no second factor. The Gmail account also generates zero signal that you are a person who prioritizes privacy.
Own your outward identity. Route privately behind the scenes. One of the simplest grey man moves is to avoid making your privacy tool your public identity. Instead of giving out a recognizable “privacy brand” email address, use a neutral personal domain as your outward-facing address and route it to whatever service you trust on the back end. The outer layer is unremarkable. The inner layer is capable. This does not solve metadata, but it eliminates the superficial signal that your vendor choice otherwise broadcasts.
Layer protection inside normal channels. If you need to send a truly sensitive message, encrypt the content within a mainstream platform rather than switching to a conspicuous one. A password-protected attachment sent through Outlook is functionally encrypted and draws no unusual attention, provided you use a strong encryption format and share the passphrase through a separate channel. An encrypted file sent as a normal-looking attachment through a mainstream provider blends into ordinary business traffic.
Compartmentalize instead of centralizing. A common mistake is building a single “secure identity” and using it for everything. A more resilient approach is clear compartmentalization: a mainstream address for shopping, newsletters and low-risk accounts; a work address for corporate life; a privacy-focused workflow reserved for genuinely sensitive exchanges. The point is not secrecy for its own sake. It is limiting blast radius and avoiding the pattern where everything interesting about you lives in one place.
Resist the urge to encrypt everything. Not every message needs end-to-end encryption. Treating your lunch plans and your tax documents with the same level of cryptographic ceremony is like wearing a plate carrier to walk the dog. It wastes effort and draws attention. Apply strong protection where the data justifies it and use normal channels for everything else.
Let mainstream adoption be your camouflage. Signal has crossed a useful threshold: it is now mainstream enough that using it does not automatically signal paranoia. iMessage is even more grey because it is the default messaging platform across a massive installed base of Apple devices — and its end-to-end encryption is built into that default experience. When a security tool becomes widespread enough, using it stops being a signal and starts being baseline. Choose tools that have crossed that line.
Manage operational friction, because friction becomes a signal. When you force everyone around you to adopt unfamiliar, high-assurance tools for routine conversations, two things happen. You become memorable — the person who makes everything complicated. And people create workarounds: screenshots, forwards, copy-pastes, “can you just text me instead?” Those workarounds often erase the security gains you thought you achieved. A practical posture accepts that not every conversation is a high-risk event. Use secure mainstream defaults for routine coordination. Reserve high-assurance channels for high-assurance topics.
Avoid sudden behavioural shifts. Many monitoring systems are less interested in what you do than in how abruptly you change. A sudden pivot from normal app usage to always-on VPN, Tor-only browsing and niche encrypted services is a strong anomaly even if it is motivated by perfectly legitimate privacy concerns. If you are changing your posture, do it gradually and deliberately. The grey man does not suddenly start moving differently from everyone else. He transitions without creating a stimulus that triggers notice.
Mind your digital body language. In the physical world, the grey man avoids sweeping gestures, direct eye contact and anything that projects heightened awareness. The digital equivalent is avoiding privacy-obsessed usernames, not posting about your operational security practices on forums and not configuring your browser so aggressively that websites fingerprint you as unusual. A user running Brave with every tracking shield maxed out, using a VPN from a residential IP and blocking all JavaScript is not invisible. They are a unicorn.
Treat travel as a separate threat model. If you expect enhanced scrutiny at a border crossing or in a high-risk environment, apply the grey man principle directly. Carry a travel device with minimal data and minimal accounts. Use ordinary, supportable configurations. Do not create a puzzle-box posture that invites questions. This is not about defeating lawful processes. It is about reducing unnecessary exposure and avoiding avoidable complexity in environments where you have fewer controls.
When to break grey
There are situations where the grey man approach is the wrong call and maximum encryption is the correct choice, visibility be damned.
Journalists protecting sources under authoritarian regimes. Whistleblowers communicating with oversight bodies. Activists co-ordinating under state surveillance. Human rights workers in hostile countries. In these scenarios, the cost of having your content exposed dramatically outweighs the cost of being flagged as someone who uses encrypted tools. If you are in one of these situations, you already know it, and the full suite of privacy tools exists specifically for you.
But for the vast majority of people who receive generic security advice, the grey man approach delivers a better balance of protection and practicality.
The bottom line
The best security posture is not always the most encrypted one. Sometimes it is the most invisible one.
Real-world security is not a fortress. It is a set of trade-offs. Encryption is necessary. It is not sufficient. Strong tools protect content, but they do not automatically hide relationships, patterns or intent.
If your objective includes “do not stand out,” your strategy should favour secure defaults inside mainstream behaviour, compartmentalization to limit blast radius, selective escalation for genuinely sensitive scenarios and a bias toward boring, stable and supportable choices.
The physical grey man knows that the most dangerous moment is not the confrontation. It is target selection. If you are chosen, you are already at a disadvantage. The same is true in the digital world. Every tool, every habit and every configuration choice you make sends a signal about who you are and what you are protecting. The goal is not to send a signal that says “I have something to hide.” The goal is to send no signal at all.
Stop dressing your digital life in tactical gear. Start blending in.
Ethics statement
This article is intended to support informed discussion about personal digital privacy and security trade-offs. It aims to describe surveillance capabilities, metadata exposure and privacy tool limitations accurately; avoid sensationalism; and distinguish clearly between documented disclosures, publicly reported events and the author’s professional interpretation. Where uncertainty exists — including where tool capabilities, provider policies or legal frameworks may vary by jurisdiction — it is explicitly acknowledged. This article does not advocate unlawful evasion of legal processes, unauthorized circumvention of security controls or any activity intended to obstruct lawful investigations.
Disclaimer
This article is provided for general information and discussion purposes only. It is not legal, security, privacy or professional advice, and it should not be relied upon as such. Technical capabilities, provider policies, encryption implementations, legal frameworks and surveillance practices are subject to change. Threat models, legal obligations and acceptable risk vary by individual, organization and jurisdiction. Any errors or omissions are unintentional. The views expressed are those of the author in a personal capacity and do not represent the views of any employer, client, partner or affiliated organization. Generative AI tools were used to assist with research and editing.