Cloud Publica Cloud Publica
Technology & Privacy

Privacy Protection: Actionable Steps for 2026

Based on Nicholas Merrill's privacy-first philosophy and current 2026 technologies: concrete steps for phones, WiFi, home devices, and proximity-based protection.

Minimalist smartphone on marble surface representing intentional disconnection

About Nicholas Merrill: Privacy Activist and Entrepreneur

Nicholas Merrill is a pioneering privacy advocate and system administrator best known for being the first person to challenge the National Security Letter (NSL) provision of the USA PATRIOT Act in 2004. After receiving a secret FBI demand for customer data from his ISP, Calyx Internet Access, Merrill spent over a decade fighting the accompanying lifelong gag order, eventually winning the right to speak publicly about the case in 2015.

Recent Developments: Calyx Institute Departure and Phreeli Launch

In 2025, Merrill made two significant moves:

  1. Left the Calyx Institute: After founding the nonprofit in 2010, Merrill departed in 2025 to pursue other projects, causing disruption to CalyxOS development. The organization faced leadership transitions, with both Merrill and lead developer Chirayu Desai leaving, resulting in paused updates and new signing key requirements. [1][2][3]
  2. Launched Phreeli.com: In December 2025, Merrill introduced Phreeli, the world's first privacy-by-design wireless carrier, featured in Wired. [4][5]

The service allows users to sign up with only a ZIP code, using a "Double-Blind Armadillo" cryptographic architecture to separate identity from network activity. [2][6][1]

Actionable Privacy Protection Steps

Based on Merrill's privacy-first philosophy and current 2026 technologies, here are concrete steps to protect yourself across phones, WiFi, and home devices, including proximity-based protection.

Phone Protection

1. Choose Privacy-Respecting Mobile Service

Use Phreeli for Cellular Service

  • What it is: Phreeli is a prepaid MVNO that requires only a ZIP code to sign up, accepts cryptocurrency payments, and uses zero-knowledge proofs to verify service without linking identity to usage. [6][1]
  • How it works: The "Double-Blind Armadillo" system routes operations through a blind mixing service, preventing linkage between user actions and identity. [7]
  • Action: Sign up at phreeli.com using minimal information and pay with cryptocurrency for maximum anonymity. [8][6]
  • Live URL: https://www.phreeli.com/privacy[9]

Alternative: Use Prepaid SIMs with Cash

  • If Phreeli isn't available in your area, purchase prepaid SIM cards with cash at retail locations, avoiding identity verification. [2]

2. Install Privacy-Focused Operating System

CalyxOS (Current Status: Use with Caution)

  • Current situation: As of January 2026, CalyxOS development is on hiatus due to leadership departures. Updates are paused and new signing keys are being implemented. [5][10]
  • Action: If already using CalyxOS, monitor calyxos.org/news for updates on key ceremony and Android 16 QPR1 ports. For new installations, consider alternatives like GrapheneOS until CalyxOS resumes stable releases. [10][11][5]
  • Live URL: https://calyxos.org/news/[10]

Key Features When Active:

  • De-Googled Android with microG
  • Default Signal integration for calls/texts
  • Tor and VPN support built-in
  • No Google Play Services tracking [12][13]

3. Minimize App Permissions and Metadata

Principle: Merrill's approach emphasizes that "if you do not share data, it cannot be compromised". [14]

Actionable Steps:

  • Audit app permissions: Disable location, contacts, microphone, and camera access for all non-essential apps
  • Use Signal for communications: Default to Signal for calls and texts to encrypt metadata [2]
  • Remove bloatware: Uninstall or disable pre-installed apps that collect telemetry
  • Use Shelter work profile: Isolate untrusted apps in a separate work profile to prevent data leakage

4. Enable Network-Level Encryption

Always-on VPN + Tor:

  • Configure CalyxOS or GrapheneOS to route all traffic through Tor via Orbot
  • Use Calyx Institute's no-logs VPN service (if still operational) or Mullvad VPN (accepts cash/crypto) [12]
  • Enable "Always-on VPN" and "Block connections without VPN" in network settings

WiFi Protection

1. Secure Home Router Configuration

Principle: Treat your router as a critical privacy boundary, following Merrill's ISP privacy advocacy. [3]

Actionable Steps:

  • Change default credentials: Replace factory admin username/password
  • Disable WPS: This insecure protocol can be brute-forced
  • Use WPA3 encryption: If available, otherwise WPA2-AES
  • Disable remote management: Prevent ISP or attackers from accessing router settings
  • Enable MAC address filtering: Only allow known devices (though MACs can be spoofed)
  • Disable SSID broadcast: Makes network less visible to casual scanners

2. DNS Privacy

Use Encrypted DNS:

  • Configure router to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)
  • Recommended providers: Quad9 (privacy-focused) or Cloudflare (1.1.1.1)
  • This prevents ISP from seeing your DNS queries, a key metadata source [12]

3. Network Segmentation

Separate Networks for Different Device Types:

  • Main network: For trusted devices (laptops, phones with privacy OS)
  • IoT network: Separate SSID for smart home devices (see below)
  • Guest network: For visitors, isolated from main network
  • VLANs: If your router supports it, use VLANs to isolate networks at layer 2

4. Public WiFi Protection

Never Trust Public Networks:

  • Always use VPN: Connect to VPN before joining public WiFi
  • Disable auto-join: Prevent phone from automatically connecting to open networks
  • Use mobile hotspot instead: If possible, use your Phreeli connection rather than public WiFi
  • Verify network names: Confirm exact SSID with venue staff to avoid evil twin attacks

Home Device Protection

1. IoT Device Management

Principle: Apply Merrill's "privacy by design" to smart home devices. [12]

Actionable Steps:

  • Audit all connected devices: List every IoT device and its data collection practices
  • Disable cloud features: Use local control where possible (Home Assistant, openHAB)
  • Block internet access: Use router firewall rules to prevent IoT devices from phoning home
  • Change default passwords: Many IoT devices have hardcoded credentials
  • Update firmware: Check for updates monthly, or replace if unsupported
  • Physical mute switches: Use devices with hardware mute for microphones (e.g., smart speakers)

2. Smart TV and Streaming Devices

Disable Tracking:

  • Turn off ACR (Automatic Content Recognition) in TV settings
  • Disable personalized ads
  • Use Pi-hole or AdGuard Home to block telemetry domains at DNS level
  • Connect via Ethernet and disable WiFi to reduce broadcast visibility

3. Voice Assistants

Minimize Always-On Listening:

  • Use push-to-talk devices instead of wake-word activation
  • Review and delete voice recordings regularly
  • Disable voice purchasing and sensitive commands
  • Consider removing cloud-based assistants entirely and using local alternatives (Rhasspy, Mycroft)

Proximity-Based Protection

This addresses threats from being near others, even without using your device.

1. Location Tracking Prevention

Cellular Tower Tracking Mitigation:

  • Use Phreeli's architecture: Since Phreeli separates identity from SIM activity, tower logs can't easily be linked to you. [1][6]
  • Airplane mode when idle: Disable cellular radios when not expecting calls
  • Faraday bags: Use RF-blocking pouches (e.g., SLNT, Faraday Defense) when you need guaranteed isolation [2]
  • Disable location services: Turn off GPS, WiFi scanning, and Bluetooth scanning in settings

Bluetooth Beacon Awareness:

  • Disable Bluetooth when not in use: Prevents tracking via retail beacons and contact tracing
  • Disable "Find My" networks: Apple and Google crowdsource location via nearby devices
  • Use BLE spoofing: Some privacy OSes allow randomizing Bluetooth MAC addresses

2. WiFi Probe Request Privacy

Prevent Passive WiFi Tracking:

  • Disable WiFi when not connected: Stops probe requests that reveal your device's presence
  • Use MAC randomization: Enable "Randomized MAC" for each WiFi network (Android 10+)
  • Forget networks after use: Prevents automatic probing for known SSIDs

3. Audio Surveillance Protection

Protect Against Nearby Recording:

  • Use ultrasonic jammer: Devices like the "Ultrasonic Microphone Blocker" emit frequencies that interfere with microphones (legal in most jurisdictions)
  • White noise generators: Place near windows/doors to mask conversations from directional microphones
  • Physical barriers: Soundproofing materials, window film, and door sweeps reduce audio leakage
  • Signal-blocking paint: Paint walls with RF-blocking paint to create a Faraday room

4. Visual Privacy

Prevent Shoulder Surfing and Cameras:

  • Privacy screen protectors: Limit viewing angle to ~30 degrees
  • Camera covers: Physical shutters for laptop and phone cameras
  • IR-reflective glasses: Some glasses reflect infrared light used by hidden cameras
  • Laser detection: Use camera detectors to find hidden surveillance devices in Airbnbs/hotels

5. Social Engineering and Shoulder Surfing Defense

Protect Against Human Proximity Threats:

  • Use privacy screen filters: On phones and laptops in public spaces
  • Beware of "shoulder surfing": Position yourself with back to walls in public
  • Disable lock screen notifications: Prevents message previews from being read
  • Use duress passwords: Some OSes allow a secondary password that wipes data or opens a decoy profile

Advanced Protection: Zero-Trust Architecture

Based on Merrill's "privacy by design" philosophy, implement zero-trust principles: [12]

1. Assume Breach Mentality

  • Compartmentalize data: Use different devices for different purposes (work, personal, sensitive)
  • Encrypt everything: Full disk encryption on all devices, use VeraCrypt for external drives
  • Regular factory resets: Wipe and reinstall phone OS monthly to clear potential malware

2. Metadata Minimization

  • Use Matrix/Element instead of SMS: Decentralized, encrypted messaging with minimal metadata
  • Disable read receipts and typing indicators: Reduces behavioral metadata
  • Schedule message sending: Avoid pattern analysis by sending at random intervals
  • Use Tor Browser for all web activity: Never use regular browsers, even for "innocent" searches

3. Physical Security

  • Never leave devices unattended: Even for seconds in trusted environments
  • Use hardware security keys: YubiKey for 2FA instead of SMS codes
  • Secure boot: Enable on all devices that support it
  • Tamper-evident seals: Place stickers on device screws to detect physical access

Implementation Checklist for January 2026

Immediate Actions (This Week):

  1. Sign up for Phreeli at https://www.phreeli.com/privacy
  2. Audit all app permissions on your phone
  3. Enable MAC randomization for WiFi networks
  4. Change router admin password and disable remote management
  5. Install Signal and set as default SMS app

Short-term (This Month):

  1. Install GrapheneOS or await CalyxOS stable release
  2. Set up Pi-hole or AdGuard Home on home network
  3. Create separate VLANs for IoT devices
  4. Purchase Faraday bag for sensitive situations
  5. Disable Bluetooth and location services when not needed

Long-term (This Quarter):

  1. Migrate all communications to Matrix/Signal
  2. Replace cloud-dependent IoT devices with local-control alternatives
  3. Implement full-disk encryption on all devices
  4. Conduct quarterly privacy audits of all services and devices
  5. Attend FOSDEM 2026 (Jan 31) to learn about latest privacy developments

Key Live URLs (January 2026)

Conclusion

Nicholas Merrill's evolution from challenging FBI surveillance to launching Phreeli demonstrates that effective privacy protection in 2026 requires systemic changes at the carrier and OS level, not just app-level tweaks. The core principle remains: minimize data collection at the source, separate identity from activity, and assume that any data collected will be compromised.

By implementing these steps—switching to Phreeli, using a privacy OS, securing your WiFi network, isolating IoT devices, and employing proximity-based defenses like Faraday bags—you create multiple layers of protection that align with Merrill's "privacy by design" philosophy. The goal is not paranoia, but digital autonomy: living your normal life without feeling watched or exploited. [14][1]

References

  1. Business Wire: Wired Features Nicholas Merrill's Launch of Phreeli. Link.
  2. Wired: New Anonymous Phone Carrier—Sign Up With Nothing But a ZIP Code. Link.
  3. Wikipedia: Nicholas Merrill. Link.
  4. Reddit r/degoogle: CalyxOS founder and tech lead departure. Link.
  5. GrapheneOS discuss: CalyxOS leadership and discontinuation of updates. Link.
  6. ZDNet: Phreeli privacy-first mobile carrier. Link.
  7. Privacy Guides: Calyx Institute founder launches private wireless carrier. Link.
  8. Mobile Industry Review: US privacy-focused MVNO Phreeli. Link.
  9. Phreeli Privacy. Link.
  10. CalyxOS News. Link.
  11. CalyxOS Progress Update Dec 2025. Link.
  12. Calyx Institute About. Link.
  13. Android Authority: Privacy-focused MVNO Phreeli. Link.
  14. Interesting Engineering: Phreeli anonymous phone service launch. Link.