Ghost Stack
// MODULE-02 · INFRASTRUCTURE
UPGRADE GUIDE

GHOST
STACK
SETUP
GUIDE

The Digital Ghost Protocol removes your existing exposure. This guide builds the infrastructure that prevents it from coming back — alias emails, encrypted browsing, hardened phone settings, and zero-trace browsing habits. All free.

7
Stack Modules
100%
Free Tools Only
~3
Hours to Deploy
Ongoing Protection
// What this guide covers
The Ghost Protocol removes your past exposure. This guide builds a privacy-first technical foundation so new exposure stops accumulating. Each module is independent — deploy them in any order, skip ones that don't apply to your threat model. All tools listed have free tiers that cover everything described.
MOD 01
Email Alias Infrastructure
// Priority: Deploy First

Your primary email address is the single most exposed identifier you have. Every site that gets breached, every form you fill out, every forum you sign up for — they all collect it. The fix: stop giving out your real address entirely. Use aliases that forward to it instead.

SimpleLogin
Creates unlimited email aliases that forward to your real inbox. When an alias gets breached or spammed, you disable it — your real address is never exposed.
Free tier: unlimited aliases · open source · works with any email provider
↗ simplelogin.io
DuckDuckGo Email Protection
Free
@duck.com forwarding address that strips trackers from emails before delivering. Simple to set up, no account switching required.
Free · built-in tracker removal · no signup required beyond browser extension
↗ duckduckgo.com/email
⚠ IMPORTANT Never use an alias for your primary bank, IRS, or healthcare accounts. Aliases are for reducing exposure on low-trust services — not for accounts where delivery failure has real consequences.
MOD 02
Password Manager Setup
// Priority: Critical Foundation

Password reuse is the single most exploited attack vector in credential theft. The solution isn't memorizing more passwords — it's using a password manager to generate and store a unique 20+ character password for every single account. You only need to remember one master password.

Bitwarden
Open-source, end-to-end encrypted, free forever for individuals. Available on every platform. Your vault is encrypted before it leaves your device.
Free forever · open source · cross-platform · self-hostable if desired
↗ bitwarden.com
KeePassXC
Offline Option
Stores your vault locally — no cloud sync, no servers. Maximum security for users who don't trust any third party with their passwords.
Completely offline · open source · no cloud dependency · Windows/Mac/Linux
↗ keepassxc.org
MOD 03
Two-Factor Authentication Hardening
// Priority: Deploy Immediately

2FA stops 99% of automated account takeover attacks. But not all 2FA is equal — SMS-based 2FA can be defeated by SIM-swap attacks in under 10 minutes. Authenticator app-based 2FA cannot. Here's how to upgrade your entire account stack.

2FA Method SIM-Swap Proof Phishing Resistant Works Offline Verdict
SMS / Text Code Avoid
Email OTP Avoid
Authenticator App (TOTP) ~ Use This
Hardware Key (YubiKey) Gold Standard
Aegis Authenticator
Open-source TOTP authenticator for Android. Encrypted backup, export/import support, PIN/biometric lock. Far superior to Google Authenticator.
Free · open source · encrypted local backup · no cloud dependency
↗ getaegis.app
Raivo OTP
Open-source iOS authenticator. iCloud sync with encryption, clean interface, fast scanning. Best free option for iPhone users.
Free · open source · iCloud encrypted backup · Face ID support
↗ raivo-otp.com
1
Primary email account
Your email is the recovery key for every other account. If it falls, everything falls. Enable authenticator 2FA here first.
2
Banking and financial accounts
Every bank, brokerage, PayPal, Venmo, Cash App. If SMS is the only 2FA option, consider calling your bank to ask about adding a security PIN to prevent SIM-swap.
3
Password manager (Bitwarden)
Enable 2FA on your Bitwarden account immediately. This protects the master vault containing all other credentials.
4
Social media and Google/Apple accounts
These accounts are commonly targeted for account takeover and used to impersonate you or access linked apps.
5
Everything else
Enable on any remaining accounts that support it. Takes 2 minutes per account — work through your Bitwarden vault alphabetically.
MOD 04
Browser Privacy Configuration
// Priority: High

Your browser leaks your identity constantly — through fingerprinting, trackers, cookies, and search history. You don't need to switch browsers entirely. These configuration changes reduce 80% of passive tracking with zero impact on your browsing experience.

Firefox
Most configurable mainstream browser. uBlock Origin works perfectly. Total Cookie Protection by default in recent versions blocks cross-site tracking.
Free · open source · strong extension support · EU data protection
↗ mozilla.org/firefox
Brave
Chrome Alternative
Chromium-based with aggressive ad/tracker blocking built in. Good if you need Chrome extensions. Fingerprint randomization included.
Free · Chromium-based · built-in shields · no setup required
↗ brave.com
🛡
uBlock Origin
Best ad and tracker blocker available. Blocks fingerprinting scripts, malicious ads, and data collection networks. Install this before anything else.
Free · Essential
🍪
Cookie AutoDelete
Automatically deletes cookies from sites you're no longer visiting. Prevents cross-site tracking via cookie accumulation.
Free · Recommended
🔒
HTTPS Everywhere / Smart HTTPS
Forces encrypted HTTPS connections on sites that support it. Prevents network-level snooping on your browsing.
Free · Quick Win
🔍
DuckDuckGo (Default Search)
Switch your default search engine. DDG doesn't build a profile on your searches. Settings → Search Engine → DuckDuckGo.
Free · 2 Minutes
MOD 05
Phone Privacy Hardening
// Priority: High

Your phone is the most personal data collection device you own. Every app requests permissions it doesn't need. Location data, contacts, microphone access, and advertising IDs are harvested constantly. These settings disable the worst offenders without breaking your phone.

Android Settings — Run These Now
  • A1
    Reset your Advertising ID
    Settings → Google → Ads → Reset Advertising ID → then select "Delete Advertising ID" if available on your Android version. This disconnects your ad tracking history.
  • A2
    Audit every app's permissions
    Settings → Apps → [each app] → Permissions. Revoke: location (set to "only while using"), microphone, camera, contacts for any app that doesn't absolutely need them.
  • A3
    Disable "Improve Location Accuracy" (Google Location History)
    Settings → Location → Google Location Accuracy → Off. Also: Google Account → Data & Privacy → Location History → Off. This stops Google from building a map of everywhere you go.
  • A4
    Set app installs to "review first" and remove unused apps
    Every installed app is a potential data collection point and breach surface. Delete every app you haven't used in 30 days.
iOS Settings — Run These Now
  • I1
    Enable "Limit Ad Tracking" and reset Advertising Identifier
    Settings → Privacy & Security → Tracking → toggle "Allow Apps to Request to Track" OFF. Then Settings → Privacy → Apple Advertising → disable Personalized Ads.
  • I2
    Set all location services to "While Using" or "Never"
    Settings → Privacy → Location Services. Review every app. Only navigation apps need location always-on. Social apps, keyboards, and utilities should be Never.
  • I3
    Use Hide My Email for Apple Sign-In
    When signing into apps with "Sign in with Apple," always select "Hide My Email." Apple generates a relay address — your real email is never shared with the app.
  • I4
    Enable Lockdown Mode for high-risk users
    Settings → Privacy & Security → Lockdown Mode. Extreme protection that limits attack surface significantly. Not for everyone — blocks some features — but powerful for high-risk individuals.
MOD 06
VPN Selection & Usage Guide
// Priority: Situational

A VPN hides your browsing from your ISP and masks your IP address from websites — but it does NOT make you anonymous. It shifts trust from your ISP to your VPN provider. The free tier of Proton VPN is the only free VPN worth using.

⚠ AVOID FREE VPNs Most free VPN providers sell your browsing data to ad networks — which is the exact privacy violation you're trying to prevent. The only exception: Proton VPN's free tier, which has a verified no-logs policy and is backed by a Swiss privacy law non-profit.
Proton VPN
Unlimited free tier with no data caps. Swiss-based, audited no-logs policy, open source. Slower speeds on free tier but fully functional for privacy.
Free forever · no logs verified · open source · Swiss jurisdiction
↗ protonvpn.com
Mullvad VPN
Paid ($5/mo)
Accepts cash and crypto. No account required — just a random account number. Best option if you want maximum anonymity in the payment itself.
No account needed · accepts cash · Swedish jurisdiction · strong audit history
↗ mullvad.net
MOD 07
Shadow AI Opt-Out Table
// Stop AI Training on Your Data

Every major AI platform is training on user data by default. Most have opt-out mechanisms buried 4–6 settings deep. This module gives you the exact path for each platform. Do this before anything else — these opt-outs do not retroactively remove data already used in training, but they stop future collection.

PLATFORM OPT-OUT PATH WHAT IT STOPS DIFFICULTY
ChatGPT / OpenAI Settings → Data Controls → Disable "Improve the model for everyone" Your chats used in model training EASY
Google / Gemini myaccount.google.com → Data & Privacy → Web & App Activity → Manage → Auto-delete (3 months max) Search + AI assistant history used in training MEDIUM
Meta AI facebook.com/privacy/policy/ → Generative AI → Use of info for AI → Submit objection form Posts, likes, messages used to train Meta AI HARD
Microsoft Copilot account.microsoft.com → Privacy → Activity history → Clear + disable "Send optional diagnostic data" Copilot prompts, Office usage fed to training MEDIUM
Apple Intelligence Settings → Privacy & Security → Analytics → Disable "Share iPhone Analytics" and "Improve Siri" Siri requests, on-device AI learning EASY
Amazon Alexa Alexa app → More → Settings → Alexa Privacy → Manage Your Alexa Data → Auto-delete recordings (3 months) Voice recordings used in speech model training EASY
LinkedIn AI Settings → Data Privacy → Data for Generative AI Improvement → Off Profile, posts, messages used in LinkedIn AI EASY
X / Twitter AI Settings → Privacy and Safety → Grok → Allow your posts to train Grok → Off Tweets, DMs, interactions used to train Grok EASY
Adobe Firefly account.adobe.com → Privacy & Personal Data → Content Analysis → Disable Your content used in Adobe AI training EASY
// PRO TIP

Set a quarterly calendar reminder to re-audit these — platforms silently re-enable AI training after major updates or terms-of-service changes. Takes 15 minutes. Worth it every time.

MOD 08
Private AI: Run Local LLMs
// AI That Never Calls Home

Every query you send to ChatGPT, Gemini, or Copilot is logged, analyzed, and potentially used for training. Local LLMs run 100% on your hardware — no internet connection required, no data sent anywhere. Ollama makes this zero-config on Mac, Windows, and Linux.

// STEP 1 — INSTALL OLLAMA
01
Download Ollama
Visit ollama.com → click Download for your OS (Mac, Windows, Linux). One-click installer. Runs as a background service.
02
Pull Your First Model
Open Terminal / Command Prompt. Run: ollama pull llama3.2 — downloads Meta's Llama 3.2 (2GB). Zero cloud dependency once downloaded.
03
Chat Locally
Run: ollama run llama3.2 — starts a local chat session in your terminal. Or install Open WebUI for a ChatGPT-style browser interface.
04
Add a Private Browser UI (Optional)
Install Open WebUI via Docker: docker run -d -p 3000:8080 ghcr.io/open-webui/open-webui — gives you a full ChatGPT-style interface at localhost:3000, running entirely offline.
// RECOMMENDED MODELS BY USE CASE
ollama pull llama3.2
General purpose. Fast. Best for everyday tasks. 2GB download.
ollama pull mistral
Strong reasoning. Great for writing + analysis. 4GB.
ollama pull phi4-mini
Tiny + fast. Runs on older hardware. 2.5GB.
ollama pull deepseek-r1
Best for code. Comparable to GPT-4 on programming tasks. 7GB.
// MINIMUM HARDWARE
RAM: 8GB minimum, 16GB recommended
Storage: 5–15GB free per model
GPU: Not required — runs on CPU only
// FINAL UPGRADE

Your stack is locked. Now protect your family.

Your partner, kids, and elderly parents are the easiest path around your defenses. The Family Protection Protocol covers AI voice cloning scams, parental digital controls, safe-word protocols, and a full family audit system — in plain language anyone can follow.

GET FAMILY PROTECTION PROTOCOL →
$97 · one-time · instant access
MOD 09
Complete Ghost Stack Summary
// Your Full Infrastructure

Your complete privacy infrastructure when all modules are deployed. Each layer addresses a different exposure vector. Together they form an integrated, zero-cost privacy stack that prevents most passive data collection.

✉️
Email Layer
SimpleLogin aliases shield your real address from all third-party services
SimpleLogin · Free
🔑
Credential Layer
Bitwarden stores unique 20+ char passwords for every single account
Bitwarden · Free
📱
Authentication Layer
Aegis / Raivo TOTP replaces vulnerable SMS 2FA on all critical accounts
Aegis · Free
🌐
Browser Layer
Firefox + uBlock Origin blocks fingerprinting, tracking, and ad networks
Firefox · Free
📲
Device Layer
Permission audits + ad ID reset stop app-level data harvesting
Settings · Free
🔐
Network Layer
Proton VPN encrypts traffic on untrusted networks and masks IP from sites
ProtonVPN · Free
🔍
Exposure Layer
Digital Ghost Protocol removes existing footprint from brokers and search
Ghost Protocol · Done

// Stack Complete

Your Privacy Infrastructure Is Live.

You've removed your past exposure with the Ghost Protocol and built a system that prevents future accumulation. One module remains — protecting your family.

Family Protection Protocol → Available Separately