Here is how privacy works today. You read the policy. You dismiss the cookie banner. You hunt through three settings menus for the opt-out toggle that someone deliberately buried. You do this to exercise a right that should have been the default. And while you are still on the first paragraph of the terms of service, every click, scroll, hover, and the exact timing of your keystrokes has already been harvested, packaged, and sold. We have accepted this as normal.
The defensive playbook is the standard answer. Use a VPN. Block trackers. Stay off social media. Self-host what you can. I do most of this, and I recommend it. But it has a structural flaw that bothers me every time I think about it.
Defence Means You Have to Win Every Round
You can only block what you know about. The widget embedded three layers deep in a page you visited once, the analytics SDK bundled into an app you forgot you installed, the new tracking domain that spun up this morning - none of that is on your blocklist yet. The collector only has to slip through once to start building a profile. You have to catch it every single time, on every device, forever.
That is a game of perfect play, and you are not going to play it perfectly. Ad blockers work until a site detects them and degrades your experience. VPNs hide your IP until fingerprinting routes around it. DNS blocking catches known trackers until tomorrow’s domains show up. The economics are lopsided: an industry with billions of dollars of incentive on one side, you and a browser extension on the other.
So I keep coming back to a different question. What if you stopped trying to win every round?
What If the Data Was Worthless?
Imagine you let the collection happen. The tracker fires, the SDK phones home, the profile gets built. But the profile is garbage. The model trained on your data learns the wrong things. The advertiser bidding on your attention is bidding on noise.
That is the shift. Instead of fighting to prevent collection, which you will eventually lose, you make the collected data unreliable. The system still runs. The data it captures is just worthless.
Think of giving a fake name at a coffee shop. The barista still makes your coffee. The loyalty system still logs a visit. But the data point they wrote down points at a person who does not exist. Scale that idea up and you get data poisoning: deliberately feeding misleading, noisy, or corrupted information into the systems that profile you, until the quality drops below the point of usefulness.
This is an old idea wearing new clothes. Resistance groups in occupied territory filed false reports and seeded deliberate misinformation to degrade what their occupiers knew. When you cannot stop the surveillance, you can poison what it learns.
The Tools Already Exist
Here is the part that surprised me when I first dug in: this is not a research curiosity. The tooling ships today, and a lot of it runs in your browser.
AdNauseam clicks every ad it sees, quietly, in the background. To the ad networks you suddenly look interested in baby clothes, retirement homes, skateboards, and farming equipment, all at once. Your profile gets so noisy that targeting you becomes pointless. The network still collects its per-click fee, but the advertiser pays for nothing. Google pulled AdNauseam from the Chrome Web Store, which I take as a decent signal that it does what it claims.
TrackMeNot does the same trick to your search history. It fires off random queries in the background, so your real searches sit buried in a pile of fake ones. The principle behind both tools is simple: if you cannot hide the signal, drown it in noise.
Poisoning AI Training Data
This is where it gets interesting for me, because it lines up with the moment we are in.
Large language models are trained on enormous datasets scraped off the open internet. Your blog posts, your forum replies, your Stack Overflow answers, the things you wrote about yourself - all of it feeds the pipeline. Nobody asked you. Nobody paid you. And there is no meaningful way to pull your contribution back out after the fact.
Nightshade, built at the University of Chicago, adds perturbations to images that your eye cannot see. The picture looks identical to you. To a training pipeline it reads as something else entirely: a dog parses as a cat, a car as a cow. Get enough poisoned images into the dataset and the model’s ability to generate certain content degrades.
Glaze, from the same group, targets artists specifically. It wraps a style cloak around artwork so models cannot learn and replicate an artist’s style, while the art still looks unchanged to humans.
Text gets even more interesting. If you know your writing is being scraped for training, you can embed adversarial patterns into it. Subtly contradictory claims, carefully built edge cases, statements that mislead in context - all of it can drag down model quality in a specific domain. Some sites have started planting invisible text aimed straight at scrapers, a robots.txt with actual teeth. Researchers have shown that poisoning as little as 0.1% of a training set can measurably hurt performance on targeted tasks. Poisoning is cheap. Cleaning a poisoned dataset is expensive. For once, the asymmetry runs in your favour.
Yes, This Is Sabotage. Read the Context.
Some of you are already uncomfortable, and I get it. This looks like vandalism. So let me be honest about the context rather than dodge it.
These companies took your data without asking. They built products worth billions on your creative output, your technical answers, your personal writing, and handed back nothing except “you agreed to our terms.” When a system offers no honest way to leave, obfuscation becomes self-defence.
This is the sovereignty principle applied to data. As I argued in Sovereign Infrastructure, depending on systems you do not control and cannot inspect is a vulnerability. I self-host for that reason, not because it is the easy path. The same logic carries over here. If I cannot control whether my data gets collected, I can at least control what it is worth once it has been taken from me without real consent.
What This Looks Like in Practice
You can start today. None of this requires a lab.
Browser noise:
- Install AdNauseam to poison your ad profile
- Run separate browsers with different personas for different activities
- Clear all cookies now and then to break tracking continuity
Search pollution:
- Use TrackMeNot to generate background queries
- Spread your searches across engines so no single company holds the full picture
AI training resistance:
- Run any visual art through Glaze before you post it
- Think about what signals your scraped content sends to a model
- Use your
robots.txt, while remembering it is a request and not enforcement
Infrastructure level:
- Keep a Pi-hole or AdGuard Home for DNS-level blocking as your baseline
- Hand out per-service email aliases (a catch-all domain makes this trivial)
- Look at tools like Chaff that generate fake browsing traffic
The Obstacles Are Real
I would be selling you something if I skipped the downsides, so here they are.
Resource cost. AdNauseam burns bandwidth clicking ads. TrackMeNot generates traffic. You are spending your own resources to manufacture noise.
Collateral damage. Small publishers who live on ad revenue catch phantom clicks. Those clicks cost advertisers money, which eventually tightens the whole ad market. You might land a hit on people you never meant to.
Arms race. Collectors adapt. Google already blocked AdNauseam from the Chrome Web Store. Expect smarter fingerprinting and better poisoning detection over time.
Legal grey areas. Depending on where you live, some of these techniques may brush up against terms of service or computer fraud law. Know your jurisdiction before you act.
Ethical ambiguity. Poisoning LLM training data hits everyone who uses those models, not only the firm that scraped you. That is a genuine collective action problem, and I do not have a clean answer for it.
These costs are real. Whether they are worth paying depends on how you weigh privacy against convenience, your rights against collective impact, and going on offence against staying on defence.
Closing the Gap
Data poisoning is not a magic fix, and I would not trust anyone who sold it that way. It belongs inside a wider strategy that still includes blocking, self-hosting, encryption, and pushing for stronger privacy law through actual politics.
What it adds is the one thing pure defence cannot give you: it flips the asymmetry of effort. Degrading data is cheap for you and cleaning it is expensive for them. That shift makes mass surveillance less profitable and seeds doubt into systems that only work when the data is clean. You do not have to migrate your whole life to feel it. Pick one tool, run it for a month, and watch what changes.
The point I keep landing on is that hiding is not the only available response to surveillance. You can also make the surveillance unreliable, without breaking anything, just by feeding it data too noisy to use. When you cannot opt out, make them wish you had.
