Table of Contents
1. What is OPSEC?
2. Why it matters in 2026 (US & Europe)
3. Threat Modeling
4. Operating Systems
5. Windows Vulnerabilities
6. Smartphones
7. Hardware & Physical Limits of Anonymity
8. The Kernel
9. Browsers & Search Engines
10. VPNs
11. Tor
12. Emails & Messaging Apps
13. Passwords & 2FA
14. Social Media & Digital Footprint
15. Online Behavioral OPSEC
16. Anonymity in the Physical World
17. Ressources
1. What is OPSEC?
OPSEC which stands for Operations Security, originally comes from US military vocabulary. At its core it was a process used by the military to prevent critical information from falling into the wrong hands. Applied to our context, the definition is straightforward : OPSEC is the art of controlling what you reveal about yourself to whom, when, and how.
It covers your digital life and what you do online, your communications and who you talk to and how. It also includes your habits and recurring behaviors that could allow someone to identify you, the computer equipment and devices you use as well as your physical life and offline activities.
OPSEC is not just “put a VPN on and call it a day.” It’s a mindset, a way of thinking before acting.
2. Why It Matters in 2026
A lot of people still think “I have nothing to hide, this doesn’t concern me.” That’s genuinely the weakest argument in existence and here’s why.
On the US side, the PATRIOT Act and its successors are still in full effect. Federal agencies like the NSA, FBI, and CIA collect data on a massive scale including on foreign nationals often without individual warrants in certain legal frameworks. The NSA programs exposed by Snowden in 2013 didn’t disappear : they evolved, modernized and became more discreet.
In 2025 and 2026, several US states passed laws allowing surveillance of digital communications under the banner of national cybersecurity. Data brokers like Acxiom, LexisNexis, and Spokeo legally sell detailed profiles on you like your home address, estimated income, habits and social connections without you ever knowing. The big tech companies build hyper-precise advertising profiles on every user. Google often knows your real-time location, your search history, your purchases and who your close contacts are.
On the European side, the GDPR is supposed to protect you but its enforcement remains inconsistent depending on the country. The EU’s Chat Control project has been hanging over encrypted messaging like a sword of Damocles for years now.
The official goal is to scan private communications to detect illegal content but in practice it would completely destroy end-to-end encryption as a concept. In France specifically, the Intelligence Law, the black boxes installed at ISPs and social media surveillance have all massively expanded since the post-attacks and post-COVID era.
The 2024 SREN law extended surveillance and blocking powers even further. In Germany, the Netherlands, and Sweden, ISP log retention is mandatory and cooperation with Five Eyes intelligence sharing is active.
The “Five Eyes” alliance which includes the United States, the United Kingdom, Canada, Australia and New Zealand along with its extensions, “Nine Eyes” and “Fourteen Eyes” allows governments to share data on their own citizens while circumventing national laws. This is a legal loophole that has existed for decades.
The key point here is that you don’t need to be a criminal to be surveilled. You can be targeted because you hold particular political views because you’re part of a social movement, because you’re a journalist or whistleblower, because you use certain tools like Tor or VPNs that trigger algorithmic attention or simply because you’re a monetizable data point. Privacy is a fundamental right, not a privilege reserved for people with “something to hide.”
3. Threat Modeling
Before talking about any tools, you need to understand the concept of a threat model. This is the most important step that most beginners skip entirely and it’s why they end up either under-protected or massively over-complicating their setup for no real benefit.
The core questions you need to ask yourself are simple :
Who are you protecting yourself against ? Are we talking about advertisers and corporations, your government, malicious individuals, opportunistic hackers or intelligence agencies?
What exactly are you trying to protect ? Your real identity, your location, your communications, your online activities, your finances?
And what are the consequences if that information leaks ? Personal embarrassment, job loss, legal trouble, or physical danger?
For example, an activist living under an authoritarian regime does not have the same threat model as someone who just wants to stop seeing targeted ads. Adapt your efforts accordingly. Don’t overload yourself if your threat model is low but don’t underestimate yourself either.
The fundamental concept that flows directly from threat modeling is compartmentalization. Separate your identities, your activities and your devices. One identity for your professional life, one for your personal public presence, one for sensitive activities. These identities must never cross paths, EVER. A single slip is all it takes to link them together and destroy everything you’ve built.
4. Operating Systems
Your operating system is the foundation of everything. If your OS is compromised or riddled with telemetry, all the tools you put on top of it are practically worthless. This is probably the most critical choice you’ll make in your entire OPSEC setup.
Linux is the starting point for anyone serious about privacy. It’s open source, auditable and modular. For complete beginners who want to transition away from Windows without a brutal learning curve, linux distributions like Ubuntu, Mint or Fedora are excellent starting points. Mint in particular has an interface that feels familiar to Windows users, has a massive support community and works well out of the box on most hardware.
Once you’re comfortable with Linux basics, the more privacy-focused options become accessible.
Tails is an amnesic live operating system that you boot from a USB drive. When you shut it down, everything disappears : no traces left on the host machine. All traffic is routed through Tor by default. It’s ideal for sensitive punctual sessions but not designed for everyday comfortable use.
Whonix takes a different approach by running two separate virtual machines : a Gateway that handles all Tor routing and a Workstation where you actually work. Even if the Workstation gets compromised, an attacker cannot obtain your real IP address because it never touches the Workstation in the first place.
Qubes OS is what many security professionals consider the gold standard for compartmentalization. Every activity runs in a separate virtual machine called a qube : one for work, one for personal browsing, one for sensitive activities, one for your password manager. If one qube gets compromised, all the others remain completely intact. It requires powerful hardware and has a steep learning curve but the security model is very good. Running Whonix inside Qubes OS is considered by many to be the most secure desktop configuration currently available to regular users.
For macOS users, it’s better than Windows for privacy but it remains a proprietary OS. Apple does collect data even if it’s more discreet than Microsoft. With proper hardening it’s usable but you’ll never have the same level of freedom and auditability as with Linux.
5. Windows Vulnerabilities
Windows is the most widely used operating system in the world. It’s also by a significant margin the worst for privacy and you need to understand exactly why before you dismiss this section.
Since Windows 10, Microsoft has baked in massive data collection that is enabled by default and integrated into the system. This includes your browsing history if you use Edge, keystroke logging under the guise of “improving typing”, your location, your application usage history, clipboard content in Windows 11 and diagnostic reports sent to Microsoft servers constantly.
Windows Recall announced in 2024 and progressively rolling out is perhaps the most egregious example. This “feature” takes screenshots of your screen every few seconds and indexes them locally so you can “search your visual history.” In practice it’s an absolute goldmine for anyone with access to your machine or to Microsoft.
On the backdoor and government cooperation side, Microsoft is a known participant in the PRISM program revealed by Snowden. BitLocker encryption keys are saved on Microsoft servers by default when you have a Microsoft account which fundamentally undermines the purpose of drive encryption. Automatic updates can introduce changes to your system without your explicit consent.
Can you harden Windows ? Partially, yes. Tools like O&O ShutUp10, WPD or this software by Chris Titus https://christitus.com/ allow you to disable a significant chunk of telemetry. But you cannot audit the source code, updates can and do reactivate settings you’ve disabled and you fundamentally cannot know what’s running in the background.
6. Smartphones
The smartphone is arguably the most dangerous device you carry from a privacy perspective. It’s a GPS tracker, a microphone and a camera. Treating it with the same seriousness as your desktop OS is absolutely essential.
On the Android side, stock Google Android is a telemetry nightmare. Everything you do feeds back into Google’s data machine. The alternative that the security and privacy community has converged on as the gold standard is GrapheneOS installed on a Google Pixel device (I own one myself and I highly recommend it, you can do a lot with a Google Pixel running GrapheneOS).
GrapheneOS strips out all Google telemetry while keeping the underlying Android security model intact and actually improving on it significantly. It randomizes your MAC address by default to prevent passive WiFi tracking, it has a hardened memory allocator, it sandboxes apps more aggressively and it allows you to run Google Play Services in a completely isolated sandbox if you need access to certain apps : meaning Google’s services can’t see anything outside their own little box. The installation process requires some technical confidence but is very well documented on the official GrapheneOS website and the community on their forum and subreddit is helpful.
For iPhone users, iOS is better than stock Android for privacy but you’re still trusting Apple completely. Apple has cooperated with government requests, iCloud backups can expose your data and the system is entirely closed source and unauditable. If you’re in the Apple ecosystem and switching isn’t an option, disabling iCloud backups for sensitive data, using a strong passcode instead of Face ID (It’s recommended that you disable Face ID) in high-risk situations and being selective about app permissions are the minimum steps.
Disabling WiFi and Bluetooth when you’re not using them costs nothing and meaningfully reduces your passive tracking surface. For the most sensitive situations, airplane mode stops most emissions though some devices continue logging location locally even in airplane mode, which is worth keeping in mind.
7. Hardware & Physical Limits of Anonymity
Every device you own has unique hardware identifiers that can be used to trace you. Your network card has a MAC address, your phone has an IMEI, your hard drive has a serial number, your CPU may have an accessible serial number and your system has a UUID generated at OS installation. Each of these can serve as a fingerprint that links your activity across different contexts if exposed.
The firmware layer is where things get really problematic. The UEFI or BIOS firmware on your motherboard runs before your operating system even loads. Some firmwares contain documented backdoors particularly on enterprise hardware. A sophisticated malware can install itself at the firmware level and survive a complete disk format… Coreboot and Libreboot are open source firmware alternatives available on certain machines most notably older ThinkPad models and they’re worth considering for high-security setups.
Intel Management Engine and AMD Platform Security Processor are perhaps the most troubling elements. These are separate processors embedded directly in modern CPUs. They run their own proprietary operating system, they’re permanently active even when your machine appears to be off or in standby and they have direct access to your memory and network interfaces. The firmware is entirely proprietary and cannot be audited by anyone outside Intel or AMD.
For smartphones, the baseband processor is the equivalent problem. This is a dedicated chip that handles all cellular communications like GSM, LTE, 5G. It runs its own real-time operating system that is completely separate from and inaccessible to Android or iOS. It has access to memory, microphone and location. Nobody outside the manufacturer can audit it and it exists on every single smartphone including those running GrapheneOS.
8. The Kernel
Complete, perfect anonymity does not exist and anyone telling you otherwise is either naive or selling something.
The kernel is the core of an operating system. It manages all interactions between hardware and software and it sees absolutely everything that happens on the system. Even on Linux, the kernel can contain undiscovered bugs, zero-days that no one knows about yet. Kernel modules can be compromised. If the kernel is compromised, nothing running on top of it can be considered truly secure.
Think of it as a stack of trust layers. At the very bottom is the physical hardware which you fundamentally cannot audit at the silicon level. Above that is the firmware which is partially auditable if you’re using Libreboot. Then comes Intel ME or AMD PSP which is not auditable and always present. Then the kernel which is auditable on Linux. Then the operating system and applications which are auditable if they’re open source. Then the network which you can partially control. And at the very top is human behavior which is consistently the weakest link in any security chain.
Every single one of these layers represents a potential attack vector. Cold boot attacks can extract data from RAM immediately after a forced shutdown. Evil maid attacks happen when someone has physical access to your machine while you’re away and installs a hardware keylogger or modifies the firmware. DMA attacks via Thunderbolt or USB-C ports allow direct memory access that bypasses OS-level protections. Supply chain attacks mean the hardware could be compromised before it even reaches you.
9. Browsers & Search Engines
Google Chrome is essentially a data collection tool that happens to also browse the web. Every piece of telemetry goes back to Google, it’s tied to your Google account if you use one and its fingerprinting surface is huge and can be compromised. Microsoft Edge has the same fundamental problems with Microsoft instead of Google. These are not acceptable tools for privacy-conscious use.
LibreWolf is the recommended starting point for beginners. It’s a Firefox fork that comes pre-configured for privacy, telemetry is already removed, uBlock Origin is already installed / configured and sensible defaults are set.
Brave Browser. It’s a popular web browser because it focuses on privacy, speed and security. Unlike many traditional browsers, Brave automatically blocks ads and trackers that follow users across websites, helping pages load faster and reducing data collection. It also offers built-in features such as private browsing with Tor, protection against harmful websites and support for Chrome extensions since it is based on Chromium.
For search engines, Google obviously tracks everything you search to build advertising profiles. DuckDuckGo doesn’t track you and produces reasonable results but it’s based in the US and subject to American law. Startpage acts as a proxy to Google results without the tracking. SearXNG is probably the best option for the privacy-conscious because it’s an open source meta-search engine that you can either self-host or use through a public instance combining results from multiple sources without feeding any single corporation your queries. Brave Search has built its own independent index and doesn’t track users.
About browser extension, uBlock Origin is absolutely non-negotiable ! Install it, keep it updated and use it on every browser. Privacy Badger from the EFF learns to block invisible trackers over time. Cookie AutoDelete purges cookies from sites you’re no longer visiting. Decentraleyes and its successor LocalCDN intercept requests to content delivery networks like Google Fonts or jQuery CDNs.
10. VPNs
VPNs are probably the most misunderstood and most aggressively marketed tool in the entire privacy space.
What a VPN does : it masks your IP address from the websites you visit, it encrypts your traffic between you and the VPN server and it hides your activity from your ISP.
What a VPN does not do : it doesn’t anonymize you completely, it doesn’t protect you if you’re logged into your real accounts, it doesn’t hide your identity if you make behavioral mistakes and it does absolutely nothing against malware.
The fundamental problem with VPNs is that you’re simply displacing trust. You don’t trust your ISP, so you route your traffic through a VPN instead but now you need to trust the VPN provider completely. They can see everything your ISP used to see. If they keep logs and cooperate with authorities, your supposed anonymity is entirely fictional.
Choosing a VPN requires looking at a few hard criteria. The no-logs policy needs to be independently audited by a reputable third party and not just claimed in marketing copy. The client software should ideally be open source. They should accept privacy-respecting payment methods like cash or Monero. A working kill switch that cuts internet access if the VPN drops is essential to prevent IP leaks. And checking whether they’re based in a Five/Nine/Fourteen Eyes jurisdiction is worth doing, though it’s not the only factor.
Mullvad is consistently the top recommendation in the privacy community. It doesn’t require an email address to sign up : you get an account number, nothing else. It accepts cash and Monero. Its no-logs policy has been independently audited multiple times.
ProtonVPN is another strong option based in Switzerland, fully open source and independently audited.
IVPN is smaller but has an equally serious approach to privacy.
On the avoid list : any free VPN (you are the product), PureVPN which cooperated with the FBI despite claiming to keep no logs, IPVanish which transmitted logs it claimed not to keep and Hola VPN which literally routes your traffic through other users’ connections and sells bandwidth.
11. Tor
Tor is a network that anonymizes your traffic by routing it through three encrypted relays : an entry node, a middle node and an exit node before it reaches its destination. Each node only knows the previous and next node in the chain. No single point in the network can see both the origin and the destination simultaneously.
The entry node knows your real IP but not your destination. The exit node knows the destination but not your real IP. The middle node knows neither.
Using Tor incorrectly destroys its protections completely. The most common and most fatal mistake is logging into personal accounts like Google, Facebook, your real forum profile while using Tor. The moment you authenticate, you’ve identified yourself completely, regardless of how many relays your traffic went through. Downloading files and opening them while connected can trigger connections that bypass Tor entirely. Modifying the Tor Browser window size breaks the uniformity that makes all Tor users look identical to fingerprinting systems. Installing extensions in Tor Browser similarly breaks that uniformity. Using HTTP instead of HTTPS means the exit node can read your traffic in plaintext. Torrenting via Tor is both selfish ! It destroys network performance for everyone and can be dangerous as many torrent clients will make connections that reveal your real IP.
The VPN plus Tor debate is ongoing. Routing your traffic as VPN then Tor means your ISP doesn’t see that you’re using Tor and the VPN sees your real IP but not your destination. This is useful if Tor is blocked or flagged in your country. Routing as Tor then VPN means the VPN doesn’t see your real IP but the exit node sees your traffic toward the VPN. In most cases, Tor alone used correctly is sufficient and preferable to adding complexity that introduces new trust requirements.
12. Emails & Messaging Apps
Email is structurally insecure by design. Gmail reads your email content for advertising targeting and hands over data to government requests routinely. Outlook does the same under Microsoft’s framework. Yahoo has had catastrophic breaches. None of these are acceptable for anything sensitive.
ProtonMail is the most widely recommended alternative. It’s based in Switzerland, uses end-to-end encryption between ProtonMail users and has a solid track record.
Tutanota is a German alternative with a similar approach. The important nuance is that end-to-end encryption only works when both sender and recipient are on the same platform : emailing a Gmail user from ProtonMail means ProtonMail can see the message content.
For alias email management, SimpleLogin allows you to create unlimited email aliases that forward to your real address, so you never expose your actual email to services you sign up for. One alias per service and if one starts receiving spam you just disable it.
For messaging, Signal remains the gold standard. It uses the Signal Protocol which provides end-to-end encryption, collects minimal metadata, stores almost nothing on its servers and is fully open source. The protocol itself is so well regarded that WhatsApp uses it for encryption but WhatsApp is owned by Meta, collects enormous amounts of metadata about who you talk to and when and is entirely closed source, making it unacceptable despite the underlying protocol.
Session is a strong alternative to Signal with one major advantage: it doesn’t require a phone number to register. Your identity is just a public key. It runs on a decentralized network.
SimpleX goes even further : there are literally no user identifiers at all in the protocol design, not even a public key that persists across conversations.
Briar is particularly interesting for high-risk situations because it can route messages through Tor and even works peer-to-peer via Bluetooth or WiFi when internet access is unavailable or unsafe.
![[Image: scam.gif]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fstatic.cracked.st%2Fimages%2Fsmilies%2Fscam.gif)
![[Image: ban2.gif]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fstatic.cracked.st%2Fimages%2Fsmilies%2Fban2.gif)
FUCK TELEGRAM DON’T USE IT !
Telegram deserves a specific mention because it’s popular and widely misunderstood as a privacy tool. Regular Telegram chats are not end-to-end encrypted : they’re stored on Telegram’s servers in a format that Telegram can read. Only “Secret Chats” have E2EE and those don’t work in group conversations at all. Telegram has cooperated with authorities in multiple documented cases. It’s a convenient messaging app not a privacy tool !
13. Passwords & 2FA
Using the same password across multiple services means a single breach anywhere gives an attacker access everywhere. Using simple or memorable passwords means they can be cracked or guessed. Storing them in your browser means the browser becomes a single point of failure.
The solution is a password manager. Every single account gets a unique password of at least 16 characters, randomly generated by the manager.
Bitwarden is the top recommendation for most people because it’s fully open source, can be self-hosted (alternative is Vaultwarden https://github.com/dani-garcia/vaultwarden).
KeePassXC is the choice for those who want nothing cloud-connected at all because it’s entirely local, fully open source and the database is just a file you control.
Two-factor authentication adds a second layer that means a stolen password alone isn’t enough to access your account. However, SMS-based 2FA is the weakest form available.
But SIM swapping attacks where an attacker convinces your carrier to transfer your phone number to their SIM are surprisingly easy to execute and completely bypass SMS 2FA. Use a TOTP authenticator app instead.
Aegis is the recommendation for Android : it’s open source, allows encrypted backups of your TOTP seeds and has no telemetry.
Raivo is a reasonable option for iOS.
For the highest level of account security, hardware security keys like YubiKey or Nitrokey are the gold standard (I recommend this method : it’s not that expensive and it’s a good idea to have two -> a main one and a backup). They’re physical devices that must be present to authenticate, making remote attacks essentially impossible.
14. Social Media & Digital Footprint
Every post, every like, every connection you make on social media is building a profile on you. These profiles are sold to data brokers, handed over to governments on request and can be used against you years after the fact in ways you never anticipated when you posted. The permanence of internet content is not a metaphor : IT’S LITTERAL.
The first step is auditing your existing presence. Search your real name on multiple search engines and see what comes up. Check your email addresses on haveibeenpwned.com to see if you’ve been caught in data breaches. Use justdeleteme.com to find instructions for deleting accounts on platforms you no longer use. Every dormant account is a liability : it’s a credential that can be breached, a profile that can be scraped and data sitting in a company’s servers that you’ve lost control of.
When creating new accounts, the rule is strict compartmentalization. Never use “Login with Google” or “Login with Facebook” BECAUSE these services track every site where you’ve authenticated through them. Never reuse usernames across platforms. Search your intended username on Google before using it. You’d be surprised how many people use the same handle everywhere and have inadvertently linked their entire online history. Profile pictures can be run through reverse image search to link pseudonymous accounts to real identities. Loyalty cards at supermarkets and retail chains are tracking systems for your purchasing behavior : physically handed you in exchange for small discounts while they build a detailed model of your consumption habits.
15. Online Behavioral OPSEC
Technology is only one part of the equation. The behavioral side is consistently where people fail and sophisticated adversaries know this. The best encryption in the world doesn’t help if you accidentally tell everyone who you are through your writing patterns and habits.
Every person has a recognizable writing style : choice of vocabulary, sentence structure, punctuation habits, characteristic spelling errors, how you structure arguments. This is called linguistic fingerprinting and automated tools exist specifically to analyze it. If you write in a distinctive way on your pseudonymous account and the same way on your real identity accounts, they can be linked purely through text analysis.
Connection timing is another underestimated vector. If you consistently post between 9am and 6pm Paris time and then disappear on French public holidays, you’ve essentially disclosed your time zone and country to anyone paying attention. Metadata like this accumulates invisibly over time and builds a profile even when you think you’re being careful. The accumulation of small details is how most de-anonymization actually happens.
Never discuss your security setup in detail publicly. Revealing what VPN you use, what OS you run, what your workflow looks like gives an adversary a specific attack surface to target. Before posting anything, ask yourself whether it could contribute to identifying you, not just in isolation but in combination with everything else you’ve ever posted.
16. Anonymity in the Physical World
This section is for the more paranoid among you. If your threat model is average, you don’t need most of this. But if you’ve read this far and your situation warrants serious physical OPSEC, here’s what the real world looks like in 2026.
Public space is massively surveilled in ways that would have seemed dystopian fifteen years ago. CCTV cameras are installed in all major cities. Facial recognition is already in use in the United Kingdom and throughout China and is currently being tested in various pilot projects across Europe and North America. ANPR (automatic number plate recognition) cameras track vehicle movements on a large scale across the entire road network. IMSI catchers, also called Stingrays are fake cell towers deployed by law enforcement that capture the IMEI and communications of every phone in a given area.
Your phone in public is a tracking device by default. Your carrier triangulates your position constantly through cell tower data. Your WiFi radio broadcasts probe requests containing your MAC address while scanning for known networks. Your Bluetooth does the same. For sensitive situations, the only reliable option is leaving the phone behind entirely or putting it in a Faraday bag.
Cash is the correct tool for any purchase that should remain private. Every card transaction is timestamped, geolocated and permanently logged. Contactless payments via Apple Pay or Google Pay add another layer of corporate surveillance on top of the banking layer. For online transactions where privacy is paramount, Monero is the only cryptocurrency that is genuinely private by default. Don’t use Bitcoin because the blockchain is entirely public and transactions can be traced with relatively modest effort.
For public transit, contactless card or app-based payments create a complete log of your movements. Cash tickets where they still exist eliminate this trace. Registered transit passes linked to your identity are a complete movement tracking system. Tollways photograph every plate that passes through and retain that data. Airlines and trains require identity documents making them essentially impossible to use anonymously under normal circumstances.
In terms of visual anonymity in surveilled spaces, the basics are a cap worn low and a mask which meaningfully degrade facial recognition accuracy on most deployed systems. Sunglasses add another layer of disruption. Infrared LED arrays built into glasses or hats can blind infrared cameras used by some recognition systems though their effectiveness varies by system. These are niche tools for extreme scenarios, not everyday measures.
17. Ressources
If you want to go really deep into the details like advanced techniques, hardware, real life and more, I strongly recommend The OPSEC Bible, accessible via Tor :
http://opbible7nans45sg33cbyeiwqmlp5fu7l…5yd.onion/
And for those who don’t have Tor yet or want a solid first clearnet resource :
https://www.privacyguides.org
Privacy Guides is one of the best public references out there, maintained by a serious community, updated regularly, and covering almost every recommended tool and practice. Bookmark both.
And this ebook :
https://mega.nz/file/6l1SCC7Y#uwaMPFO6c7…_fdpkGsAZw
For communities where you can keep learning and ask real questions, the Reddit communities worth following are r/privacy for general privacy discussion with a very active user base, r/PrivacyGuides which is directly connected to the privacyguides.org project and has high-quality discussions, r/TOR for everything related to the Tor network, r/opsec for technical and behavioral OPSEC discussions specifically, r/GrapheneOS if you’re going the mobile privacy route and r/selfhosted if you want to start hosting your own services and reducing dependence on third-party providers.
