
Cybersecurity and Kink - be watchful!

PSA to the BDSM/Kink Community: You have no privacy, you’re all being spied on, and every single Pro-Domme in your community is most likely an intelligence asset.



To those of you reading this, hello. I’m sure that headline I wrote grabbed your attention, either because you just thought the topic was interesting, or because you’re into the BDSM/kink scene and sweating bullets at the possibility of this being true. Regardless, thank you for reading, and I hope you find this informative.


To cut to the chase and answer your question: yes, the headline of this article is very likely true, and it’s very likely far worse than you can imagine. Just so I’m clear, I’m saying that the global BDSM community has been compromised and infiltrated at every level. Every member, especially any Pro-Domme, has had their phones tapped and all their electronic communications dumped and sorted through. Every conversation you’ve ever had, every erotic photo you’ve sent, it’s all been dumped and catalogued.


Who is doing this? Why? How?  These are all questions I’m sure are running through your head right now; and rest assured that I will answer all of them and more in due course. Before I get into that though, let me answer some other questions I’m sure are being asked. Who am I? What proof do I have? And why am I doing this?


The Backstory


For reasons of anonymity, I’ll refrain from giving out any personal info.


Note: For the purposes of this article, I’ll use Singapore’s BDSM community as the case study. I’ll explain why I chose Singapore later, but for now just run with it.


As far as concrete proof? There’s nothing I can offer aside from my own opinion and supporting arguments. And barring a massive leak from an insider, there’s not going to be any documents I can provide showing this is happening.


Then why should you listen to me? Because it doesn’t take an expert to realize this is happening. Anyone with a basic understanding of intelligence gathering (in this case signals intelligence, or SIGINT) and cybersecurity can tell you with reasonable certainty that this is happening; if for no other reason than just how easy it is.


The number of insecure apps you have running on your phone at any given moment (not to mention the security flaws of the phone itself) and the treasure trove of compromising information that a member of the kink scene (especially a pro-domme) could have on their smartphone makes it both incredibly easy and rewarding to spy on you. I’ll dive deeper into the why and how later, but for now, let me ask a question:


To the Singapore kink community: Why is your community allowed to exist? That’s heavy, but I want you to ponder it. You may even come to the same conclusion I have if you’re quick enough. Next, let’s get into the “who” and “why.”


Who, and Why?


(Note: I’ll use the terms BDSM and kink interchangeably in this).


The idea that you’re being spied on is shocking I’m sure. After all, you’re all law-abiding citizens (I hope). Why would anyone want to spy on you? In short, blackmail, but before I get into detail on the who and why I want to make a few important points.


  1. For the duration of this article, I’ll be speaking specifically to the pro-dommes of Singapore’s kink community, since I believe you are the main targets of electronic surveillance. However, this doesn’t mean that dommes are the only targets, just the focus. Personally, I believe everyone in the kink community is being spied on. Some more than others, but spied on nonetheless.

  2. I chose Singapore because it checks a few important points, the main ones being its economic and geopolitical importance. Despite its size, Singapore is an economic powerhouse. It has incredibly strong banking, real estate, and tech sectors, and because of its location it has immense strategic importance as the world’s busiest shipping port. All this has led Singapore to be regarded as the most important economic hub in Southeast Asia. Other reasons include its strong conservative values, and the amount of international business (i.e., travelling rich businessmen) it attracts.


With those points made, I’d also like to include some terminology that is used in the cybersecurity and intelligence communities. Most of these terms you can probably guess the meaning of, but I want to provide clarification just in case. Also, be warned: some terms may not be used as the article explains.


  1. Threat Vector: Any vulnerability that can be exploited to attack someone’s system. Basically a way for me to break into whatever I’m targeting and steal your stuff.

  2. Attack Vector: Like a threat vector, it’s just the one(s) used in an actual attack. Basically, which weapon I choose to use.

  3. Attack Surface: Total number of vulnerabilities present on a given system that can be exploited in an attack. All the ways I can break into your stuff.

  4. Threat Actor: Someone who wants to break into a system. There are six total, but for the purposes of this article we’ll focus on one, state actors/advanced persistent threats (I may write a separate article on the other threat actors you need to worry about).

  5. Zero-Day Exploit: An exploit on a system that the public isn’t aware of yet. These are vulnerabilities that could or are being used by threat actors. The cybersecurity community just hasn’t found out about them yet.

  6. Risk Assessment: An assessment done to determine the threats/risks an organization or entity may face. In the IT world this mainly revolves around cyber threats, but a risk assessment can be applied to any industry.

  7. SIGINT: Stands for signals intelligence; it means any intel gained from electronic communications that are vulnerable (hint, they all are).

  8. Honeypot: Espionage term for using a planned sexual/intimate encounter to obtain/create blackmail material. This is one of the oldest and most popular techniques in espionage because of how effective it is.


Okay, back to blackmail. To understand why the Singaporean govt. would want to spy on you, let’s use one of the terms I just listed: risk assessments. Again, risk assessments are used in a wide range of industries to help organizations protect their assets. To do this, they look at two categories: threats and vulnerabilities; threats being people/things that could or want to harm us, and vulnerabilities being any weakness that can be exploited.


Now, for Singapore, the risk assessment is going to be huge in scope. You have multiple categories to consider ranging from economic, social issues, environmental factors, to international politics/relations and so on. For the sake of time, let’s stick to one: international politics/relations.


When I say international politics, I mean the relationship that Singapore has with other countries, and how that plays into its economic status and overall sovereignty. In terms of overall risk, one of Singapore’s biggest threats, if not the biggest, is China. This may be confusing to some given the close economic ties between both countries, but this doesn’t prevent them from being rivals (just look at the U.S and China).


China poses a threat to Singapore in multiple areas. One example would be the Thai Canal, a project that has been discussed for years and would create an Asian version of the Panama Canal through Thailand that would bypass the Malacca Straits, significantly reducing shipping times and costs. Now, Singapore obviously doesn’t want this to happen; it would ruin their position as an international shipping hub and cause catastrophic damage to their economy.

China, however, does. Despite its export-oriented economy, China still imports a large amount of natural resources, including oil, and it relies on international shipping to do this. Having an artificial shipping canal through Thailand to transport its goods through would serve China’s interests from both an economic and security standpoint by cutting down shipping costs/time and shipping the goods through a country that isn’t a major U.S ally (more on that soon). China has signaled interest in funding the project, and if it were to be a significant investor it would likely have a lot of control over the canal.

China also poses a significant threat to Singapore’s security and sovereignty. Why? Well, aside from being run by a ruthless dictatorship with aspirations for global domination, any regional conflict involving China would also draw the U.S in. And Singapore would play a very important role in that conflict. Remember, Singapore is the world’s largest maritime shipping hub, and a lot of the oil that China buys from the Middle East flows through the Malacca Straits. Any hypothetical war against China would involve the U.S (or any rival) trying to cut off China’s supply lines. In addition, Singapore is a major logistical resupply and repair centre for the U.S Navy, whose ships make regular port calls to Singapore. The Changi Naval base is one of the few bases globally that can accommodate a U.S aircraft carrier, and there is a logistical command unit stationed in Singapore that helps coordinate U.S navy efforts in the region.


The Singaporean government knows this, and they know that if a war were to break out between China and the U.S, both sides would immediately begin applying pressure to Singapore (who would do everything in its power to remain neutral) and force it to pick a side.


I can guarantee that Singapore has run multiple scenarios on this, and they are also well aware that, if they were somehow forced into siding against China, they wouldn’t stand a chance. China’s military is around 2,000,000, roughly 40% of Singapore’s entire population (50% if you exclude non-citizens). And that isn’t taking into account the millions of soldiers they could draft if needed. Hell, if we’re just talking about China trying to deny the U.S access to Singapore, all they’d have to do is threaten to launch a few dozen of the hundreds of ICBMs they have at Singapore’s military or critical infrastructure. And again, Singapore knows all this.


So how does spying on a bunch of kinksters and Pro-Dommes factor into this? Since Singapore is outclassed from a military perspective, it would have to turn to other means to gain an edge. This is where intelligence gathering comes in. There are endless reasons why Singapore (or any nation for that matter) would want to cultivate intelligence assets in another country. In this case, Singapore is looking for any information that could affect its security. Ideally, they’ll want to get it from both SIGINT and HUMINT sources to cover all their bases, so in addition to trying to intercept electronic communications (text message, email) they’ll also try to cultivate assets who have access inside China.


Okay, so who do you target? Ideally government officials, but a good alternative would be businessmen, since business and government in China are closely tied together (state-owned companies, for example) and many Chinese businessmen are relatives of CCP members.


To cultivate these assets, traditionally blackmail material would be used, ideally embarrassing personal info (something sex related) or proof of corruption. Now, in China’s case, blackmail through proof of corruption isn’t going to get very far since corruption is built into every level of China’s government. So that leaves personal info, and the best kind is, again, anything sexually related, things like cheating, being gay, or having weird/taboo fetishes.


Great, so now Singapore just has to develop an intelligence gathering network to get all those juicy devious secrets, right? Wait, no they don’t, because that intelligence network already exists.


Remember that question I asked earlier? Why is the Singapore kink community allowed to exist? Well, it’s probably because the Singaporean government is using you all as a massive honeypot. To any intelligence community, the amount of blackmail that could be gathered from you is a figurative goldmine, and all it would probably take is a few phone calls (more on the technical side later).


If this is hard to believe, consider the following. Singapore does not have a very kind view on pornography or sex work in general.  For those reading this that aren’t in Singapore, pornography isn’t banned outright, but the laws surrounding it are so strict that it might as well be. You can’t possess, share, make, or show it, just watch it. How Singapore defines porn is also very broad. Under Singaporean law, pornography is considered obscene content. Obscene content is defined as any content that could corrupt or deprave the minds of viewers, which is a very VERY broad interpretation, and kink/BDSM would definitely fall under it.


Scrolling through some of your (Pro-Dommes) X profiles, I can easily find content that authorities would consider obscene. Now, penalties for this in Singaporean law can range from a fine to imprisonment. A local case from late 2021 had a SG local OnlyFans creator named Titus Low Kaide get charged with posting obscene photos and videos to his account. He was eventually fined $3,000 SGD and given a 3-week jail sentence.


Now consider the average Singaporean view towards something like BDSM, especially the older generation. Even though it’s been steadily growing in popularity amongst the younger crowds, it is still very taboo and generally unaccepted. A perfect example of this would be the cancelled rope bondage event that was supposed to take place in September 2020. Back in 2020 a group at National Singapore University called TFreedom wanted to host an event. It was swiftly cancelled after sparking outrage, and a petition against the event got almost 12,000 signatures, with the petition’s organizer saying it promoted “violent sexual fetishes.” A counter-petition in support of the event only got about 2,500 signatures.

So considering all this, how could the Singaporean govt. ever consider allowing you to operate unimpeded? Pretty much every single kink or fetish you have is probably looked at with disgust by the average Singaporean, especially the older generations. Shibari? Impact play? Humiliation? Financial domination (findom), which is basically just glorified simping? Pegging? Swinging?


Everything you do would certainly be obscene under Singaporean law. You possess and are actively sharing videos/photos of it on X and other places like Telegram (not as secure as you think). And even if the stuff you post wasn’t illegal, the mass disgust that Singaporean society would have towards it would probably cause the laws to be changed so it is.


The last thing the Singaporean govt. wants are women becoming Pro-Dommes or OnlyFans models and men going broke to vie for their attention. They want people to get married and have kids, start businesses, hold regular jobs, etc.

So why haven’t they clamped down yet? Are you too small to be considered a problem? Doubtful, and even then, that’s probably more of a reason to crack down now. Stamp you out before you become a bigger issue.


So, what’s the reason? Again, I propose it’s because they’re using you as an ad-hoc intelligence network. I’d like to believe that’s not the case, but I’m not that naïve.


*** Note: To anyone else not in Singapore that’s reading this. If you’re active in the lifestyle and you live in a very conservative country/city cough cough Dubai and you wonder why the authorities haven’t clamped down on your community yet. Well, this might be why.



How?


So how is all this going to work? How big is it, and what tools are they using? If I were the person in charge of this operation this is how I would do it. Not saying this is how it’s actually being run, this is just my thought process and how I would do it.


The first thing is to establish scope. How big is this going to be? We’ve already established our targets, the kind of data we want, and what our priorities are (protect Singapore and her interests). So now we need to establish what data we’re going to prioritize, which will be based on our targets.


To make things simple, we’ll use three categories. Tiers 1, 2, and 3 with Tier 1 being the highest. Here’s the breakdown:


  1. Tier 1: Priority, this is going to be any incriminating data that can be linked to Chinese businessmen. Ideally, you’d want to snag govt. officials, but I doubt you’re landing fish that big. Foreigners who do frequent business in China may also be targets, but given China’s insular culture (they’re not Chinese) I doubt they’re hearing anything important.

  2. Tier 2: Blackmail on targets that aren’t a priority, but it would still be good to have. These are mainly going to be foreign businessmen or officials from countries aside from China, and they’ll be targeted for the same reasons Chinese businessmen are.

  3. Tier 3: Everyone else, these are likely just going to be low-level foreigners and locals that are just starting their careers (entry level employees, college seniors, etc.). They’re not useful yet, but given a few years after they’ve gained experience/promotions they could have access to info the Singaporean govt. would want.


After priorities are established, we can begin with the collection. How is this going to happen? Are they going to hack your phones? Do a SIM swap attack? No, they’re probably going to just make a phone call. The path of least resistance is the best, and this is a state actor you’re dealing with. They have access to more tools than you can think of, and one of them is just leveraging companies for your info. If you need an example, just look at the level of cooperation the U.S intelligence community has with tech companies like Google and Facebook.


All they’d have to do is call whoever your telecom provider is and ask for a copy of all your text messages or calls. Hell, given the level of surveillance already in Singapore they may not even need that. There may already be a backdoor in your telecom provider’s system that intelligence services can use to dump your info whenever they want.


After that comes analysis and sorting. I want to make a point here that I think is important. While the size and scope of this operation may be huge in terms of collection, the actual manpower involved is likely going to be small. Maybe a team of just 20 or so (that’s just a wild guess). In the old days, a large team of analysts would have gone through your info by hand, but those days are long gone. Now, they’ll be using some sort of algorithm that’s been developed/trained to sort through your data. That curated data will be combed through by a team of analysts, and anything of interest will work its way up into the hands of case officers who will decide which assets to cultivate. The only limit is how quickly and accurately data can be processed.


And that’s it. That’s how easy it would be. At least in terms of collection and analysis.


Now, I’d like to go into the technical details of how they’re able to do this and give a brief overview of just how many tools a state actor would have to compromise your “private” communications and just how vulnerable you are, because I’m sure there’s some denial going on right now.


Before I do though, here’s a quick summary. To any pro-domme reading along, understand this: no matter what form of electronic communication you use, email, SMS, messaging apps, whether it’s encrypted or not, it’s compromised.

Let’s do a quick breakdown of what, if anything, you’re using to protect client privacy electronically; and, at a glance, there’s not much. Looking through the websites of various Dommes in Singapore, most are using Google Dropbox or Gmail as a way to establish contact and vet potential clients. Some are using the messaging app Telegram, but as I mentioned earlier, it’s not as secure as you think it is.


First, Gmail. While Gmail may offer email encryption, the encryption is not end-to-end, and Google holds the keys used to encrypt your emails (which are stored on their servers). So if anyone, like a state actor, comes knocking, Google can hand over all your emails to them if asked. There’s also the fact that Google sells your info and has used the service to track your purchases and has scanned your emails for advertising. Good rule of thumb, if a service is being offered to you for free, then YOU ARE THE PRODUCT.


Second, Telegram. Encryption isn’t enabled by default. You have to turn it on manually and even then, this is only for messages between individual users, NOT GROUP CHATS. They also store chat messages on their servers, which they can read. They also collect users’ IP addresses and metadata. Finally, while they say they’ve never shared data with any government, an article in the German news site Der Spiegel claims they actively share data with the German government. So, make of this info what you will.


Now, let’s assume that some of you Dommes are more security-minded than your peers. Maybe you know how insecure telecom providers are and you’ve moved away from that to VoIP and wi-fi only communications with apps like Signal or Sessions. Or maybe you use an encrypted email service like ProtonMail or Tutanota instead of Gmail. Great! It still doesn’t matter.


Even if the application you use is end-to-end encrypted, the amount of software vulnerabilities on your phone (which I assume is what you’re using to communicate) from all the apps you’ve downloaded would make accessing those encrypted messages incredibly easy. Every single app you use (banking, email, social media) introduces an untold number of threat vectors that increases your phone’s total attack surface by an immense amount. Even if you were forward thinking and had a separate phone that was strictly for work, disconnected from any cellular service, and had only the bare minimum of apps needed to do your job (and ideally paid for in cash), there are a number of zero-days on a phone’s hardware and OS that could be leveraged to gain access.


Even if you somehow managed to find a completely secure phone and messaging app (which doesn’t exist), if those emails or messages are stored on someone else’s servers (like Gmail or Telegram) all I’d need to do is just ask for them and whoever has your info will give it to me. If they refuse? Then I can just use a warrant. That’s what happened with ProtonMail, one of the encrypted email services I mentioned earlier. They got issued a court order to hand over private communications to French authorities. Who were the French going after? Terrorists? Drug traffickers? No, they were going after a climate activist. And they were able to arrest him because of the info ProtonMail provided. How many court orders does ProtonMail receive? In their 2022 annual transparency report they received 6,995, 5,957 of which they complied with. The others they contested, but that just means they probably put up a fight before the courts overruled them and forced them to grant access.


Need another example? In 2021, U.S political commentator and journalist Tucker Carlson made allegations that his Signal account (another private messaging app) had been hacked by the NSA and that private messages related to a requested interview with Vladimir Putin were going to be leaked. Did the NSA obtain these messages by breaking Signal’s encryption? Likely no, again the path of least resistance. The NSA probably used a zero-day exploit in one of the apps on Tucker’s phone, or on the OS itself, or they just went to his cell provider.


Beginning to see the picture? There’s no safe harbor, no application you can use that will guarantee you or your clients’ privacy. You’re outclassed in every way that matters. You’re going up against teams of hackers and analysts whose entire job revolves around finding ways to break into your shit. While you were spending years learning how to be a domme, they were spending years learning how to exploit your systems, and they have limitless resources at their disposal. Even if you somehow managed to lock down everything, you’re just one person, all they’d have to do is wait for you to make a mistake, and trust me, you will.


So is that it? Is there no hope? Are you all screwed? Well, yes and no. Again, there’s nothing you can do that’s foolproof. There are, however, steps you can take that would at least make it harder for people to get a hold of your information, but this is going to depend on changing your personal habits and how you communicate rather than what phone or app you use.

First, before we talk about possible counter measures, there’s something you need to do. Fact check me, run everything I’ve said through with anyone in the cybersecurity community that you trust and see if they agree with my claims. I may be the first to write about this, but that doesn’t mean I’m right. There’s a lot I could be wrong about and I hope this is just a paranoid delusion, but my research into this tells me I’m not. So, leverage any contacts you have (I know the community is mostly white collar) and see what they have to say.



Possible Countermeasures


Okay, if you’re reading this far then that means you’ve (hopefully) reached out to some other contacts in the cybersecurity community to confirm my suspicions. With that done, we’ll talk about possible steps you can take to make your information more secure and help protect your and your clients’ privacy.


Before I get into this though, let me make some more disclaimers (sorry!).

  1. The recommendations I’m going to make are just generalizations based on what little I know about your (the Singapore BDSM community) situation. Take my recommendations into consideration and use them as a baseline, but the only one who will know what’s best in terms of protecting your privacy is you. You understand your circumstances better than anyone else.

  2. Tying into point 1, these recommendations are directed at the Singapore BDSM community and its unique circumstances. What your threat model looks like (who’s trying to steal your info) will depend on your situation. There isn’t a “one size fits all” to this so before you consider any of my recommendations, consider your own situation. How are you vulnerable, and what resources are at your disposal?

  3. As always, take everything I say with a truckload of salt. Get second and third opinions from people you can trust. I’m just a stranger on the Internet, so verify everything I say.


Disclaimers are done, but I have one final thing that I need to say, and unlike my previous statements about seeking informed opinions, this isn’t something you need to cross-check with anyone else, because you know it’s true.

Before you even begin to consider what appropriate counter measures you need to take, you need to inform all your clients about the fact that you’re probably compromised. That may shock some of you, but it’s the truth. You promised your clients complete privacy and discretion and unfortunately (through no fault of your own) that is a complete lie. It’s very likely you’ve been spied on and it’s very likely that the personal info of your clients has been compromised.


It sucks, and it will very likely cause some of them to never come to you again, but you owe it to them as a professional and as a person who gave their word. You would never tolerate someone who lies to you or is disrespectful, so return that same courtesy to them. BDSM and Kink is about trust, and if your clients find out about this and learn you never told them you could be compromised when you realized it, they will never trust you again. So just be honest. Again, a lot may leave, but plenty of others will respect you for being honest and hopefully stay with you.


Does that mean you need to cancel all your sessions and stop collecting tribute? No, but you should make it clear to everyone who comes to you that until you develop ways to protect your info, you can’t promise them anything.

Now, let’s consider possible countermeasures. I said before the steps you take to protect your privacy will ultimately depend on your own circumstances, so to keep things simple I’m going to provide suggestions that:


  1. Aren’t too technical so you can understand what I’m talking about.

  2. Have general guidelines under them that can serve as a baseline, regardless of where you are or what resources you have.


With those two points in mind, the first recommendation I have is that you need to severely restrict, if not outright remove, all forms of electronic communication you use for private conversations. Text messaging, email, messaging apps like Telegram, it all has to go or be restricted only to general info with no personal or incriminating information.

TLDR, you’re going to have to go Stone Age.


Why? Why can’t you just use encrypted apps for email and messaging? Again, because there is nothing that is completely secure. There are unknown backdoors and vulnerabilities in every “secure” messaging app out there. And even if the app itself is somehow completely secure, there are an endless number of other vulnerabilities on the apps on your phone or the phone itself that attackers can exploit, see Tucker Carlson.


And if they can’t get backdoor access to your phone but those communications are stored on another server? Then I’ll just get a warrant to see those messages. Again, if your “private” messages are stored on someone else’s hardware, then it’s not secure.


If you’re still having a hard time digesting this, let me give you an analogy using terms you’re familiar with. Basically, it’s like going into a dungeon, but the roles are reversed. You’re a complete amateur going up against pros who have years, in some cases decades, of experience and limitless resources. And if you try to go up against them, they’re going to humiliate you in ways you never thought possible. They’re not going to make you their bitch. You’ve been their bitch for years; they’re just going to establish that fact with you.


This is their turf, their kingdom, and as far as they’re concerned you’re just a filthy peasant shaking your fist angrily while they laugh at you from their throne. You can’t beat them at their own game; so, the only winning move is to not even play. To be clear, this doesn’t mean you can’t use electronic communications. You just have to be much more careful about what method you use, what info you share, and more realistic about how protected those communications are.


How do you do this? Well, to start, you need to do a personal assessment. What are you using electronic communication for? Is it just to establish contact with potential clients and schedule sessions, or are you doing things more explicit than that? Do you offer online sessions and humiliating tasks as part of your services? What kind of info are you exchanging? And if the messages you’re sending through texts are tied to services you offer, can you find a non-digital way to offer these services? If not, can you find a more secure way to talk to your clients, or do you need to cancel these services because you can no longer guarantee privacy?


Those are just some of the many questions you need to ask yourself. I haven’t even covered the absolute privacy and blackmail clusterfuck that financial domination (findom) represents, but don’t worry, I’ll get to that.


For now, let’s do a little bit of roleplay and pretend that I’m an experienced pro-domme who offers a wide range of services ranging from the relatively tame (spanking, tying someone up) to the extreme (crossdressing, feminization, pegging, anything involving bodily fluids, etc.). I also have my own website and use unsecured electronic messaging to talk to my clients and I have all sorts of debauchery and incriminating info on my phone. I’m also sharing erotic photos and videos from sessions, humiliating orders, and messages from subs on social media sites like X and Instagram to advertise and brag because I’m a confident bitch who doesn’t care what people think about me.

With this profile in mind, let’s make another list of points that can serve as general guidelines for the steps I (and you) should take to protect my clients’ privacy.


  1. Do a threat model by seeing how much of my personal information is out there and accessible to the public. This may seem weird to some of you, but trust me, this is something you must do. In fact, it’s the first thing you should do. I’ll cover this more later.

  2. Do an assessment of what parts of my business I can take offline, and what parts I want to or must keep digital. Once I’ve determined that, take everything I can offline and find ways to provide more security for anything that must remain digital.

  3. Purchase new hardware (laptop, phone, etc) that will be used exclusively for my business. There can be absolutely NO crossover between my business and any personal devices.

  4. Develop secure habits to minimize or eliminate exposure of my personal data. This will not only protect my privacy but my clients as well (more on this later).


!* Disclaimer: The following steps are just a detailed breakdown of the points made earlier based on what I would advise doing. What you do will obviously depend on your own circumstances and what resources you have, as well as the advice you’re given.


Okay, so with all that said, here’s a more detailed breakdown. After releasing a PSA to my clients, the next thing to do is find out how vulnerable I am and what I can do to protect myself. Since I know next to nothing about cybersecurity, I’ll reach out to experts to give me advice. I’m also going to have what’s called a penetration test (or pentest) done. Pentesting is when you have an organization conduct a simulated attack against you to find undiscovered vulnerabilities on your systems and how an attacker would exploit them. For this I’ll hire a private investigator (PI).


In this case, I’ll have two tests done. The first one is what we call a black box test: the PI will be given no personal info, just my social media handles or website. The second test will be a grey box test, where the PI is given a piece of personal info (first name, email address, a phone number). The purpose is to see what an attacker, in this case a regular person, could find out about me in real world circumstances. Trust me, you’ll be absolutely shocked at the kind of personal info that can be pulled up. Once the tests are done, I’ll see what the PI managed to find and have him explain IN DETAIL how he found it (hint, he probably just used open-source tools or websites that sell my personal info). I’ll also find cybersecurity experts who can advise me on what I should do to protect myself and my clients’ info.


Once I’ve gathered the info from the PI and consulted experts, I’ll do a thorough breakdown of my business and see what parts I can take offline and what parts will have to remain digital. For the offline stuff, I’ll want to shift things like my calendar and any personal info about my clients to something like a journal. Nobody should know what my schedule is or who I’m seeing, and the only way to make that foolproof is by going manual. So, I’ll use something like a journal to keep my schedule organized and store it in a secure location. I’ll also want to use aliases (think codewords) for my clients and their fetishes. Whatever words I choose will need to be completely random with no correlation to them. If I want to make things really secure, I’ll develop a personal pseudo-language that only I know so that if my journal is stolen it would look like complete gibberish. I may also want to consider some sort of failsafe that could destroy the journal if someone tries to steal it.

Another thing that I’ll need to take offline is payments. Cash only, FOR EVERYTHING. Most of you are probably already doing this, at least for in-person sessions, but if your subs are doing things like buying you gifts with their credit cards, or sending you things on Amazon, or, God forbid, doing something like findom and transferring money directly into your bank account, that shit needs to stop NOW. If I want to blackmail somebody, nothing would be more damning than bank statements, and for something like findom? I can’t think of anything more life ruining than people finding out I send a woman money, often hundreds or thousands of dollars, either for stupid reasons or just no reason at all other than just wanting to send a pretty girl money. It’s simping in its purest form. I’d lose my friends, family, and easily my job if something like that leaked.


So yes, cash for everything. If I’m receiving any form of payment other than cash, it can be traced: gift cards, items purchased online, and yes, cryptocurrency. I can receive gifts, but they should be paid for in cash as well and not something unique. If any of my services require an electronic form of payment, then I either need to stop offering it or give a disclaimer to any client that the payments they make can be tracked. In addition, I’d also recommend that any cash withdrawn to pay for my services should be withdrawn over an extended period in small amounts of varying quantities to hide the purpose of the withdrawals.


For the parts of my business that will still use electronic communication, I need to find security-minded alternatives that I can use (notice I didn’t say secure). For email, ideally, I would only use it to establish initial contact with potential clients; this way all the client needs to do is set up a free burner email with no personal info tied to it to contact me. If I’m interested in taking them as a client, I’ll set up a meeting at a secure physical location where they can hand me their personal info so I can vet them. Before they come, I will recommend they bring a burner phone that they paid for in cash so we have a (hopefully) more secure way to communicate; something as simple as a flip phone will do. Once I’ve got their info, I will get the phone number of their burner and tell them to expect a message from me soon. I also might give them a random code phrase to let them know it’s me.


If I decide to use email for things like offering services, then I need to be extremely careful about what info is exchanged between my clients and me. I also should look into setting up a personal email server for myself to store my emails, so they aren’t stored on someone else’s hardware. Any email service I use will need to also be well vetted. If it’s encrypted, I need to make sure the service isn’t holding my keys so even if the feds come calling they (hopefully) can’t decrypt my emails. I also need to see what info they would be able to release about me (look at the ProtonMail example from earlier) and how I can minimize exposure. The same goes for any other electronic messaging service I will use. Again, nothing is completely secure online, so I’ll do everything I can to minimize exposure and release a disclaimer that electronic communications can be compromised before offering those services.


After getting my business sorted, I’ll need to purchase new hardware exclusively for my business. I really only need a laptop; a smartphone is just a convenience, and everything I need can be run from a laptop with a little setup. Before I start setting up the laptop I’ll have the built-in camera, microphone, Bluetooth adapter (if able), and speakers all physically removed so they can’t be used to spy on me. If I need to use any of those, minus Bluetooth of course, I can buy wired external plug-in devices. I’ll also make sure the device isn’t roaming and talking to other devices nearby unless I explicitly allow it. Same thing for a phone if I feel I absolutely need one (you don’t).


I’ll also want to consider buying faraday bags for all of my devices when I’m not using them and use a Wi-Fi spectrum analyzer to ensure quality. I would also turn off any personal devices (wifi and Bluetooth enabled, unplug them if you can) I have that are in close proximity when I’m using my business devices, and put them in faraday bags as well for good measure. Again THERE CAN BE NO CROSSOVER WITH MY PERSONAL AND BUSINESS DEVICES. Ideally, I wouldn’t even let them on the same wi-fi network. And I need to make sure the devices are never on and in close proximity because if my personal devices are compromised and connected to the same wi-fi network, or they’re just roaming, they can be used to break into my business devices.


All of this will be paid for in cash and in person of course, ideally spread across multiple locations and using proxies (people I can trust) to make my purchases for me to reduce suspicion and exposure.


Finally, we have habits. This is going to be the linchpin of my entire cybersecurity posture, and it ties into everything I’ve already done. There’s no encrypted app or service that is going to protect me if I’m still running around with laptops or smartphones that have dozens of apps and hundreds of zero-day vulnerabilities on them. My biggest weakness is me, more specifically my desire for convenience, and if I don’t change how I act then any hardware or software I use is just pure theatre.


So, how do I do this? Well, for starters I’m going to take the pentest results I got from the PI I hired and see just how much of my personal info is open to the public, so I can either get that info purged or at least restricted. This probably won’t protect me from a state actor, they’ve been spying on me for years, but this will help protect me from other threat actors like corporate entities, hacktivists, script kiddies/trolls, and criminal organizations, all of whom would be very interested in knowing who me and my clients are.


Some of you are probably thinking, “well can’t I just use one of those data clearing services that go to data brokers and get my data removed?” Again, that’s nothing but pure theatre. Sure, the data broker might remove the info, but if I’m not changing my habits they’ll just buy it again during the next collection and nothing will change. The only way to keep my info safe is to not give it away at all, and any info I do have to give needs to be fake and easily disposable. Something I can drop at a moment’s notice. I’ll use the pentests and advice of the PI as a framework and start clearing every app I have. I can’t just remove them from my phone, I need to delete my account. Every online service, especially the ones that are free, is collecting and selling my data. So, I need to close my account, and if I NEED the service, reopen a new account at some point later on a new device that can’t be traced back to me. Give them a fake name, a burner email account (ideally one for each service), fake address, and a fake phone number (more on that). If I must pay for anything I’ll use a gift card that I paid for in cash and dispose of it once I’m done (don’t reload it, that opens the possibility of you being traced). Then I would use a data sanitization service to have my personal info removed from the bins of the various data brokers for me and continue to monitor to see if my real personal info leaks so I can find out how it got leaked and then take action to correct it. I’ll also want to look into submitting opt-out notices to data brokers so they no longer collect my data if it happens to leak.


Another thing I’ll need to do is make sure any photos, videos, docs, basically anything I post is cleared of metadata.


Metadata is data about data. It can include anything from your device info and your GPS coordinates to even your name (like in a Microsoft Word document), and a seasoned hacker can easily use it to ID you as if you gave them your full name. So, this obviously needs to go. You can either do it yourself or use an app/service. I’ll also need to check if content I post to any websites like Twitter is automatically stripped of metadata by the website or if I need to do that manually. This goes double for anything sent over text messaging or chat apps: any photos I’ve sent over text messaging still have metadata in them, and if there are enough of them they can be used to establish a pattern of where I am and, God forbid, where I live (hope you haven’t taken any photos in your house!). I’ll also need to advise my clients to do the same and make sure they’re purging any metadata from any photos or videos they send me.
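To make the "do it yourself" option concrete, here is an added example in Python (not part of the original post): it walks a JPEG's segments, drops the ones that carry metadata (Exif, XMP, IPTC, comments) and reports whether the Exif block held a GPS pointer. The function names and the sample file it builds are constructed for illustration.

```python
import struct

# APPn segments decoders need for correct colour. Every other APP0..APP15
# segment, plus COM, is treated as metadata and dropped.
KEEP_APP = {0xE0, 0xE2, 0xEE}  # JFIF, ICC profile, Adobe colour transform


def exif_has_gps(payload: bytes) -> bool:
    """True if an Exif APP1 payload has a GPSInfo pointer (tag 0x8825) in IFD0."""
    if not payload.startswith(b"Exif\x00\x00") or len(payload) < 14:
        return False
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for n in range(count):
        entry = tiff[ifd0 + 2 + 12 * n: ifd0 + 14 + 12 * n]
        if len(entry) == 12 and struct.unpack(endian + "H", entry[:2])[0] == 0x8825:
            return True
    return False


def strip_jpeg_metadata(data: bytes):
    """Return (clean_bytes, removed); removed lists (label, payload_size) pairs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, i = bytearray(b"\xff\xd8"), [], 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:      # fill byte before a marker
            i += 1
            continue
        if marker == 0xDA:      # start of scan: image data follows, copy the rest
            return bytes(out + data[i:]), removed
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2 or i + 2 + length > len(data):
            raise ValueError("truncated or corrupt segment")
        payload = data[i + 4:i + 2 + length]
        if marker == 0xFE or (0xE0 <= marker <= 0xEF and marker not in KEEP_APP):
            label = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            if marker == 0xE1 and exif_has_gps(payload):
                label += " Exif with GPS"
            removed.append((label, len(payload)))
        else:
            out += data[i:i + 2 + length]
        i += 2 + length
    raise ValueError("no start-of-scan marker: incomplete JPEG")


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample() -> bytes:
    """Constructed JPEG skeleton: segments are well-formed, pixels are not real."""
    tiff = b"MM" + struct.pack(">HIH", 42, 8, 1)         # TIFF header, 1 IFD0 entry
    tiff += struct.pack(">HHIII", 0x8825, 4, 1, 26, 0)   # GPSInfo pointer, no next IFD
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, b"Exif\x00\x00" + tiff)
            + _segment(0xFE, b"constructed comment")
            + _segment(0xDB, bytes(65))
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

This only covers JPEG. PNG, video and office documents store their metadata differently and need their own handling, and running the function a second time on its own output is a quick way to confirm nothing is left to remove.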


I’ll also want to look at my website and make sure the DNS data behind it can’t be tied to me. In case you’re wondering, yes, DNS registrant information can be public, and depending on how you acquired your website your name or personal info could be in the open. Thankfully, the DNS records I’ve seen don’t show that info. However, that doesn’t mean I’m safe. Even if my info is kept private, companies that I use to host my website can be compelled to release my info to law enforcement. And if the threat actor I’m facing isn’t a state actor, they could use social engineering to acquire my info by pretending to be law enforcement. This may not work depending on the security policies of the company in question, they may ask for a warrant or court order, but you’d be surprised how being confident and playing a role well can get you past hurdles. There’s a reason most hacks and breaches are done through social engineering, and with open-source tools hackers are perfectly capable of faking official documents like a court order. So I’m not safe. Again, this would be where I need to look into setting up some sort of proxy or private LLC (I’d consult a lawyer about this, they’d be able to advise you on this way better than I can).


I mentioned VOIP and fake phones earlier, so let’s cover that. You may not know this, but it is possible to purchase multiple phone numbers over VOIP. Ideally, I’ll find a privacy-focused service that I can purchase several VOIP numbers from. I’ll divide these VOIP numbers amongst my clients so that way if one number becomes compromised not all my clients will be affected. I’ll also use VOIP from a web browser to reduce my attack surface. If I wanted to be extra secure I could consider periodically rotating my numbers along with my clients and re-establishing communications over completely new numbers/burners.


Finally, I need to consider physical security. What do I mean? I mean I need to consider ways to harden and protect my place of business (and probably my personal residence too) from electronic surveillance. Part of this will depend on where my dungeon is located and whether it’s shared with others. If I own or rent it I can look into doing things like lining the building with some form of a faraday cage to prevent electronic signals from entering or leaving the building. I’ll also have a strict NO ELECTRONICS policy inside the dungeon itself. I’d also want to consider constructing an access control vestibule (also called a mantrap) where any clients will be required to turn off any electronics and place them in provided faraday bags. After that I’ll scan them with a multi-spectrum wi-fi analyzer for any devices they may have missed or have hidden (you’d be surprised how small cameras have gotten). I’ll conduct periodic scans for hidden cameras or devices that could have been placed in the dungeon without my knowledge. If I co-own a dungeon or rent it out then I’ll talk with my landlord or fellow dommes and see if they’d be okay with these security measures; if not, then I’ll need to find a new place for my dungeon.

!* Note: Physical security is also something the community at large needs to consider. If you have a BDSM club/community dungeon you frequent, then you need to take steps to harden it against electronic surveillance. Consider the steps I listed above as some possible steps you can take.


Lastly, there’s one other possibility we need to consider here. In cybersecurity, we always have to look at the worst-case scenario in risk assessments, and unfortunately, the worst-case scenario here is that you may not be able to be a pro-domme anymore. Hell, depending on the laws of where you work you could be thrown in prison. It sucks, but we must consider this possibility. Either because your subs panic and cut off contact (and their wallets), or because the country you live in isn’t exactly friendly to your profession and, once you’re no longer useful to them, you get thrown in prison.

It's something I’m sure nobody wants to consider, but I’d be doing everyone a disservice if I failed to bring up this possibility. It’s terrifying I’m sure, but I don’t want to leave you without hope. To every domme reading this, you didn’t get into this space because you wanted to follow what society told you to do. You knew what you wanted to do, and you put in the time and effort to make it happen, and that isn’t easy. It takes grit. And while the exact skill sets you’ve learned aren’t transferrable to other industries (good luck putting shibari and impact play on your job application) there are a variety of soft skills you’ve acquired that can easily help you find work in another area; or maybe you were frugal and have saved up quite a nest egg for yourself to the point where you can semi-retire. Regardless, if you’ve managed to make it as a pro-domme then you are very likely extremely disciplined, focused, determined, and you don’t give a damn what other people think about you. Those are things that few people have, and they are things you can leverage into pursuing your goals, and depending on what you want to pursue you may even have devoted clients who would gladly help you transition into a new career.


If you’re scared it’s okay, anyone would be scared in this situation. But you were probably scared when you first stepped into being a pro-domme. You’ve done it before, and you’ll do it again. Just put in the work and you’ll get there.


Conclusion


And that’s it. It took way longer than I thought (23 pages!), but I hope I’ve made a good case for my argument. And to anyone who’s not worried about being spied on, let me remind you, this is global. Every community in every city is being spied on, especially if that city is a major economic or political hub (LA, SF, NYC, Washington, London, Tokyo, etc.).

Even if you think you’re just a small-time domme and your clients are all locals who aren’t in possession of sensitive info and don’t have influential roles, that doesn’t make you safe. I’m not just thinking about someone’s current position if I’m an analyst, I’m considering where they’ll be in 5 or 10 years. That county prosecutor you’re whipping could be an influential mayor of a major city or a state AG within a decade, and intel analysts, at least the smart ones, are thinking long game. They can be patient, and if you’re offering up your personal info on a silver platter then there’s no reason they shouldn’t take it.

And let me repeat myself because it’s important. FACT CHECK EVERYTHING I SAY. I’m not an expert in this space yet, and I still have a lot to learn. So, leverage as many trusted contacts as possible and ask them if they think the case I’m making is legit and have them vet my suggestions. Again, I pray that I’m wrong about all of this, but based on my own research and consulting I’m confident that I’m right.


Also, don’t think for a moment that it isn’t possible for you to protect yourself. BDSM and pro-dommes have been around far longer than smartphones, and the pros in those days were able to make it work. Talk to them and see how they did things and see what you can incorporate into your own security practises. Also, there are several reasons I didn’t make any hardware or software recommendations. Partly because I’m not an expert, but mostly because there is no such thing as a secure software or hardware solution and, most importantly, you are going to have to be the one who implements all this. I don’t know your personal circumstances or what resources you have access to; it’s why I kept my guidelines and overall strategy as generalized as I could.


You’ll ultimately have to decide what measures you take to secure your privacy. Consult and get as many informed opinions as you can, but understand that going forward this is going to have to be something you manage yourself. You can get help, but you’re not going to be able to pawn this off to one of your subs. Like BDSM, this is a lifestyle, and you’ll have to periodically check to make sure your environment is still as secure as you can reasonably make it. There’s going to be a lot of convenience you’ll have to sacrifice, but you’re a badass, you can do it.


IMPORTANT PSA


To anyone in the community who is nervous and wants to confirm this is happening: don’t waste your time trying to get official proof of this. Unless you know somebody who may be directly involved in this and can provide official proof (like govt. documents), you’re not going to find anything. And even if you do manage to find actual proof, that has the potential to open a whole other can of worms you do not want to deal with. Just leverage contacts that you can trust and have them evaluate the feasibility of my argument, though to be honest, if you’ve read this far you probably believe what I’m saying.


Take the time you need to confirm this is happening, and immediately begin planning your countermeasures.

Lastly, there’s a lot I didn’t cover here, like the potential of actual spies in your communities or the actual number of threats you’re facing (it’s WAYYYY bigger). Mostly because I feel I’ve made my point. If there’s enough interest, maybe I’ll write a follow up.


Best of luck.
