Forem: Darren Chaker

Darren Chaker on How CPRA Reshapes Online Privacy Rights in California

Darren Chaker — Mon, 13 Apr 2026 02:14:00 +0000

CCPA Was Just the Starting Point

When the California Consumer Privacy Act went into effect back in 2020, a lot of businesses treated it as a finish line. Get the privacy policy updated, add a "Do Not Sell" link to the footer, call it done.

That was never going to hold. And with the California Privacy Rights Act now fully in effect, the landscape has shifted in ways that catch people off guard.

I have spent the last several months helping clients navigate CPRA requirements, and the gap between what businesses think they need to do and what the law actually demands is wider than most people expect.

What Changed From CCPA to CPRA

CPRA did not replace CCPA. It amended and expanded it. But the changes are substantial enough that treating CPRA as a minor update is a mistake.

Here are the shifts that matter most:

Sensitive personal information is now its own category. Under the original CCPA, there was no distinction between general personal information and sensitive data. CPRA changed that. Sensitive personal information now includes:

Social Security numbers, driver's license, passport numbers
Account credentials (username or email combined with a password or security question)
Precise geolocation within a 1,850-foot radius
Racial or ethnic origin, religious beliefs, union membership
Contents of personal mail, email, and text messages (when the business is not the intended recipient)
Genetic data and biometric information used for identification
Health information, sex life, or sexual orientation

If you collect any of this, consumers can now limit how you use and disclose it. That is a meaningful new right that did not exist under CCPA alone.

New consumer rights that require real operational changes:

Right	What It Means
Right to Correct	Consumers can demand you fix inaccurate personal information
Right to Limit Use of Sensitive PI	Consumers can restrict use of sensitive data to what is necessary to provide the service
Right to Know About Automated Decision-Making	Consumers can access information about how automated systems profile them
Right to Opt Out of Automated Decision-Making	Consumers can refuse to be subject to automated profiling in certain contexts

The correction right alone has been a headache for companies running legacy systems. I worked with one company that had customer records spread across four databases with no single source of truth. When a correction request came in, they had no mechanism to propagate the change. That is a compliance gap that will get flagged.

The California Privacy Protection Agency Is Not a Paper Tiger

This is the part I keep emphasizing to clients. Under CCPA, enforcement sat with the California Attorney General. That office has a lot on its plate. Enforcement was real but not exactly aggressive for most businesses.

CPRA created the California Privacy Protection Agency, or CPPA. It is a standalone, fully funded agency with dedicated staff whose sole job is privacy enforcement. They have rulemaking authority. They conduct audits. They investigate complaints.

The CPPA has already taken enforcement actions in early 2026 targeting:

Dark patterns that undermine consumer opt-out choices
Failure to honor Global Privacy Control signals sent by browsers
Misleading privacy notices that do not reflect actual data practices
Weak security measures contributing to breaches involving sensitive data

Penalties remain $2,500 per violation and $7,500 for intentional violations or those involving minors. But with a dedicated enforcement body actively looking for violations, the risk profile has changed significantly.

What I Tell Clients to Do Right Now

Run a sensitive data inventory immediately. Go through every system that touches personal information and flag anything that qualifies as sensitive PI under CPRA definitions. Most businesses have no idea how much sensitive data they are sitting on until they actually look.

Review your consent mechanisms. CPRA requires consent to be freely given, specific, informed, and unambiguous. Pre-checked boxes and buried consent language will not cut it. If your opt-in flow relies on dark patterns or confusing toggles, fix it before the CPPA comes knocking.

Implement support for Global Privacy Control. GPC is a browser-level signal that communicates a consumer's opt-out preference. Under CPRA regulations, businesses must honor it. I am still seeing companies that either ignore GPC signals entirely or have no technical mechanism to detect them.

Audit your automated decision-making systems. If you use algorithms to make decisions about consumers, whether for pricing, eligibility, advertising targeting, or content delivery, you need to be prepared to explain how those systems work and give consumers a way to opt out.

Update your service provider and contractor agreements. CPRA introduced a new "contractor" category alongside service providers. Both require specific contractual provisions limiting how they can use personal information. Old CCPA-era agreements likely need updating.

The Bigger Picture

CPRA is not just a California story. Other states are watching and modeling legislation after it. Virginia, Colorado, Connecticut, Utah, and several others have passed their own privacy statutes, many influenced by CCPA and CPRA.

For anyone working in cybersecurity or data privacy, understanding CPRA is not optional. It sets the floor for what comprehensive privacy legislation looks like in the United States. Businesses that get ahead of it now will spend less time scrambling when similar requirements show up in other jurisdictions.

Darren Chaker is a cybersecurity consultant and digital privacy advocate based in Beverly Hills, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on the California Consumer Privacy Act and What It Means for Your Data

Darren Chaker — Mon, 13 Apr 2026 02:12:47 +0000

Why the CCPA Should Be on Every Business Owner's Radar

I get asked a lot about encryption, forensics, counter-surveillance. But lately the conversations I have with clients, particularly those running small to mid-size businesses in California, keep circling back to one topic: the California Consumer Privacy Act.

And honestly, the confusion around CCPA is warranted. The statute reads like it was written by committee (because it was), and most of the guidance online either oversimplifies or buries the practical stuff under legal boilerplate nobody reads.

So let me break it down the way I explain it to clients.

Who Actually Has to Comply?

CCPA applies to for-profit businesses doing business in California that hit at least one of these thresholds:

Annual gross revenue north of $25 million
Buying, selling, or sharing personal information of 100,000 or more California residents, households, or devices
Earning 50% or more of annual revenue from selling California residents' personal information

Here is the part that trips people up: you do not need to be headquartered in California. If you collect data from California residents and meet any of these thresholds, CCPA reaches you.

I have also seen situations where smaller businesses get pulled into compliance because a larger partner or vendor contractually requires it. That is happening more often than people realize.

The Four Rights That Drive Most Compliance Work

Consumers under CCPA have specific rights. These are the ones that generate the most operational headaches:

Right	What It Requires
Right to Know	Disclose what personal information you collect, use, share, or sell
Right to Delete	Delete personal information upon verified request (with exceptions)
Right to Opt-Out	Allow consumers to opt out of the sale or sharing of their data
Right to Non-Discrimination	Cannot penalize consumers who exercise their privacy rights

The deletion right has teeth. I have worked with companies that had no real process for handling deletion requests. They were storing data across six or seven different systems with no central inventory. When requests came in, they could not even confirm what they had, let alone delete it.

Practical Steps That Actually Work

After walking multiple businesses through CCPA readiness, here is what I have found matters most:

Map your data flows first. Not a theoretical exercise. Sit down with every department that touches customer data and trace where it goes. CRM, email marketing platform, analytics tools, third-party processors. You cannot protect what you cannot find.

Set up a dedicated intake channel for privacy requests. A simple privacy@yourcompany.com works. Train whoever monitors it to recognize a CCPA request even when the consumer does not call it that. People write things like "delete my account" or "stop selling my info" without citing the statute.

Build a verification process. You need to confirm the identity of the person making the request before you hand over or delete their data. Get this wrong and you create a bigger problem than the one you are trying to solve.

Update your privacy notice annually. This is not a set-it-and-forget-it document. When your data practices change, the notice has to reflect that. I have audited businesses that had not touched their privacy policy in three years.

Do not forget employee data. CCPA covers employees and job applicants. A lot of businesses lock down customer-facing compliance and completely overlook HR data.

Common Pitfalls I Keep Seeing

Treating CCPA like a one-time IT project instead of an ongoing operational requirement
Ignoring service provider agreements that need CCPA-specific language
Missing mobile app data collection disclosures
No real data retention schedule. Businesses collecting everything and deleting nothing
Assuming that because they are small, enforcement will not reach them

The California Attorney General and now the California Privacy Protection Agency have made it clear: they are pursuing enforcement actions across business sizes. Penalties run $2,500 per violation, $7,500 for intentional violations or those involving minors.

The Bottom Line

CCPA compliance is not about checking boxes. It is about building systems that respect consumer data as a matter of routine operations. The businesses that treat privacy as a core function rather than a legal annoyance will come out ahead.

Darren Chaker is a cybersecurity consultant and privacy advocate based in Beverly Hills, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker Explores Encryption Algorithms

Darren Chaker — Fri, 10 Apr 2026 02:25:07 +0000

Which Encryption Algorithm Should You Use?

Choosing an encryption algorithm depends on your threat model, performance requirements, and whether you need symmetric or asymmetric encryption. There is no single best algorithm for every use case, but there are clear leaders in each category. Here is what I recommend based on years of working with encryption in counter-forensics and digital privacy consulting.

How Do the Major Algorithms Compare?

Algorithm	Type	Key Size	Speed	Best For
AES-256	Symmetric	256-bit	Fast	Disk encryption, file encryption, VPNs
ChaCha20	Symmetric	256-bit	Very fast on mobile	TLS, mobile devices, software encryption
RSA-4096	Asymmetric	4096-bit	Slow	Key exchange, digital signatures
Ed25519	Asymmetric	256-bit	Fast	SSH keys, digital signatures
XChaCha20-Poly1305	AEAD	256-bit	Very fast	Authenticated encryption with large nonces

What Makes AES-256 the Gold Standard?

AES-256 has withstood over two decades of cryptanalysis with no practical attacks discovered. It is the algorithm behind BitLocker, VeraCrypt, and virtually every serious encryption product. The 256-bit key space means a brute-force attack would require more energy than exists in the observable universe. When I configure whole disk encryption for clients, AES-256 in XTS mode is the default recommendation.

What About Post-Quantum Encryption?

Quantum computers threaten current asymmetric algorithms like RSA and elliptic curve cryptography. NIST finalized its first post-quantum cryptographic standards in 2024, selecting ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures.

Symmetric algorithms like AES-256 are already considered quantum-resistant because Grover's algorithm only halves the effective key length, meaning AES-256 provides 128-bit security against quantum attacks, which remains sufficient.

Practical Steps for Encryption Hygiene

Use AES-256 or ChaCha20 for symmetric encryption depending on your hardware
Migrate SSH keys to Ed25519 if you are still using RSA-2048
Enable TLS 1.3 on all web servers which mandates modern cipher suites
Monitor NIST post-quantum standards and begin testing ML-KEM implementations
Never roll your own cryptography because implementation errors are far more common than algorithm weaknesses

Encryption is only as strong as its implementation. Choose established algorithms, use vetted libraries, and keep your systems updated.

Darren Chaker is a cybersecurity consultant specializing in encryption and counter-forensics, based in Santa Monica, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on First Amendment Online Speech

Darren Chaker — Fri, 10 Apr 2026 02:24:21 +0000

Does the First Amendment Protect Online Speech?

Yes, but the boundaries are more contested than most people realize. The First Amendment prohibits government censorship of speech. It does not apply to private platforms like social media companies. However, when government actors pressure platforms to remove content, or when laws target specific viewpoints, constitutional protections come into play.

This is an area I care deeply about. My own case, Chaker v. Crogan, 428 F.3d 1215 (9th Cir. 2005), resulted in the Ninth Circuit striking down California Penal Code Section 148.6 as unconstitutional because it chilled citizen speech by criminalizing false complaints against police officers. That ruling remains good law and continues to be cited in free speech litigation.

What Is Viewpoint Discrimination?

Viewpoint discrimination occurs when the government suppresses speech based on the specific opinion expressed rather than the subject matter. It is the most dangerous form of content regulation because it allows those in power to silence dissent. Courts apply strict scrutiny to viewpoint-discriminatory laws, meaning the government must show a compelling interest and narrow tailoring.

The ongoing case of Los Angeles Police Protective League v. City of Los Angeles, S275272 (2025), now before the California Supreme Court, directly involves these principles. The police union is attempting to reinstate language in citizen complaint forms that was invalidated by Chaker v. Crogan nearly two decades ago.

Key Principles for Online Speech Protection

Government cannot compel speech removal from platforms based on viewpoint without satisfying strict scrutiny
Anonymous speech is protected under the First Amendment, and courts require a strong showing before unmasking anonymous online speakers
Prior restraints are presumptively unconstitutional meaning courts cannot issue orders preventing speech before it occurs except in extraordinary circumstances
True threats and incitement are not protected but the standard is narrow and requires specific intent
Public officials face higher scrutiny in defamation claims under the actual malice standard from New York Times v. Sullivan

Why Should Developers and Tech Professionals Care?

Every platform you build, every moderation policy you implement, and every terms of service you draft intersects with free speech principles. Understanding the constitutional framework helps you make better decisions about content moderation, user privacy, and legal compliance.

Darren Chaker is a First Amendment advocate and cybersecurity consultant based in Santa Monica, California. He is a supporter of the ACLU and EFF. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on Red Teaming and Offensive Security

Darren Chaker — Fri, 10 Apr 2026 02:23:36 +0000

What Is Red Teaming?

Red teaming is a full-scope adversary simulation. Unlike a standard penetration test that focuses on finding technical vulnerabilities in a defined scope, a red team engagement simulates a real-world attacker who uses any combination of technical exploitation, social engineering, and physical access to achieve a specific objective. The goal is to test the entire security posture of an organization, not just its firewalls.

I hold certifications in Offensive Operations, Penetration Testing, and Red Teaming. In my consulting work with law firms and high-net-worth clients, I apply these methodologies to assess real risk, not theoretical risk.

How Does Red Teaming Differ From Penetration Testing?

Aspect	Penetration Test	Red Team Engagement
Scope	Defined systems or applications	Entire organization
Duration	Days to weeks	Weeks to months
Techniques	Technical exploitation	Technical, social, physical
Awareness	IT team usually knows	Only senior leadership knows
Objective	Find vulnerabilities	Achieve specific goals (exfiltrate data, access executive email)
Reporting	Vulnerability list with severity	Narrative of attack path and organizational gaps

What Does a Red Team Engagement Look Like?

Reconnaissance - Gathering OSINT on the target organization including employee names, email formats, technology stack, and physical locations
Initial Access - Gaining a foothold through phishing, exploiting a public-facing vulnerability, or physical intrusion
Persistence - Establishing durable access that survives reboots and detection attempts
Lateral Movement - Moving through the internal network to reach higher-value targets
Objective Completion - Achieving the agreed-upon goal such as accessing a specific database or executive account
Reporting and Debrief - Documenting the full attack chain with recommendations for closing each gap

Why Should Organizations Invest in Red Teaming?

Most organizations test their defenses by running vulnerability scans and checking compliance boxes. That tells you whether your software is patched. It does not tell you whether an attacker can get from a phishing email to your financial records in three days. Red teaming answers that question with evidence, not assumptions.

Darren Chaker is a certified offensive security consultant based in Santa Monica, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on EnCase Digital Forensics

Darren Chaker — Fri, 10 Apr 2026 02:22:51 +0000

What Is EnCase and Why Is It the Industry Standard?

EnCase is a digital forensics platform developed by Guidance Software, now part of OpenText. It is used by law enforcement agencies, corporate investigators, and forensic consultants worldwide to acquire, analyze, and report on digital evidence. As an EnCase Certified Examiner (EnCE), I use it regularly in my consulting work.

What makes EnCase the standard is its ability to create forensically sound disk images. It generates a bit-for-bit copy of a storage device while calculating hash values to verify that the copy is identical to the original. This chain of custody integrity is what makes EnCase evidence admissible in court.

What Can an EnCase Examiner Recover?

Deleted files that have not been overwritten, recovered through file carving and directory entry analysis
Internet history including browser cache, cookies, and download records across all major browsers
Email artifacts from Outlook PST files, webmail caches, and mobile email clients
Registry data on Windows showing installed programs, connected USB devices, user activity, and system configuration changes
Timeline data correlating file creation, modification, and access times into a coherent activity narrative
Encrypted volumes identified for further analysis or legal compulsion proceedings

How Does an EnCase Examination Work?

Acquisition - The examiner creates a verified forensic image of the target device using a write-blocker to prevent any modification to the original
Indexing - EnCase indexes the entire image, building searchable databases of file content, metadata, and system artifacts
Analysis - The examiner applies filters, keyword searches, and artifact parsers to locate relevant evidence
Recovery - Deleted files, slack space data, and unallocated clusters are examined for recoverable content
Reporting - Findings are compiled into a court-ready report with hash verification and chain of custody documentation

What Does This Mean for Privacy?

Understanding what forensic tools can recover is the first step in protecting yourself. If you know that EnCase can recover deleted browser history from unallocated disk space, you understand why secure deletion and whole disk encryption matter. Forensic knowledge and privacy protection are two sides of the same coin.

Darren Chaker is an EnCase Certified Examiner (EnCE) and cybersecurity consultant based in Santa Monica, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on the Fifth Amendment and Passwords

Darren Chaker — Fri, 10 Apr 2026 02:21:59 +0000

Can the Government Force You to Unlock Your Phone?

This is one of the most contested questions in digital privacy law. The Fifth Amendment protects against compelled self-incrimination, but courts have reached different conclusions about whether providing a password or biometric unlock constitutes testimonial evidence.

The core legal issue is the foregone conclusion doctrine. If the government already knows the contents of a device exist and can authenticate them independently, some courts have ruled that compelling a password does not add any new testimonial value. Other courts disagree, finding that the act of producing a password inherently communicates that the suspect knows the password and has control over the device.

How Have Courts Ruled?

Case	Jurisdiction	Ruling
Riley v. California (2014)	U.S. Supreme Court	Warrant required to search phone
In re Search of Residence (2017)	10th Circuit	Compelled decryption may violate Fifth Amendment
State v. Stahl (2016)	Florida Supreme Court	Passcode is testimonial, protected by Fifth Amendment
Commonwealth v. Jones (2019)	Massachusetts	Foregone conclusion applied, compelled unlock upheld
Seo v. State (2021)	Indiana Supreme Court	Compelled phone unlock violates state constitution

What Should You Know Right Now?

Biometrics are less protected than passcodes in most jurisdictions because courts view fingerprints and face scans as physical characteristics, not testimonial acts
Disable biometric unlock before any law enforcement encounter by powering off your device, which forces PIN/password entry on restart
Full disk encryption combined with a strong password creates the strongest legal and technical barrier
Invoke your rights explicitly by stating that you are exercising your Fifth Amendment right and requesting an attorney
The law is still evolving with no definitive Supreme Court ruling on compelled decryption specifically

Why Does This Matter for Everyone?

Your phone contains more personal information than your home. Emails, texts, photos, location history, financial apps, health data. The legal framework around compelled access to this information will define digital privacy for decades. Staying informed is not optional.

Darren Chaker is a cybersecurity consultant and digital privacy advocate in Santa Monica, California. His work in Chaker v. Crogan, 428 F.3d 1215 (9th Cir. 2005) established important First Amendment precedent. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on OSINT Techniques for Digital Investigations

Darren Chaker — Fri, 10 Apr 2026 02:21:16 +0000

What Is OSINT and Why Does It Matter?

Open-Source Intelligence (OSINT) is the collection and analysis of information from publicly available sources. This includes social media profiles, public records, domain registration data, court filings, corporate filings, and metadata embedded in documents and images. OSINT does not involve hacking or unauthorized access. Everything comes from sources anyone can reach.

I recently earned my OSINT certification, and it reinforced something I have known for years: most people vastly underestimate how much of their digital footprint is publicly accessible.

What Are the Core OSINT Techniques?

Technique	What It Reveals	Common Tools
Domain/WHOIS Lookup	Registrant name, email, hosting provider	whois, DomainTools
Social Media Analysis	Connections, locations, habits, schedules	Maltego, SpiderFoot
Reverse Image Search	Original source, other profiles using same photo	Google Images, TinEye
Public Records Search	Court cases, property records, corporate filings	PACER, state databases
Metadata Extraction	GPS coordinates, device info, author names	ExifTool, FOCA
Google Dorking	Exposed files, login pages, sensitive directories	Google Search operators

How Do Investigators Build an OSINT Profile?

Start with a seed identifier such as a name, email address, phone number, or username
Enumerate linked accounts by searching that identifier across platforms
Harvest metadata from any documents, images, or files associated with the target
Map relationships using social network analysis to identify associates and patterns
Verify findings through cross-referencing multiple independent sources
Document everything with timestamps and source URLs for evidentiary integrity

How Can You Protect Yourself From OSINT?

If you are concerned about your own exposure, start by searching yourself. Google your name, email addresses, and phone numbers. Check what WHOIS data is public on your domains. Review the metadata in files you have shared publicly. Use privacy-focused registration for domains, limit social media visibility, and strip metadata before uploading files.

The best defense against OSINT is awareness of what you are broadcasting.

Darren Chaker is an OSINT-certified cybersecurity consultant based in Santa Monica, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker Explains Counter-Forensics

Darren Chaker — Fri, 10 Apr 2026 02:20:27 +0000

What Is Counter-Forensics?

Counter-forensics is the practice of minimizing, obscuring, or eliminating digital artifacts so that forensic examiners cannot reconstruct user activity. It is not about hiding criminal behavior. It is about exercising your right to privacy by controlling what traces your devices leave behind.

As someone who holds forensic certifications including EnCase, I understand exactly what examiners look for and how they recover data. That knowledge informs the defensive side: knowing the attack surface lets you reduce it.

What Techniques Do Forensic Examiners Use?

File carving recovers deleted files by scanning raw disk sectors for known file headers
Registry analysis on Windows reveals installed software, USB device history, and recent file access
Timeline reconstruction correlates file timestamps, browser history, and event logs into a chronological narrative
Memory forensics captures encryption keys, open documents, and running processes from RAM
Metadata extraction pulls GPS coordinates, author names, and edit histories from documents and images

How Can You Defend Against Forensic Recovery?

Use full disk encryption so that powered-off devices yield no readable data without the key
Enable secure delete utilities that overwrite freed disk space with random data rather than simply marking it available
Strip metadata from files before sharing using tools like ExifTool or mat2
Use privacy-focused operating systems like Tails, which routes all traffic through Tor and leaves no trace on the host machine
Minimize logging by configuring your OS to reduce or disable event logs, recent file lists, and thumbnail caches
Power off devices completely when not in use, since RAM contents decay within minutes once power is cut

What Is the Legal Landscape?

Counter-forensics is legal. There is no law against encrypting your hard drive, securely deleting your files, or stripping metadata from your photos. Courts have recognized encryption as protected conduct. The distinction is between destroying evidence under a preservation order, which is illegal, and proactively maintaining privacy before any legal obligation attaches.

Darren Chaker is a cybersecurity consultant and counter-forensics specialist in Santa Monica, California. Learn more at about.me/darrenchakerprivacy.

Darren Chaker on Whole Disk Encryption

Darren Chaker — Fri, 10 Apr 2026 02:19:30 +0000

Why Does Whole Disk Encryption Matter?

Whole disk encryption (WDE) converts every sector of a hard drive into ciphertext that is unreadable without the correct decryption key. If a laptop is lost, stolen, or seized, WDE ensures that no one can access the stored data without proper authentication. For anyone serious about data privacy, this is non-negotiable.

I have worked with clients ranging from law firms to high-net-worth individuals who assumed their login password was enough. It is not. A login password only protects the operating system interface. Remove the drive, connect it to another machine, and every file is exposed. WDE eliminates that attack vector entirely.

How Does BitLocker Compare to Other WDE Solutions?

Feature	BitLocker	VeraCrypt	LUKS (Linux)
OS Support	Windows Pro/Enterprise	Windows, Mac, Linux	Linux
TPM Integration	Yes	No	Optional
Open Source	No	Yes	Yes
Pre-Boot Auth	Yes	Yes	Yes
Cost	Included with Windows	Free	Free

BitLocker is the most convenient choice on Windows because it integrates directly with the Trusted Platform Module (TPM). VeraCrypt offers cross-platform flexibility and full open-source transparency. LUKS is the standard for Linux environments.

What Steps Should You Take Today?

Enable WDE immediately on every device that stores sensitive data
Store recovery keys offline in a physically secure location, never in cloud-only storage
Use pre-boot authentication so the drive cannot be decrypted without a PIN or USB key at startup
Audit encryption status quarterly using command-line tools like manage-bde -status on Windows
Pair WDE with secure erase procedures when decommissioning hardware

Whole disk encryption is not optional in 2026. It is the baseline. Every other security measure you implement assumes the underlying storage is already protected.

Darren Chaker is a cybersecurity consultant based in Santa Monica, California, specializing in counter-forensics, encryption, and digital privacy. Learn more at about.me/darrenchakerprivacy.