cross-posted from: https://links.hackliberty.org/post/303031

These are the steps I take against companies who block Tor (e.g. a grocery store, bank, DNS provider… whoever you do business with who have started using Cloudflare):

  1. GDPR art.17 request to delete my email address & any other electronic means to reach me, but nothing else.
  2. Wait 30 days for them to comply.
  3. GDPR art.13 & 14 request to disclose all entities personal data was shared with + art.15 request for all my data (if I am interested) + art.17 request to erase all records. These requests are sent together along with criticisms for their lack of respect for privacy and human rights and shaming for treating humans like robots (if that’s the case).

The reason for step 1 & 2 is to neuter the data controller’s option to respond electronically so they are forced to pay postage. It’s a good idea as well because they would otherwise likely use Microsoft for email and you obviously don’t want to feed MS. It may be feasible to skip steps 1 & 2 by withdrawing consent to use the email address (untested).

A few people doing this won’t make a dent but there is a threshold by which a critical mass of requests would offset their (likely uncalculated) cost savings by arbitrarily marginalizing the Tor community. It’s a way to send a message that cannot be ignored.