cross-posted from: https://infosec.pub/post/9048075

I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with.

The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses.

Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously. After getting your data it generally makes sense to also file an Article 17 request to erase it and boycott that company.