In Part 1, we looked at the sensors that watch and listen—microphones, cameras, GPS, and the hidden motion detectors most parents don't know exist. We saw how every app with permission can listen in the background, how camfecting turns cameras into windows for malicious actors, and how location data builds a predictive profile of your child's entire life.
In Part 2, we tackled the data that can never be reset—biometrics. We saw how facial mapping and voice printing create permanent keys to your child's identity, and how generative AI can use that data to clone their face and voice.
It's easy to feel overwhelmed because the data collection pipelines are everywhere and the sensors are always on. The permanence of biometric data is unsettling. But you aren't powerless.
You just can't stop every data point from leaving your child's device, but you can plug the biggest holes. You can reclaim the physical layer of your child's digital life. And you can do it today, in about twenty minutes.
This is the hardware lockdown, but isn't a one-time fix. It's a habit, a mindset. A way of living in the digital world with your eyes open and your defenses up.
Knowing What You're Up Against
The first step is to know what you're up against. Every app on your child's device has requested—or been granted—permissions to access specific hardware sensors. Most of these permissions were accepted without a second thought when the app was installed.
Start by going to Settings > Privacy & Security on iOS (or Settings > Privacy > Permission Manager on Android). Tap each sensor category: Camera, Microphone, Location, Contacts, Photos, Motion & Fitness. Review which apps have access.
You'll likely see things that make you pause. Why do shopping apps want access to my microphone and my photos? Do games really need to know my location? Does a photo editor need access to my Contacts? Ask yourself what benefits you're getting from these permissions. Write down the worst offenders. You'll address them next.
The "Necessary" Filter
Now, turn off the permissions that aren't strictly necessary for the app to function. the rule of thumb is that if you cannot explain and justify why an app needs a sensor, it doesn't get access.
For the microphone, only allow access for voice calls, recording apps, or voice memos. A social media app doesn't need microphone access unless your child is actively creating video content—and even then, "While Using" is sufficient.
For the camera, only allow access for photo/video apps and video calls. A shopping app doesn't need camera access. A game doesn't need camera access.
For location, only allow maps, ride-sharing, or weather apps. And even then, set it to "While Using"—never "Always Allow."
For contacts, only allow messaging and phone apps. A game has no business reading your child's address book.
If an app refuses to function without a permission it has no legitimate need for, delete the app. There is almost always an alternative. An app that demands unnecessary sensor access is telling you something about its business model.
Cutting the Background Feed
This is my biggest permissions pet peeve, and the single most impactful change you can make.
"Always Allow" means the app can access the sensor even when the app is closed and the screen is off. It means the microphone can listen, the GPS can ping, and the camera can scan in the background, 24 hours a day.
Change every permission to one of these: "While Using the App" (the sensor is only active when the app is open and on screen) or "Ask Every Time" (the app must request permission each time it wants to access the sensor). Is it a little annoying to have to grant permission every time you open an app? Totally. But security and privacy in this day and age isn't going to be easy—and it's designed that way on purpose.
"Always Allow" is the default for many apps because it maximizes the data they can collect. Switching to "While Using" or "Ask Every Time" cuts off the background data stream immediately. The app goes from 24/7 surveillance to on-demand access only.
The Biometric Decision
In Part 2, we covered the permanence of biometric data. Now it's time to decide: Should your child use FaceID, TouchID, or a passcode?
As I discussed, biometrics are convenient and fast, but they are permanent. If the data is breached, it cannot be reset. And biometrics can be used against a sleeping or unconscious person.
Passcodes are less convenient and a bit slower. But they are changeable. If a passcode is compromised, you create a new one. A passcode can't be extracted from your child's physical characteristics.
My recommendation is to use a strong alphanumeric passcode for device unlocking. Yes, it takes an extra two seconds. Those two seconds are the cost of sovereignty. Use passcodes for high-security apps like banking and email, and disable biometric login for these apps if possible. If you choose to use biometrics for convenience on low-security apps, accept the trade-off consciously and know what you're giving up.
The Hardware Kill Switch
Software permissions can be changed and settings can be overridden by updates. Malware can bypass controls. The only 100% guarantee that a sensor is off is a physical barrier.
Buy physical sliding covers for the front and rear cameras. Slide them closed when the camera isn't be used. This is the only way to guarantee that no one—no app, no hacker, no data collection pipeline—can see through that lens.
Consider physical microphone blockers (small plugs that fit into the microphone port) for devices that support them. These create a physical disconnect between the microphone hardware and the device's audio processing.
For situations where you want to ensure the device can't transmit any data—no GPS, no cellular, no Wi-Fi—place it in a Faraday bag. These bags block all electromagnetic signals. It's extreme, but effective for travel, sensitive conversations, or periods of digital rest.
The Analog Defense: A Safe Word
This step addresses the generative AI threat we covered in Part 2. As voice cloning and real-time deepfakes become more accessible, your child needs a defense that doesn't rely on technology.
Establish a family safe word. Choose a word or phrase that only your family knows. It should be unusual and random—not a pet's name or a birthday, something a data broker couldn't guess from your child's digital footprint.
The rule is simple: If anyone calls, messages, or video chats claiming to be a family member and asks for money, personal information, or an unusual favor, your child has to ask for the safe word. If the caller doesn't know it, your child hangs up. No exceptions and no guilt.
Generative AI can clone a voice in seconds. It can puppet a face in real time. But it can't know a word that exists only in your family's offline conversations.
Making It Work for Different Brains
The hardware lockdown assumes a certain level of executive function: the ability to navigate settings menus, remember passcodes, and follow multi-step procedures. For neurodivergent children, these assumptions don't always hold.
Children with executive functioning differences may struggle with the sequential steps of a permission audit. Breaking the lockdown into smaller chunks—one sensor per day, one category per session—can prevent overwhelm and reduces the chance of abandonment.
A 12-character alphanumeric passcode is more secure than FaceID, but it's also harder to remember. If your child has working memory challenges, consider a shorter but still strong passcode (8 characters, mix of letters and numbers or even random words containing numbers connected by special characters) rather than defaulting to biometrics out of convenience. Write it down and store it securely offline—not in a notes app on the same device.
The Settings screen is visually dense—long lists, small text, nested menus. For children with sensory processing differences, this environment can be overwhelming. Consider doing the audit for them initially, then walking them through the results rather than making them navigate the interface themselves.
The principle is simple: Adapt the lockdown to the child, not the child to the lockdown. You want sovereignty, not compliance. If a particular step creates more distress than protection, modify it. A 70% lockdown that your child can sustain is better than a 100% lockdown that triggers shutdown and gets reversed.
Reclaiming Sovereignty
The hardware leak is real. Those sensors are always on. The data is permanent and the generative AI threat is growing. But you can lock it down.
By auditing permissions, banning "Always Allow," choosing passcodes over biometrics, installing physical barriers, and establishing a safe word, you're helping to reclaim your child's digital sovereignty. You're teaching them that their data belongs to them—not to the data brokers, not to the classification models, not to the machine.
This is not a one-time event. Devices update and apps request new permissions. Operating systems reset defaults. Locking down is a practice. Revisit it on the regular—at least monthly. Check for new apps and verify that old permissions haven't been silently re-enabled by an update.
The digital world is constantly evolving. But with these tools, you and your child are ready to face it with intention—not surrender. Do the lockdown today. Start by auditing permissions. It takes five minutes.