Critical Disclaimers
- OPSEC is about behavior, not just technology - Human errors defeat the best tools
- Perfect OPSEC is impossible - Focus on improving your security posture
- Context matters - OPSEC requirements vary greatly by situation and threat model
- Legal implications vary - Some OPSEC practices may be restricted in your jurisdiction
- We do not encourage illegal activities - This information is for educational and legal protection purposes
What is OPSEC?
Operational Security (OPSEC) Definition
OPSEC is a process that identifies critical information and analyzes friendly actions attendant to military operations and other activities to:
- Identify those actions that can be observed by adversary intelligence systems
- Determine what specific information adversaries need
- Assess adversary capabilities to collect information
- Analyze vulnerabilities in your operations
- Apply countermeasures to reduce risks
In simpler terms: OPSEC is about protecting information that, if known by adversaries, could harm you or compromise your objectives.
The OPSEC Process
Five-Step OPSEC Process
1. Identify Critical Information
Questions to ask:
- What information could harm me if revealed?
- What are my most sensitive activities?
- What patterns in my behavior could be revealing?
- What information do I post publicly?
Examples: Location data, communication patterns, financial information, personal relationships
2. Analyze Threats
Consider who might want to target you:
- Government agencies and law enforcement
- Corporate competitors or employers
- Cybercriminals and hackers
- Stalkers or domestic abusers
- Social engineering attacks
Assess their capabilities: Technical skills, legal authority, resources, motivation
3. Analyze Vulnerabilities
How can adversaries access your information?
- Digital footprints and metadata
- Social media and public records
- Communication interception
- Physical surveillance
- Social engineering
- Insider threats
4. Assess Risk
Calculate risk level:
- Likelihood: How probable is the threat?
- Impact: How severe would the consequences be?
- Detection: How easily can threats be identified?
- Mitigation cost: What resources are needed for protection?
Risk = Likelihood × Impact
5. Apply Countermeasures
Implement protective measures:
- Technical solutions (encryption, VPNs, Tor)
- Behavioral changes (communication habits, timing)
- Physical security measures
- Legal protections
- Social engineering resistance
Mindset and Psychology
Security Mindset
Paranoid but Functional
Balance security with usability:
- Assume you're always being watched
- Question the security of every action
- But don't let paranoia paralyze you
- Focus on the most important threats first
Continuous Improvement
OPSEC is an ongoing process:
- Regularly review and update your threat model
- Learn from mistakes without self-blame
- Stay informed about new threats and techniques
- Practice new security measures regularly
Risk vs. Convenience
Make informed trade-offs:
- Perfect security is impossible and impractical
- Identify your "good enough" security level
- Increase security for high-risk activities
- Accept some risk for essential convenience
Digital OPSEC Fundamentals
Information Compartmentalization
The Compartmentalization Principle
Don't put all your eggs in one basket. Separate your digital life into distinct compartments so that compromise of one doesn't affect others.
Identity Separation
Create distinct digital personas:
- Legal identity: Official documents, banking, work
- Social identity: Friends, family, social media
- Research identity: Sensitive topics, activism
- Shopping identity: Online purchases, retail accounts
Never cross-contaminate: Each identity should have separate emails, passwords, and browsing habits.
Communication Channels
Use different channels for different purposes:
- Work: Company email, Slack, Teams
- Personal: Personal email, SMS, social media
- Sensitive: Signal, encrypted email, Tor
- Anonymous: Throwaway accounts, public WiFi
Device Separation
Isolate activities by device/environment:
- Work device: Only for work-related activities
- Personal device: Social media, entertainment
- Secure device: Sensitive communications
- Burner device: High-risk or temporary activities
Communication Security
Encrypt Everything
Default to encrypted communications:
- Use Signal or Element for sensitive conversations
- Enable disappearing messages for temporary topics
- Use encrypted email (PGP) for important correspondence
- Avoid SMS and unencrypted email for sensitive topics
Timing and Patterns
Avoid predictable communication patterns:
- Don't always communicate at the same times
- Vary response times to messages
- Use delayed sending for non-urgent messages
- Be aware of metadata that reveals patterns
Voice and Writing Style
Avoid identifiable communication patterns:
- Don't use distinctive phrases or slang
- Vary your writing style and vocabulary
- Be careful about specific knowledge that identifies you
- Consider using text-to-speech for voice anonymity
Network and Location OPSEC
Network Anonymity
Tor Usage
Use Tor for sensitive activities:
- Always use Tor Browser, not just a Tor proxy
- Don't log into personal accounts over Tor
- Disable JavaScript for maximum security
- Use .onion sites when available
- Be aware that Tor is slower and may be monitored
VPN Considerations
VPNs provide some protection but have limitations:
- Choose no-logs VPN providers carefully
- Pay with cryptocurrency or cash when possible
- Use different VPN servers for different activities
- Remember: VPN providers can still monitor you
- Consider VPN + Tor for high-security needs
WiFi Security
Protect your network activities:
- Always use VPN on public WiFi
- Don't auto-connect to open networks
- Use different networks for different activities
- Consider mobile data for sensitive tasks
- Be aware of WiFi tracking and fingerprinting
Location Privacy
Location is the Most Sensitive Data
Your location reveals more about you than almost any other data: where you live, work, sleep, who you visit, your daily patterns, political affiliations, religious beliefs, medical conditions, and personal relationships.
Mobile Device Location
- Turn off location services when not needed
- Use airplane mode in sensitive locations
- Leave phone at home for sensitive meetings
- Use Faraday bags to block all signals
- Consider separate phones for different activities
Transportation OPSEC
- Pay cash for public transportation
- Avoid using ride-sharing apps for sensitive trips
- Be aware of license plate readers
- Consider walking or cycling for short distances
- Use different routes to avoid pattern recognition
Physical Meetings
- Choose neutral, public locations
- Arrive and leave separately
- Don't use the same meeting places repeatedly
- Be aware of surveillance cameras
- Consider counter-surveillance techniques
Financial OPSEC
Payment Privacy
Cash Transactions
Cash provides the highest payment privacy:
- No digital trail or bank records
- No identity verification required
- Immediate transaction finality
- Works during digital surveillance
Limitations: Acceptance is increasingly rare, reporting requirements for large amounts, physical security risks
Prepaid Cards
Middle ground between cash and credit:
- Buy with cash for anonymity
- Use for online purchases
- Limit financial exposure
- Dispose of when depleted
Limitations: May require ID for activation, limited acceptance, fees
Cryptocurrency
Digital cash alternatives:
- Bitcoin: Pseudonymous, requires mixing for privacy
- Monero: Private by default, harder to trace
- Zcash: Optional privacy features
Considerations: Volatile value, limited acceptance, regulatory scrutiny, technical complexity
Banking and Financial Records
Traditional Banking
- Assume all transactions are monitored
- Use different accounts for different purposes
- Be aware of Suspicious Activity Reports (SARs)
- Understand legal reporting requirements
- Consider credit unions for better privacy
Alternative Financial Services
- Money orders for anonymous payments
- Peer-to-peer payment apps (with caution)
- Foreign exchange services
- Precious metals for long-term storage
- Barter and trade systems
Social Engineering Defense
Information Awareness
You Are Your Own Worst Enemy
Most OPSEC failures come from human error, not technical compromise. Social engineers exploit trust, authority, urgency, and fear to trick people into revealing information or taking harmful actions.
Phone Social Engineering
Common tactics:
- Impersonating authority figures (police, IT, management)
- Creating false urgency ("Your account will be closed!")
- Requesting verification of existing information
- Building rapport before making requests
Defense: Verify caller identity independently, don't provide information over the phone, hang up and call back on official numbers
Email Phishing
Common tactics:
- Fake login pages that steal credentials
- Malicious attachments or links
- Spoofed sender addresses
- Appeals to emotion (fear, greed, curiosity)
Defense: Verify sender independently, check URLs carefully, don't click suspicious links, use 2FA everywhere
Social Media Intelligence
What attackers can learn:
- Personal interests and hobbies
- Family and friend relationships
- Work information and colleagues
- Location and travel patterns
- Political and religious beliefs
Defense: Limit public information, review privacy settings, use different names/photos for sensitive accounts
Information Diet
Need-to-Know Basis
- Don't share information unless necessary
- Provide minimal information when required
- Question why information is being requested
- Use compartmentalization to limit exposure
- Train family and friends on information sharing
Cover Stories
- Prepare plausible explanations for activities
- Keep cover stories simple and consistent
- Practice responses to common questions
- Don't over-elaborate or volunteer extra details
- Remember: silence is often the best answer
High-Risk Scenarios
Protest and Activism OPSEC
Protest Surveillance
Mass surveillance at protests includes cell phone tracking (IMSI catchers), facial recognition, license plate readers, social media monitoring, and undercover officers. Plan accordingly.
Phone Considerations
Options (ranked by security):
- Leave phone at home: Maximum security
- Burner phone: Separate device with minimal data
- Faraday bag: Blocks signals while you still carry the phone
- Airplane mode: Limited protection, easy to accidentally disable
Remember: Phones can be seized, searched, and used to identify you
Physical Identity
Anonymity techniques:
- Wear common clothing without distinctive features
- Consider face coverings (where legal)
- Avoid carrying ID unless legally required
- Change appearance after events
- Use different transportation to/from events
Group Coordination
Secure communication:
- Use Signal or Briar for group chat
- Enable disappearing messages
- Don't discuss illegal activities in writing
- Use code words for sensitive topics
- Meet in person for critical planning
Journalism and Whistleblowing
Source Protection
Journalist responsibilities:
- Use SecureDrop or similar secure submission systems
- Meet sources in secure locations
- Use encrypted communications (Signal, PGP email)
- Don't store source information with story notes
- Consider using separate devices for source communication
Information Security
Data protection:
- Encrypt all devices and storage media
- Use secure operating systems (Tails, Qubes)
- Store sensitive data offline when possible
- Use secure deletion for temporary files
- Have legal support for potential subpoenas
Legal and Regulatory Considerations
Know Your Rights
Legal Disclaimer
This information is general and varies significantly by jurisdiction. Always consult with qualified legal counsel familiar with your local laws and situation.
US Constitutional Rights
Key protections:
- Fourth Amendment: Protection against unreasonable searches
- Fifth Amendment: Right against self-incrimination
- First Amendment: Freedom of speech and association
- Sixth Amendment: Right to counsel
Limitations: Border searches, national security exceptions, third-party doctrine
Digital Privacy Rights
Current legal landscape:
- Limited privacy rights for digital communications
- Third-party doctrine reduces protection for data shared with companies
- Different rules for content vs. metadata
- Rapidly evolving laws and court decisions
International Considerations
Cross-border issues:
- Data stored in other countries may have different protections
- International intelligence sharing agreements
- Varying encryption and privacy laws
- Extradition and mutual legal assistance treaties
OPSEC Tools and Techniques
Technical Tools
Operating Systems
- Tails: Amnesic live OS, routes through Tor
- Whonix: VM-based with Tor integration
- Qubes: Compartmentalized security through VMs
- Hardened Linux: Secured mainstream distributions
Encryption and Privacy
- VeraCrypt: Full disk and container encryption
- Signal: Secure messaging with perfect forward secrecy
- Tor Browser: Anonymous web browsing
- OpenPGP: Email and file encryption
Network Security
- VPN: Hide IP address and encrypt traffic
- Tor: Onion routing for anonymity
- I2P: Anonymous network layer
- Freenet: Censorship-resistant communication
Physical Security
Home Security
- Secure physical access to devices
- Use privacy screens for windows
- Secure disposal of sensitive documents
- Consider security cameras and alarms
- Be aware of smart home device surveillance
Travel Security
- Use different routes to avoid patterns
- Be aware of surveillance at borders
- Consider leaving devices at home
- Use temporary devices for international travel
- Encrypt all devices and data
OPSEC Failures and Lessons
Common OPSEC Failures
Real-World OPSEC Failures
- Reusing usernames: Same username across platforms reveals connections
- Metadata leaks: Photo geolocation data reveals locations
- Writing style analysis: Distinctive language patterns identify authors
- Timing correlation: Activity patterns link different accounts
- Social connections: Friends and contacts reveal identity
- Payment information: Credit cards and bank accounts trace back to real identity
- Device fingerprinting: Unique device characteristics allow tracking
Learning from Mistakes
Self-Assessment
- Regularly audit your digital footprint
- Try to correlate your own activities
- Look for patterns an adversary might notice
- Test your security measures periodically
- Update procedures based on new threats
Continuous Learning
- Study documented OPSEC failures
- Stay current with surveillance techniques
- Practice new security measures
- Learn from others' experiences
- Adapt to changing threat landscape
OPSEC Checklist
Daily OPSEC Practices
Daily Checklist
- ☐ Use encrypted messaging for sensitive topics
- ☐ Check privacy settings on new apps
- ☐ Vary your daily routines and timing
- ☐ Be conscious of what you share publicly
- ☐ Use VPN for sensitive internet activities
- ☐ Clear browser data regularly
- ☐ Be aware of your physical surroundings
Weekly Review
- ☐ Review and update passwords
- ☐ Audit app permissions and access
- ☐ Check for unusual account activity
- ☐ Secure delete sensitive temporary files
- ☐ Update software and security patches
- ☐ Review social media posts and privacy
- ☐ Practice emergency security procedures
Monthly Assessment
- ☐ Review and update threat model
- ☐ Test backup and recovery procedures
- ☐ Audit financial transactions and patterns
- ☐ Review communication security practices
- ☐ Update emergency contact procedures
- ☐ Research new security tools and techniques
- ☐ Practice compartmentalization discipline
Further Learning
Recommended Reading
- "The Art of Invisibility" by Kevin Mitnick
- "Little Brother" by Cory Doctorow
- EFF Surveillance Self-Defense - Comprehensive guide
- OPSEC for Everyone - Practical handbook
- Security Engineering by Ross Anderson
Practical Exercises
- Create and maintain separate online personas
- Practice using Tails for sensitive activities
- Set up and use Signal for communications
- Conduct a personal digital footprint audit
- Practice counter-surveillance techniques
Start with Small Changes
OPSEC doesn't require becoming a digital hermit. Start with small, sustainable changes to your daily habits: use Signal for sensitive conversations, vary your routines slightly, and be more conscious of what information you share. Build your security practices gradually over time.