OPSEC Guide

Operational Security for the Digital Age

What is OPSEC?

Operational Security (OPSEC) is a systematic process for protecting sensitive information from adversaries. Originally developed by the U.S. military during the Vietnam War, OPSEC principles are now essential for anyone seeking to maintain privacy and security in the digital world.

Core Principle

"The adversary knows what you've revealed. Assume everything public is compromised. Your security is only as strong as your weakest action."

The Five Steps of OPSEC

1. Identify Critical Information

Determine what information, if exposed, could harm you. This includes your real identity, location, daily patterns, associates, financial details, and any activity you wish to keep private.

2. Analyze Threats

Identify who might want your information and why. Threats range from hackers and corporations to governments and personal adversaries. Each has different capabilities and motivations.

3. Analyze Vulnerabilities

Find weaknesses in your current practices. How might an adversary obtain your critical information? Consider technical, physical, and social attack vectors.

4. Assess Risk

Evaluate the likelihood and impact of each vulnerability being exploited. Focus resources on high-probability, high-impact risks first.

5. Apply Countermeasures

Implement security measures to mitigate identified risks. Balance security with usability—overly complex measures may be abandoned.

Compartmentalization

Compartmentalization is the practice of separating different aspects of your life to prevent one compromise from affecting others.

Identity Separation

  • Use different usernames for different purposes
  • Maintain separate email addresses for each identity
  • Never cross-reference between identities
  • Use different writing styles if possible
  • Keep separate devices or virtual machines

Example (identity separation):
# Bad Practice - Identity Linkage
Personal Email: john.smith@gmail.com
Anonymous Username: john_s_1985
→ Easily linked by name and birth year
 
# Good Practice - Full Separation
Personal: Separate device, real identity
Anonymous: Tor + random username + new email
→ No connection between identities

Common OPSEC Mistakes

  • Username Reuse: Using the same username across platforms allows identity correlation
  • Timing Patterns: Posting at consistent times reveals your timezone and schedule
  • Writing Style: Unique phrases, spelling, and grammar can identify you (stylometry)
  • Photo Metadata: Images contain EXIF data including location and device information
  • Oversharing: Revealing personal details that can be correlated over time
  • Payment Links: Using personal payment methods for anonymous activities

Digital OPSEC Practices

Network Security

  • Use Tor or a VPN for sensitive activities
  • Never access anonymous accounts from your home IP
  • Be aware of WebRTC and DNS leaks
  • Use HTTPS everywhere

Device Security

  • Full disk encryption on all devices
  • Use separate devices or VMs for sensitive work
  • Keep software updated
  • Disable unnecessary services and radios

Account Security

  • Unique, strong passwords for every account
  • Use a password manager (offline preferred)
  • Enable 2FA with hardware keys when possible
  • Use anonymous email services for sensitive accounts

Physical OPSEC

Digital security means nothing if physical security is compromised.

  • Camera Awareness (Awareness): Know where surveillance cameras are located
  • Phone Discipline (Practice): Leave phone at home for sensitive meetings
  • Cash Usage (Practice): Use cash to avoid transaction records
  • Route Variation (Practice): Vary your routes and routines

OPSEC Mindset

Key Principles
  • Assume Compromise: Act as if your adversary is always watching
  • Minimize Exposure: Share only what's necessary
  • Verify, Then Trust: Confirm security before relying on it
  • Plan for Failure: Have contingencies when things go wrong
  • Continuous Improvement: Regularly review and update practices

Remember: OPSEC is a process, not a product. The best tools are useless without proper practices. One mistake can undo years of careful security.
