OPSEC

Staying Private Online: What Works, What Doesn't

Beltway Breaker

11 min read

Staying safe online (hereinafter OPSEC, “operational security”) is like every other sphere of information online: social media discourse about it is flooded with disinformation, exaggerations, and paranoia (some warranted, some not). We have found during our time in activist spaces that many people hear something about being “secure” or “insecure,” but don’t necessarily know what makes something more or less secure, or how secure they need to be depending on the activity. This piece for people just starting their activism will use some myths about digital security as a framework to help you ask yourself the right questions about what OPSEC posture you really need.

A key point we want to make, up front, is that OPSEC isn’t meant to make you invulnerable–the point of good OPSEC is to make you a harder target for a malicious actor, so they give up and go after someone else. They would prefer to spend as few resources as possible on surveillance, tracking, and identifying people, so if you can increase the resource burden, you become a less attractive target. When in doubt about any single activity or another–just don’t do it online. The best OPSEC is, after all, having no trail at all.

Why Trust Us?

We are trained in open-source intelligence (OSINT) and cybersecurity. OSINT is the act of using openly-available information (usually online) to produce actionable intelligence. That means we understand both “defense” and “offense,” so we are familiar with what does and doesn’t hide activity online. Working in this field has also made us aware of how to ask (and answer) questions the average internet user might not know how to approach.

Some Definitions (that don’t invoke the Oxford English Dictionary!)

These are the concepts you may be less familiar with that we cover in the rest of the article.

Data at Rest: This is data that is not going anywhere; i.e. sitting on a hard drive. A malicious actor must have access to the location (device) the data is stored in order to compromise it. Data at rest can be safe if it is encrypted, but data must also be accessible to be valuable. For example, if a hard drive is in a safe in your closet, it’s pretty much as safe as can be (but not very useful). On the other hand, data held with big data service companies like Meta and the others, you have to consider not just the possibility of a third party actor’s access to your data, but also that company’s potential visibility of your information.

Data in Transit: This is data moving from one point to another, e.g. when you download a file from the internet or send a text message. A malicious actor must be collecting information from somewhere along the path the data travels in order to compromise it, and must be able to read it (see VPN, below).

An image of two cell towers connected by lightning, simulating data transiting the two towers. A man sits in between with headphones on, representing someone listening in on the communication. Below, text reading "Data in Transit"

VPN: A “virtual private network,” which encrypts data in transit, is like putting your data in a box that says “this is going to Timbuktu,” with a smaller box inside that has your address on it, so nobody except the sender, receiver, and sending company know the actual destination. Anyone with substantial capabilities (likely only nation-state actors) may be able to see the source and destination, but likely not the content, making it a very effective and accessible OPSEC measure (trustworthy VPN sites like Proton or Mullvad will run you between $5-12/month, or so, and they often have deals that will bump that down even further).

Attack Surface: This is how vulnerable a particular asset is to malicious activity. A public google drive folder without a password hosting your credit cards, middle school journal entries, address, SSN, and your favorite ice cream flavor, that your family all over the world has the link to? Huge attack surface. A cell phone with an 8-digit PIN, face ID turned off (protecting data at rest), using Signal messenger for all messaging (protecting data in transit) that you retain positive control over at all times? Much smaller attack surface.

TOR: TOR is a privacy-focused web browser commonly used to access the "dark web,” but can be used for regular internet browsing as well. When you use TOR, you send your internet traffic to a large list of distributed TOR devices (and anyone globally can create a TOR relay, to allow TOR traffic to pass through a device they own), and TOR traffic can exit through any of those devices. This makes it very, very difficult for anyone else to see where the traffic actually came from. It is also great for protecting data in transit because it is encrypted. However, it is also very slow as a result of all of the increased security, so only use it if deemed truly necessary (we’ll get into this more below, but likely very rare).

Simple stylized block text reading "Stay safe online effectively"

What facts about you will determine your personal OPSEC posture?

First, think about your personal exposure level. Is there someone monitoring you, specifically? Are you sure? Does someone actually care enough about you to be monitoring your traffic and trying to read it? For most, probably 99% of people, this probably doesn’t apply, and you don’t have to go crazy on OPSEC. If you are getting involved with planning and organizing activities like neighborhood ICE Watches or protests/demonstrations, you’ll want a bit better OPSEC. If you know you are already the target for some state actor (have had your face scanned by ICE's new mobile app, or are very actively anti-regime online), the steps you need to take are probably outside the scope of this article, and you hopefully are already doing/have done more than the most basic of things to protect yourself.

If you’re part of an ICE Watch, or heckling speakers at white nationalist events, you might have to worry about government entities or neo-Nazi agitators. If you’re passively attending protests, and doing some community organizing, you’re probably not a priority target to the government, but may be to certain right-wing malicious actors. They’re all only getting more capable, and only broadening their potential targets, and increasingly, the right-wing malicious actors are integrating into and providing information to the government.

Second, OPSEC, like everything under capitalism, costs money. Are you willing, and able, to dish out a bunch of cash for VPNs, advanced home networking equipment, extra cell phones, and other stuff? Do you need to? OPSEC, like any security measure, will increasingly impose costs on you. Consider whether these costs are worth it for you.

Third, evaluate your attack surface, including against who you think would be most interested in your information. If you do things like set up alternate accounts for protest organizing, or have a second cell phone, while this may help security, it will also increase your attack surface - ensure that all of your new accounts and devices are sufficiently protected. Understand that using the same credit card for a personal amazon account and an organizing account is a link, and consider whether you're OK with that risk.

Malicious actors online range from governments to dudes in basements (DIBs), and have a wide range of different capabilities you want to be aware of to try and counter. DIBs are a threat to anyone with a credit card they use online, so they don’t really care about you specifically. Protecting yourself against them is more of “basic cyber hygeine” (strong passwords, don't click suspicious email links) than “good OPSEC.” Staying secure from state actors is obviously going to be more difficult - ensure basic cyber hygiene at a bare minimum, and consider that every new account, device, or individual you add to your organization increases that attack surface.

Two concentric circles, mimicking an eye. The outer circle is black with white text, the inner circle is white with read text. The text reads "Learn OPSEC"

OPSEC Myths: Debunked!

This section seeks to dispel some of the things we've heard around activist spaces regarding good OPSEC - none of these are meant to be personal attacks. No shame on anyone who has heard these things and believed them-OPSEC and online security are both complex and always changing.

My Internet Service Provider (ISP) can see my internet traffic if I don’t use a VPN.”

False! As long as you see a little shield or lock icon in the search bar of your browser (standard for all modern browsers) your data is encrypted in transit between you and the site you are visiting, and your ISP can’t see it. This is why you can pay for things online without DIBs stealing your credit card number every time. While ads for VPN services say that their service keeps your internet traffic private from your ISP, technically, your browser already does some of that by default. The difference is that a VPN provides a second layer of encryption that hides the source and destination of the data to anyone-except the VPN provider, so only use a trustworthy one (VPN providers that don't keep their own logs are considered among the better/more trustworthy for good OPSEC, but again - your needs may vary, this won't apply to most VPN users).

So, I don’t need a VPN at all?”

False! Merely visiting some sites can be suspicious, so you’ll want to use a VPN to mask that you were the one accessing a particular site. VPNs have gotten much better in terms of their impact on your connection speeds, so they probably won’t slow your browsing speeds down in most areas, if you already have decent internet service. If you’re concerned that you regularly visit sites that are suspicious, keep your VPN on more often, or all of the time.

I need to use TOR for all of my activist work, including signing up for an event on a Microsoft/Google form.”

False! Remember the difference between data at rest and data in transit. TOR protects data in transit, but is pretty slow. While using TOR isn’t necessarily suspicious, your ISP is aware of you using TOR and could flag it as potentially suspicious activity. You will probably be OK with using a regular, but secure, web browser (like Brave) 99% of the time. The second, and more important issue here, is where the data is being stored. Using TOR to put data into a Microsoft form won’t protect any of that data once its living on Microsoft servers, so TOR is both overkill and missing the point. This would be similar to driving a complicated, 90-mile route and switching cars multiple times to get to Microsoft’s headquarters 10 miles away with a big sign that has your name and contact information on it. You can go overboard on OPSEC and also do it the wrong way! This also applies to VPNs.

So I should never use a big provider’s services?”

Somewhat false. If you’re signing up for a potluck, a Google form is probably fine. If you’re signing up to protest outside of FOX News to bring attention to the ongoing genocide in Gaza, use a secure alternative. Moving a way from big, US-based providers is probably a good idea overall if you’re willing to sacrifice a little convenience.

Black text on a read background reading "Who's watching you and why?". Between the text, a cut-out of a woman's eye, evoking Orwell's 1984 big-brother surveillance.

I also use TOR to get to Google Drive, so my data is safe.”

False! Similar to the form issue – this is data at rest. Once your data is on Google’s servers, its in Googles hands. TOR and/or a VPN would only mask that you were the one who accessed that google drive. If you’re concerned about security of data on Google drive, look into non-US alternatives like Proton (Switzerland) or CryptPad (France), who put privacy first.

Google is training its AI on my phone’s notifications.”

Sort of false. This has been going around on social media, and is likely not true, beyond using it for AI summaries, something Apple is also doing, and something that will likely remain a norm, so long as the feature is enabled on your device. You should be concerned about implementing any AI or “smart” features and should have them turned off anyway, since those can be used to train AI, but at present, those are more about your Gmail inbox than your phone.

I need to hide notifications on my lock screen.”

Partly true, but depends on your situation. If you’re just attending protests and meeting up with friends, you don’t necessarily need to do this. If you’re organizing, or engaging in any higher-risk-of-confrontation behavior, this isn’t a bad idea. This prevents malicious actors from seeing the names of your friends without them having to open your phone up, which could implement them in whatever you were doing. Remember, this is most effective when combined with other measures – a strong password and ensuring your face or fingerprint ID is disabled, to ensure they can’t just force you to unlock your phone.

I need to use face paint or specific anti-camera clothing to avoid facial recognition.”

False! A cloth mask and a hat, and maybe sunglasses, are all you really need. (404 media article)

I need a really good, paid antivirus software.”

Somewhat false. In order to function, antivirus software can see everything on your device, and can slow it down noticeably; it will also find false positives. Neither Apple nor Microsoft want their products to be vulnerable to malware; for users who have good basic cyber hygiene, you’re probably safe with Windows Defender or Apple's built-in security software. If you really want, download a free antivirus once a month or so and run a scan, but anything else is overkill, unless you're frequently downloading software from questionable websites or visiting sketchy sites in general.

My location services are off, so I am not being tracked.”

False! If you have cell service, your phone is hitting cell towers constantly, which can be used to triangulate your current and previous locations. There are workarounds for this, but they’re complicated and not necessary for the average person.

OK, I turned off my phone, now it surely can’t track me.”

False! Your phone is never really off (unless you crush or melt down the silicon inside), which is one of the reasons that if you leave it in a drawer for a few weeks turned off, it will have lost some battery. The only sure-fire way to not be tracked somewhere by your phone is to leave it at home. If you’re going to an anti-fascist book club at a cafe, you can turn your phone off if you want peace of mind. If you’re planning on direct action of any kind, leave your phone on, and at home, so it looks like you never left your house.

My wearable smart devices aren’t an OPSEC concern.”

False! Your wearable devices are using a wireless protocol (usually Bluetooth) to connect to your phone. They are constantly broadcasting information about themselves in order to connect with your phone – or anyone else’s. Part of this hardware address is globally unique, meaning that address will never bee seen anywhere – aside from the device on your wrist. An ICE agent walks through a protest with a fairly simple device, and run a script to record any device that shows up; they can then correlate that device ID to different protest actions, which can put you at risk. Again – your level of risk depends on your situation, how involved you are in certain actions, and what you’re doing there.

I should get off of [insert social media platform here].”

Both true and false! These companies are all tracking you, reading your messages, training AI on your activity, or are owned by authoritarian governments with their own agendas. This applies to TikTok as well as any American service, given how American tech CEOs have bent the knee to the Trump Administration. Social media posts can be scraped by malicious actors like Palantir for surveillance, or by right-wing weirdos who want to shame people for posting about Charlie Kirk. However, the market share of these big service providers makes it impossible to ignore them as tools. If you’re organizing action, you should be keeping the high-level organizing to Signal. But, if you’re doing outreach that requires social media, it is no contest that Facebook, Instagram, and TikTok will give you the widest reach. You may want to consider separate accounts, at least, when it comes to organizing, if you’re able. Ultimately, you probably won’t be able to get everyone in your life to switch to Signal, but so long as you remain aware of what you’re sending where, and keep everything sensitive on Signal, you should be good to go.

For further info on good OPSEC measures, see the excellent work that organizations like the Electronic Frontier Foundation (EFF) and outlets like WIRED have put together (available also on our tech resources page), as a starting point.

Read more