Operational Security (OPSEC) is the practice of protecting sensitive information and activities from observation, analysis, and exploitation. Originally military doctrine, now essential for journalists, activists, and anyone with something worth protecting.

OPSEC isn't about paranoia - it's about understanding what you're protecting, from whom, and making rational decisions about tradeoffs.

The OPSEC Mindset:

• What do I need to protect?
• Who wants to access it?
• What are they capable of?
• What's the cost of compromise?
• What protection is proportionate?

What would harm you if exposed?

• Sources: Names, contact methods, identifying details
• Methods: How you gather information
• Plans: What you're working on, when you'll publish
• Location: Where you are, where you'll be
• Associations: Who you work with, who you know

Who might want this information?

• Subjects of investigation: Most common threat
• Competitors: May want your story
• Governments: Surveillance capabilities vary
• Criminals: If your work threatens their interests
• Random actors: Stalkers, trolls, opportunists

How might information leak?

• Digital: Metadata, tracking, interception
• Physical: Surveillance, document theft
• Human: Social engineering, loose talk
• Patterns: Predictable behavior reveals intent

Probability x Impact = Priority

Focus protection on:

• High probability + high impact (critical)
• Low probability + high impact (worth protecting)
• High probability + low impact (nuisance)

Match protection to threat:

• Don't use military-grade encryption for grocery lists
• Don't use plaintext for source communications
• Do be consistent once you've decided

Sensitivity	Tool	Rationale
High	Signal (disappearing messages)	E2E encryption, minimal metadata
Medium	Encrypted email (ProtonMail)	Better than Gmail, not perfect
Low	Regular channels	Unnecessary protection draws attention

Golden rule: Assume any unencrypted digital communication is permanent and readable.

• Compartmentalization: Separate devices for separate activities
• Full disk encryption: Always, everywhere
• Strong passwords: Unique, complex, managed
• Updates: Security patches immediately
• Physical security: Don't leave devices unattended

Content isn't everything. Metadata reveals:

• Who you communicate with
• When and how often
• Where you are
• What devices you use

Strip metadata from shared files. Be aware of what your patterns reveal.

• Unique passwords: Password manager, always
• 2FA: Hardware keys for critical accounts
• Compartmentalization: Separate accounts for separate purposes
• Recovery: Secure backup of credentials

• Surveillance detection: Know what normal looks like
• Counter-surveillance: Vary patterns when warranted
• Meeting security: Appropriate locations, no devices

• Secure storage: Locked, encrypted backups
• Secure disposal: Shredding, secure deletion
• Need to know: Don't carry what you don't need

• Device security: Burner phones, clean laptops
• Border crossings: Know your rights, minimize exposure
• Hotel security: Physical and digital

The biggest vulnerability is usually human:

• Need to know: Don't share more than necessary
• Loose talk: Be aware of who's listening
• Social engineering: Verify requests through known channels
• Bragging: Resist the urge to discuss sensitive work

• Trust development: Slow, verified
• Compartmentalization: Different groups know different things
• Cover stories: Plausible explanations when needed

Your patterns reveal intent:

• Suddenly visiting a location repeatedly
• Searching for specific people online
• Contacting former employees
• Requesting specific documents

Think about what your behavior pattern says.

OPSEC should match actual threat level:

Threat Level	Appropriate Measures
Routine journalism	Basic digital hygiene, secure communication with sources
Sensitive investigation	Compartmentalized devices, encrypted storage, careful patterns
High-risk investigation	Air-gapped systems, counter-surveillance, legal preparation
Active threat	Physical security, professional consultation, organizational support

Over-protection:

• Creates operational friction
• Draws attention
• Isn't sustainable

Under-protection:

• Exposes sources
• Compromises stories
• Endangers you

• Inconsistency: Using Signal for sources, then discussing them on regular phone
• Convenience: Choosing easy over secure when it matters
• Complacency: Assuming past safety predicts future safety
• Overconfidence: Believing your adversary isn't capable
• Loose talk: Discussing sensitive work in inappropriate settings

OPSEC connects to:

• Threat Modeling: Systematic risk assessment
• Source Handling: Protecting confidential sources
• PGP: Encrypted communication
• Yubikey: Hardware authentication
• Digital Security Incident Runbook: When things go wrong

• CPJ Journalist Security Guide
• EFF Surveillance Self-Defense
• Freedom of the Press Foundation

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security