Operational Security

Operational Security (OPSEC) is the practice of protecting sensitive information and activities from observation, analysis, and exploitation. Originally military doctrine, now essential for journalists, activists, and anyone with something worth protecting.
Core Principle
OPSEC isn't about paranoia - it's about understanding what you're protecting, from whom, and making rational decisions about tradeoffs.
The OPSEC Mindset:
- What do I need to protect?
- Who wants to access it?
- What are they capable of?
- What's the cost of compromise?
- What protection is proportionate?
The OPSEC Process
1. Identify Critical Information
What would harm you if exposed?
- Sources: Names, contact methods, identifying details
- Methods: How you gather information
- Plans: What you're working on, when you'll publish
- Location: Where you are, where you'll be
- Associations: Who you work with, who you know
2. Analyze Threats
Who might want this information?
- Subjects of investigation: Most common threat
- Competitors: May want your story
- Governments: Surveillance capabilities vary
- Criminals: If your work threatens their interests
- Random actors: Stalkers, trolls, opportunists
3. Analyze Vulnerabilities
How might information leak?
- Digital: Metadata, tracking, interception
- Physical: Surveillance, document theft
- Human: Social engineering, loose talk
- Patterns: Predictable behavior reveals intent
4. Assess Risk
Probability x Impact = Priority
Focus protection on:
- High probability + high impact (critical)
- Low probability + high impact (worth protecting)
- High probability + low impact (nuisance)
5. Apply Countermeasures
Match protection to threat:
- Don't use military-grade encryption for grocery lists
- Don't use plaintext for source communications
- Do be consistent once you've decided
Digital OPSEC
Communication
| Sensitivity | Tool | Rationale |
|---|---|---|
| High | Signal (disappearing messages) | E2E encrypted by default and the server retains almost no metadata; still tied to a phone number, and offers nothing once a device is compromised |
| Medium | Encrypted email (ProtonMail) | Mailbox encrypted at rest, but end-to-end only between Proton users or with PGP; subject lines and sender/recipient metadata remain visible to the provider |
| Low | Regular channels | Unnecessary protection draws attention |
Golden rule: Assume any unencrypted digital communication is permanent and readable.
Devices
- Compartmentalization: Separate devices for separate activities
- Full disk encryption: Always, everywhere. It protects data at rest only; a device that is powered on and unlocked is exposed, so shut down (not sleep) before travel or before leaving it
- Strong passwords: Unique, complex, managed
- Updates: Security patches immediately
- Physical security: Don't leave devices unattended
Metadata
Content isn't everything. Metadata reveals:
- Who you communicate with
- When and how often
- Where you are
- What devices you use
Strip metadata from shared files: EXIF in photos carries GPS coordinates, timestamps and camera serial numbers; office documents carry author names and revision history; PDFs record the creating tool and account. Be aware of what your patterns reveal.
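In practice metadata is stripped with a purpose-built tool (ExifTool's `exiftool -all= file.jpg`, or mat2). To show what such a tool actually does to a photo, here is an added example that is not part of the original page: it walks the segment structure of a JPEG and drops the APPn and COM segments that carry Exif (GPS, timestamps, serial numbers), XMP, IPTC and free-text comments, keeping only the segments a decoder needs. The sample bytes are constructed with stub table and frame segments and are not a decodable image; the Exif payload is a placeholder string, not a real TIFF structure.

```python
import struct

# JPEG marker codes (the byte following 0xFF) relevant to metadata stripping
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP14 = 0xE0, 0xEE
# APP0 (JFIF) and APP14 (Adobe colour transform) influence decoding, so they are
# kept; every other APPn (Exif, XMP, ICC, IPTC, Photoshop ...) and COM is dropped.
KEEP_APP = {APP0, APP14}

NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS",
         0xD9: "EOI", 0xE0: "APP0/JFIF", 0xE1: "APP1/Exif-XMP", 0xE2: "APP2/ICC",
         0xEE: "APP14/Adobe", 0xFE: "COM"}


def _scan_end(data: bytes, pos: int) -> int:
    """Offset of the first real marker after entropy-coded scan data.
    Inside scan data 0xFF is always followed by 0x00 (byte stuffing) or by an
    RSTn marker (0xD0-0xD7); anything else begins the next segment."""
    while pos < len(data) - 1:
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment after SOI. For SOS the span
    includes the scan data following its header. Stops at EOI, so bytes appended
    after the image (a common hiding place) are never yielded."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        start = pos
        while pos + 1 < n and data[pos + 1] == 0xFF:   # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            yield marker, start, pos
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:    # standalone markers: no length field
            yield marker, start, pos
            continue
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        end = pos + seglen
        if marker == SOS:
            end = _scan_end(data, end)
        yield marker, start, end
        pos = end
    raise ValueError("truncated JPEG: no EOI marker")


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file keeping only segments a decoder needs; scan data is copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker == COM or (0xE0 <= marker <= 0xEF and marker not in KEEP_APP):
            continue
        out += data[start:end]
    return bytes(out)


def segment_names(data: bytes) -> list[str]:
    return [NAMES.get(m, f"0x{m:02X}") for m, _, _ in iter_segments(data)]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid JPEG framing around stub table/frame segments. It is
# not a decodable image, and the Exif payload is a placeholder, not a TIFF block.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00GPSLatitude=51.5074;Make=Canon;SerialNumber=12345")
    + _segment(0xFE, b"Shot by J. Doe, 2024-03-01")
    + _segment(0xDB, bytes(65))                                  # DQT stub
    + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")    # SOF0 stub
    + _segment(0xC4, bytes(17))                                  # DHT stub
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                        # scan data with stuffing and RST0
    + b"\xff\xd9"
    + b"hidden trailer after EOI"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", segment_names(SAMPLE_JPEG))
    print("after: ", segment_names(cleaned))
    print(f"{len(SAMPLE_JPEG)} -> {len(cleaned)} bytes; Exif present: {b'Exif' in cleaned}")
```

Two details carry over to real tooling: the pixel data is copied byte for byte, so stripping never re-encodes the image, and everything after the EOI marker is discarded, which also removes data appended behind the picture. This handles JPEG only; office documents and PDFs keep author, revision and tool metadata in their own containers, which is why a dedicated tool is the everyday choice.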
Accounts
- Unique passwords: Password manager, always
- 2FA: Hardware keys (FIDO2) for critical accounts; SMS codes can be intercepted or SIM-swapped, and one-time codes typed into a page can be phished
- Compartmentalization: Separate accounts for separate purposes
- Recovery: Secure backup of credentials
Physical OPSEC
Awareness
- Surveillance detection: Know what normal looks like
- Counter-surveillance: Vary patterns when warranted
- Meeting security: Appropriate locations, no devices
Documents
- Secure storage: Locked, encrypted backups
- Secure disposal: Shredding for paper. For data, overwriting individual files is unreliable on SSDs and journaling filesystems, so rely on full-disk encryption plus destruction of the key, or physically destroy the drive
- Need to know: Don't carry what you don't need
Travel
- Device security: Burner phones, clean laptops
- Border crossings: Know your rights, minimize exposure
- Hotel security: Physical and digital
Human OPSEC
The biggest vulnerability is usually human:
Personal Discipline
- Need to know: Don't share more than necessary
- Loose talk: Be aware of who's listening
- Social engineering: Verify requests through known channels
- Bragging: Resist the urge to discuss sensitive work
Social Dynamics
- Trust development: Slow, verified
- Compartmentalization: Different groups know different things
- Cover stories: Plausible explanations when needed
Pattern Discipline
Your patterns reveal intent:
- Suddenly visiting a location repeatedly
- Searching for specific people online
- Contacting former employees
- Requesting specific documents
Think about what your behavior pattern says.
Proportionate Response
OPSEC should match actual threat level:
| Threat Level | Appropriate Measures |
|---|---|
| Routine journalism | Basic digital hygiene, secure communication with sources |
| Sensitive investigation | Compartmentalized devices, encrypted storage, careful patterns |
| High-risk investigation | Air-gapped systems, counter-surveillance, legal preparation |
| Active threat | Physical security, professional consultation, organizational support |
Over-protection:
- Creates operational friction
- Draws attention
- Isn't sustainable
Under-protection:
- Exposes sources
- Compromises stories
- Endangers you
Common Failures
- Inconsistency: Using Signal for sources, then discussing them on a regular phone call
- Convenience: Choosing easy over secure when it matters
- Complacency: Assuming past safety predicts future safety
- Overconfidence: Believing your adversary isn't capable
- Loose talk: Discussing sensitive work in inappropriate settings
Integration
OPSEC connects to:
- Threat Modeling: Systematic risk assessment
- Source Handling: Protecting confidential sources
- PGP: Encrypted communication
- Yubikey: Hardware authentication
- Digital Security Incident Runbook: When things go wrong