Operational Security (OpSec) for Activists: Protecting Yourself in a Digital Age
Information is power and your information is priceless. Operational Security, or OpSec, is the practice of protecting sensitive information and minimizing your risk of exposure. It’s not just about high-tech solutions; it’s a methodology built on developing a mindset of awareness and taking consistent, practical steps to protect yourself, your fellow activists, and your organization.
We’ve created this article as a starting point for understanding and implementing basic OpSec.
Why OpSec Matters:
- Doxing: Preventing the public release of your personal information (address, phone number, family details).
- Harassment and Threats: Minimizing your vulnerability to online and offline harassment, intimidation, and threats.
- Surveillance: Reducing the risk of being monitored.
- Legal Risks: Protecting yourself from potential legal repercussions.
- Protecting Sources and Contacts: Safeguarding the identities and information of people you work with.
- Maintaining Effectiveness: Ensuring your cause can continue uninterrupted by attacks or disruption.
Key Principles of OpSec:
- Need-to-Know: Only share information with people who absolutely need to know it. Don’t discuss sensitive topics in public or on insecure platforms.
- Compartmentalization: Divide information and tasks into separate compartments. This limits the damage if one part is compromised.
- Consistency: Consistency is king. Make OpSec a habit and a regular practice.
- Risk Assessment: Understand your specific threats and vulnerabilities. What are you trying to protect, and from whom?
- Layered Security: No single measure is foolproof; use multiple layers of protection.
Practical OpSec Steps:
Digital Security:
- Strong, Unique Passwords: Use a different, strong password for every online account. Don’t reuse passwords. We suggest using a password manager (like Bitwarden, KeePassXC, 1Password, or LastPass) to generate and store these passwords securely.
- Two-Factor Authentication (2FA): Enable 2FA on all accounts that support it. Use an authenticator app (like Google Authenticator, Authy, or Aegis) whenever possible, rather than SMS-based 2FA.
- Encrypted Messaging: Use end-to-end encrypted messaging apps like Signal or Wire for sensitive communications. Avoid texting or unencrypted email for sensitive topics.
- VPN (Virtual Private Network): Use a reputable VPN (like Mullvad, ProtonVPN, or IVPN) to encrypt your internet traffic and mask your IP address, especially when using public Wi-Fi.
- Secure Email: Consider using an encrypted email provider (like ProtonMail or Tutanota) for sensitive communications.
- Device Software Security: Keep your computer and phone’s operating systems and software up-to-date to patch security vulnerabilities. Use strong passwords or biometric locks on your phone.
- Social Media Awareness: Make your profiles private.
  - Regarding posts:
    - Don’t share personal or identifying information unless absolutely necessary.
    - Adjust your privacy settings to limit who can see your posts. Be aware that even seemingly harmless information can be pieced together to create a profile.
  - Regarding photos:
    - Before you even take a photo, go into your phone’s camera app settings and turn off location services (or geotagging). This prevents your phone from embedding the date, time, and GPS location into the photo’s metadata (EXIF data).
    - Even if you don’t actively share your location on Facebook, Instagram, or Twitter, they can still access and use the location data embedded in your photos for things like targeted ads.
    - Uploading to sites like Imgur can help, but it’s not a guaranteed solution. You might need to remove the EXIF data from your photos before uploading them to Imgur (or any other site) to ensure your location is completely private. Imgur has settings to help with this, but it’s best to be proactive.
    - If you have previously given location access to a social media platform, and have since turned off that access, the prior posts may still have location information attached.
- Phishing Awareness: Be wary of suspicious emails, links, and attachments. Don’t click on links or open attachments from unknown senders. Verify the sender’s identity before providing any information.
Social Settings:
- Pseudonyms: Use pseudonyms consistently online and in your organizing work. Don’t use your real name unless absolutely necessary.
- Loose Lips Sink Ships: Don’t discuss sensitive information in public places or with people you don’t implicitly trust.
- Trust Your Gut: If something feels wrong, it probably is. Don’t be afraid to question things or remove yourself from a situation that feels unsafe.
- Know Your Rights: Learn your rights regarding interactions with law enforcement.
Building a Culture of OpSec:
- Training: Provide OpSec training to all members of your group.
- Communication: Establish clear communication protocols.
- Regular Review: Regularly review and update your OpSec practices.
- Community Support: Build a culture of mutual support and accountability.
Conclusion:
Stay informed, stay vigilant, and stay safe. Each of these steps is part of an ongoing process. Even if you don’t follow every step, each one you take reduces risk and helps you protect yourself, your fellow activists, and your work.
