Operational Security and Your Digital Life
I. Definitions
Operations security (OPSEC) is a process that identifies what information can be seen by threat actors, whether that information could be weaponized, and possible mitigation actions.
Your digital life is every interaction you have, all personal identifying, financial, and health information, your preferences, your habits, and any history that can be obtained both publicly and privately that has ever been recorded or digitized.
Your digital life is a incredibly rich field for various actors to observe, record, analyze, sell, and exploit for profit, harm, or control. Some of this information you give away without thinking (social media), some you give to one party but it is shared without your knowledge to other parties (data brokers, big tech), or it is taken without your consent (criminals, governments).
II. Threats
It would be impossible to list them all but a few examples:
Mass surveillance by governments to fight crime, terrorism, civil unrest, and control the population. This is across the board blanket information on everyone that is stored for later use from feeding algorithms for social credit systems to lists of people who are threats that need to be disappeared. The only variable is how explicit the government in question is doing it.
Corporate surveillance by public and private companies for marketing, market share, or selling for profit. Your data is incredibly profitable. Entire mega companies have built their entire business model on it like Google, Meta, and various Data Brokers. This information is collected and stored. It is then used internally, sold for profit, acquired by governments, or stolen by nefarious actors.
Criminal or Nefarious Surveillance for harm, control, or profit. This is a catch all from partners in a controlling relationship, angry ex's wanting revenge, religions and groups watching their members, terrorists and cults looking for people to recruit or indoctrinate, and foreign espionage to plain old criminals who want your information to sell to other criminals, looking for blackmail opportunities, to steal your financial or social accounts, or identity theft.
III. Mitigation
To do this properly a security self audit should be performed to determine exactly what assets you have to protect, how at risk they are, ranking their priority, and specific steps that are needed to protect them. I will detail how to do this for the average person in a later post but until then we will stick to generalities.
It is impossible to to block or hide all information all the time. Not only is it impossible but it would be exhausting to even try. This is where most people interested in privacy get confused, lost, and give up the idea of privacy because the only path they see to achieve it is living in a underground faraday cage out in the woods.
The only viable path is obscurity and compartmentlizion. Compartmentation of your devices, accounts, and digital selves is wildly misunderstood and not applied properly. Done incorrectly this can be disastrous if you are too casual with something that you thought was hidden or putting a spotlight on yourself by attempting to be obscured.
IV. Tactics For Everyone
Common advice I give to everyone. I don't care what your thoughts are on privacy and security, you should be doing this.
Do not give your personal email or phone number to anyone except friends and family. This just opens you up to spam, phishing attacks, and an identifying tracer. Use a email alias service or a throw away email account to give to stores and online accounts. Get a VOIP number for that dating app or service quote. When your real number rings, recieves texts, or get a email you know it is from someone you know and trust.
Use cash locally if you can and for everything else get a virtual debit or credit card with a spending limit or fixed amount. Do you really need your entire paycheck, emergency savings, life savings tied to a single card / account? Are you really entering your real credit card or banking information into a random website to buy something? Even if it's not a scam site, how well are they protecting it while in transit or storage? You will probably get the money back in case of fraud but why feed the beast and besides it's a total hassle to get your accounts frozen, wait for reimbursement, open and change accounts. Just avoid it. For extra credit you can use visa gift cards purchased with cash to obscure your financial transactions if you choose. Every financial transaction doesn't have to be public record.
Stop using unencrypted phone calls and SMS texts. Switch to encrypted options such as Signal or SimpleX and make anyone who wants to have contact with you reach out to you on it. Even if you "have nothing to hide" there is no reason for you to broadcast every personal conversation, comment, or shared meme with Ma'bell, the government, and anyone else listening and recording. Seriously, just stop.
V. Compartmentation of Your Digital Selves
I will keep this very high level as this article has already run longer than I intended but will cover this in much greater detail in the future.
You can break down all digital activities and interactions into several broad categories or digital selves. Then build separate systems for use in each category depending on the activity and need. The trick is to preplan what activities go where. Using the wrong account on the wrong system means they are now burned. Letting the systems overlap and contaminate each other then you risk exposing anything ever done on those systems. The separation can be accomplished with multiple accounts and devices, isolated virtual machines, or operating systems that enable compartmentation such as Qubes OS or Tails.
VI. Breakdown
- Public
This is the default. This is you. Your real name, address, and details. This is unavoidable and would be weird and attract attention if you didn't have one.
Use this for any KYC activities that you have to log into such as taxes, bank accounts, utility bills, etc. Clearnet only, you have nothing to hide.
Awareness: If it has to be public then put your best foot forward. Only show them what you want them to see and make it good and boring. Blend into the crowd of normies not important enough to pay attention to.
- Private No logins to KYC services. Traffic routed through a VPN. Use of sudo anonymous account names. You are Neo, not Mr. Anderson.
Use for most social media that is not public facing. Shopping and browsing that would be embarrassing or misunderstood if made public. Encrypted to protect against criminals and looky loos. A good default if people just don't need to know.
Awareness: Do not be confused by the word private. The goal is to make it to difficult, to expensive, or just not worth the effort to determine exactly who you are and what you are doing but it's not impossible. Only use this with the knowledge that someday it might get doxxed. That potential only increases with time and frequency of use of accounts. Not to be used for anything that could be considered illegal or has the potential to get you fired or cancelled.
- Anonymous Only single use non KYC logins. Single purpose accounts and names that are burned after achieving that purpose. Traffic routed only through Tor. Encryption by default.
Use if you are a whistle blower, freedom fighter, activist, or for shady activities.
Awareness: Be very careful and deliberate with this system as to not accidentally compromise it with something that would have been better served by a different system. Rotate and clean accounts and systems often. Don't carry stuff over after a cleaning to a new system. Reusing names and handles is how people get busted.
- Nemo
Nemo doesn't exist. There is no record that they ever existed. Only amnesiac systems are even used and never a login. If files or traces are left behind they are encrypted, hidden, and have plausible deniability.
Enjoy anon, more to come.