Dependency removed: The assumption that your behaviour patterns are invisible. OPSEC protects what you do, not just what you store.
Operational security (OPSEC) is distinct from privacy. Privacy protects data. OPSEC protects behaviour - your patterns, associations, timing, and exposure. A privacy-focused person who always connects to Tor at the same time every day, from the same location, has privacy-protected content but OPSEC-exposed behaviour.
In resilience contexts, OPSEC is especially relevant for community organizers, journalists, activists, and anyone whose activities might attract unwanted attention from well-resourced adversaries.
- Separate identities per context - personal, professional, public, and anonymous identities use different devices, accounts, and communication channels
- Device segregation - one device per identity tier; no cross-contamination of accounts or data
- Pseudonymity vs. anonymity - pseudonymous identities are durable but linkable; anonymous identities have no history; knowing when to use each
- What metadata reveals - time of communication, frequency, participants, location, device type - often more revealing than content
- Metadata generated by devices - EXIF in photos, document metadata, browser fingerprinting, NTP time requests
- Exif scrubbing - ExifTool; MAT2; automatic stripping workflows before sharing images
- Timestamping and document sanitisation - removing author fields, revision history, and embedded metadata from documents
- Dedicated devices per threat model - high-value or sensitive work on a separate machine that does not also browse casually
- Air-gapped machines - physically isolated computers with no network interfaces; for the most sensitive operations
- Travel devices - minimal-footprint laptops and phones for border crossings; pre-loaded with only what is needed
- Mobile device hygiene - disabling unnecessary sensors and location services; airplane mode discipline
- Border crossing and device inspection - legal rights vary by jurisdiction; what to carry vs. leave at home; device encryption status
- Travelling with sensitive data vs. keeping it accessible remotely via encrypted access - the choice is threat-model dependent
- Minimal-footprint travel loadout - a travel phone with no personal accounts; temporary credentials; wiped on return
- Remote wipe and duress procedures - remote wipe capability; duress PIN that wipes or presents a decoy profile
- Reducing data broker exposure - opt-out tools (DeleteMe, Kanary); manual removal from major people-search sites
- Monitoring your own exposure - Google Alerts for your name; Have I Been Pwned; dark web monitoring
- Public records - what is accessible about you in public registries and how to minimize it
- Privacy - encrypting and protecting the data itself
- Security - defending your infrastructure against attackers
- Communications - secure messaging channels