OPSEC / COMSEC
INTRODUCTION
As an activist or investigative journalist operating online, protecting your privacy and
security is crucial. The work you do often puts you at odds with governments or other powerful
entities who may want to identify you or access your data. Implementing proper Operations Security
(OpSec) and Communications Security (ComSec) helps mitigate these risks.
This guide outlines best practices and tools for staying secure, and is intended to be a general introduction.
If you are an operational activist or journalist operating in hostile environments, you should undertake more
professional and specific training.
OpSec BASICS
OpSec refers to minimising the amount of sensitive information about your activities that could be
used against you. Some basic OpSec rules:
- Compartmentalise information. Don't discuss all your plans and activities with any single contact.
- Avoid routines. Vary your schedule, routes taken, tools used etc. to make surveillance difficult.
- Don't reveal personal details unnecessarily. Be cautious when registering accounts or posting information publicly.
- Use separate devices for different activities and accounts. Don't cross-contaminate across operational devices/accounts.
- Assume you are being watched or monitored, especially when conducting sensitive activities. Act accordingly.
ComSec BASICS
ComSec involves securing communications to prevent interception or analysis. Basic rules:
- Encrypt sensitive data and messages in transit and at rest. Use end-to-end encryption (E2EE) tools like Signal or PGP.
- Use secure channels. Email is not secure. Messaging apps like Signal, Threema or Wire offer more security.
- Avoid plain language mentions of people, places, activities. Use vague terms or codewords when needed.
- Verify keys and identities when using cryptographic tools to prevent impersonation.
- Sanitise documents by removing metadata before sharing publicly. Use apps like MAT or VeraCrypt.
- Use VPNs and Tor to anonymise your internet traffic and obscure your location.
Device Security
- Keep devices updated with the latest security patches. Out-of-date software is vulnerable.
- Use strong passphrases, multi-factor authentication, and password managers to secure accounts.
- Enable full-disk encryption on all devices to protect data if devices are lost/stolen.
- Use antivirus/antimalware software and firewalls to detect and prevent hacking attempts.
- Frequently back up important data in case of device failure, loss or compromise. Store backups securely.
Social Media Precautions
- Lock down privacy settings and limit sharing of personal info on social media accounts.
- Consider using pseudonyms not linked to your real identity when appropriate.
- Beware of social engineering attempts to gain access or information via posts/messages. Verify suspicious contacts.
- Geotagging posts can reveal location. Consider disabling location services on social apps.
- Review tagged photos/posts made by others that could compromise you before sharing widely.
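The metadata-sanitising bullet under ComSec BASICS and the geotagging bullet above both come down to removing embedded metadata from a file before it leaves your device. The following is an added example, not part of the original guide, using only the Python standard library: it walks a JPEG's header segments, reports EXIF, GPS and comment blocks, and returns a copy without them. The function names and the sample bytes are constructed for illustration.

```python
import struct

STRIP = {0xE1, 0xED, 0xFE}  # APP1 (EXIF/XMP), APP13 (IPTC), COM (comment)

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before SOS (0xDA)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos] != 0xFF or length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"corrupt segment at offset {pos}")
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def has_gps(exif):
    """True if IFD0 of the EXIF TIFF block holds a GPSInfo pointer (0x8825)."""
    tiff = exif[6:]  # skip the b"Exif\0\0" identifier
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]
    return any(struct.unpack(e + "H", entries[i:i + 2])[0] == 0x8825
               for i in range(0, len(entries) - 11, 12))

def sanitise(jpeg):
    """Return (clean_bytes, findings) with the STRIP segments removed."""
    out, findings, end = bytearray(jpeg[:2]), [], 2
    for marker, start, end in segments(jpeg):  # `end` finishes at the SOS offset
        if marker not in STRIP:
            out += jpeg[start:end]
        elif jpeg[start + 4:end].startswith(b"Exif\0\0"):
            findings.append("EXIF+GPS" if has_gps(jpeg[start + 4:end]) else "EXIF")
        else:
            findings.append(f"marker 0x{marker:02X}")
    return bytes(out + jpeg[end:]), findings

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def constructed_sample():  # constructed JPEG skeleton, not a viewable image
    tiff = struct.pack("<2sHIHHHIII", b"II", 42, 8, 1, 0x8825, 4, 1, 26, 0)
    return (b"\xff\xd8" + _seg(0xE0, b"JFIF\0") + _seg(0xE1, b"Exif\0\0" + tiff)
            + _seg(0xFE, b"constructed comment") + _seg(0xDA, b"\0") + b"\x12\xff\xd9")
```

Running `sanitise()` a second time on its own output should report no findings, which is a quick check before publishing. Segments outside `STRIP` (for example an ICC colour profile) are kept by this sketch.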
Protecting Sources
When communicating with confidential sources:
- Ask sources to use E2EE tools like Signal or ProtonMail when possible.
- Avoid recording identifying details about sources in notes or on devices.
- Meet sources discreetly, varying meeting locations and times. Disable devices during meetings.
- Have sources review quotes and attributed information before publication to protect identities.
- Consider using anonymous/secure dropboxes to receive documents from sources anonymously.
Some Pro Tips
Always stop and consider privacy/anonymity before sharing images, photographs, videos, etc.
Can you be traced or identified from the location, surroundings, weather, etc. in the image?
Don’t enter into any romantic or personal relationships with anyone you meet or work with through your online activism
and absolutely never, ever, under any circumstances, agree to send nude or compromising images to anyone.
Always stop and consider before hitting send on messages and emails.
Can someone screengrab your message and use it offensively now or in the future?
Never allow anyone online to get under your skin and make you angry.
Angry people make OpSec mistakes. If you feel a situation or argument becoming heated, disengage and take a time out.
Never let down your privacy guard or your “OpSec alert”.
Never reveal your personal identity or any identifiable information, even to activist friends or associates.
Never “grandstand” or draw attention to yourself. Always try to blend into the background and travel in the shadows.
Follow quietly, don’t lead and don’t allow ego or personal validation to interfere with or overshadow the cause/s you are fighting for.
Ensure people remember your message, not your name or boasts.
A good hacker never advertises or boasts. He/she has nothing to prove to anyone and is far too clever to compile evidence
for the watching authorities/adversaries.
Don’t use social media in your personal life and don’t have any of your real identity or personal data publicly accessible online.
If you really must use personal social media, keep it completely separate and sandboxed/compartmentalised from your activism,
preferably on different devices.
Use a pseudonym for your online persona that is totally unconnected to your identity and never use the same pseudonym
on personal accounts such as Netflix etc.
With vigilance in following these OpSec and ComSec best practices,
activists and journalists can better protect their work, sources, and themselves when operating online.
Make security an everyday habit.