OPSEC (Operational Security) is the discipline of identifying and protecting information that could be used against you. Originally a military concept, it’s now essential for journalists, activists, privacy advocates, and anyone who wants to maintain boundaries between their online and offline identities. This guide covers practical OPSEC for everyday privacy-conscious users.
Step 1: Define Your Threat Model
OPSEC without a threat model is security theater. Answer these questions honestly:
Who is your adversary?
- Advertisers and data brokers (most people)
- Stalkers or abusive individuals (requires stronger measures)
- Corporate surveillance (common for employees)
- Government surveillance (requires maximum OPSEC)
What are you protecting?
- Your home address
- Your real name linked to online activities
- Your political/religious views
- Sensitive professional communications
What are the consequences of failure?
- Job loss, doxxing, stalking, legal action?
Your threat model determines how much friction is acceptable. A journalist protecting sources has different needs than someone avoiding targeted advertising.
Step 2: Compartmentalization
The single most important OPSEC concept: never mix identities.
Identity Separation
Create distinct personas for different activities:
| Identity | Use Case | Browser Profile | Email | Payment |
|---|---|---|---|---|
| Real name | Job applications, government | Normal browser | Real email | Real card |
| Pseudonym A | Online community/forum | Separate Firefox profile | Alias email | Gift card/crypto |
| Pseudonym B | Research/sensitive topics | Tor Browser | Temp email | Cash/Monero |
Never cross-contaminate:
- Don’t log into pseudonym accounts from your real IP
- Don’t reuse usernames across identities
- Don’t reuse profile photos or writing style patterns
Browser Compartmentalization
Use Firefox Multi-Account Containers to isolate cookies per site/identity within one browser:
# Install from Firefox Add-ons store
# Create containers: Personal, Work, Shopping, Forums
# Assign sites to containers — they never share cookies
Or use separate browser profiles:
- Profile 1: Real identity (bookmarks, passwords, cookies all real-name)
- Profile 2: Pseudonymous identity
- Profile 3: Extra-sensitive (Tor Browser for maximum isolation)
Step 3: Account and Password Hygiene
Unique Passwords
Use a password manager (Bitwarden or KeePassXC) with a unique 20+ character random password for every account. This prevents credential stuffing: one breach doesn’t expose other accounts.
Username Uniqueness
Never reuse usernames across platforms. Tools like Sherlock can search for a username across hundreds of sites — if you use the same handle everywhere, your activities are trivially linkable.
python3 sherlock/sherlock.py your_username
Email Aliases
Use SimpleLogin or AnonAddy for email aliasing — every site gets a unique alias. Breach notifications tell you exactly which service leaked your data, and you can disable a specific alias without changing your real email.
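An added example (not part of the original guide): a self-audit that checks your own account inventory against the rules above, flagging usernames or email addresses reused across platforms and, more seriously, across identities. The inventory, site names and addresses are constructed, and treating handles that differ only in case or separators as the same handle is an assumption of this example.

```python
"""Self-audit of an account inventory for identity cross-contamination."""
import re
from collections import defaultdict

# Constructed sample inventory (all names, sites and addresses are made up).
ACCOUNTS = [
    {"identity": "real", "site": "jobs.example",
     "username": "jane.doe", "email": "jane@mail.example"},
    {"identity": "pseudonym_a", "site": "forum.example",
     "username": "NightHeron", "email": "a1@alias.example"},
    {"identity": "pseudonym_a", "site": "chat.example",
     "username": "night_heron", "email": "a2@alias.example"},
    {"identity": "pseudonym_b", "site": "wiki.example",
     "username": "quietfox", "email": "a1@alias.example"},
]

def normalize(handle):
    """Assumption: fold case and drop separators, so 'night_heron' == 'NightHeron'."""
    return re.sub(r"[^a-z0-9]", "", handle.casefold())

def audit(accounts):
    """Return sorted (severity, field, value, identities, sites) findings."""
    seen = defaultdict(list)  # (field, normalized value) -> accounts using it
    for acct in accounts:
        seen[("username", normalize(acct["username"]))].append(acct)
        seen[("email", acct["email"].casefold())].append(acct)
    findings = []
    for (field, value), users in seen.items():
        if len(users) < 2:
            continue  # used by a single account: nothing to link
        identities = sorted({a["identity"] for a in users})
        sites = sorted(a["site"] for a in users)
        # Reuse inside one identity links platforms together; reuse across
        # identities collapses the compartments themselves.
        severity = "HIGH" if len(identities) > 1 else "MEDIUM"
        findings.append((severity, field, value, identities, sites))
    return sorted(findings)

if __name__ == "__main__":
    for severity, field, value, identities, sites in audit(ACCOUNTS):
        print(f"[{severity}] {field} '{value}' shared by {identities} on {sites}")
```

Keep the real inventory inside your password manager or an encrypted file, since the list itself links every identity you hold.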
Minimize Account Footprint
Delete accounts you no longer use. Use JustDeleteMe.com for direct deletion links.
Step 4: Network Security
VPN vs. Tor
| Tool | Use Case | Tradeoff |
|---|---|---|
| VPN | Hide activity from ISP, access geo-restricted content | Trusts VPN provider |
| Tor | High-anonymity browsing, hide activity from VPN provider | Slow, exit nodes untrusted |
| VPN over Tor | Hide VPN from entry node | Complex, niche use case |
Don’t trust free VPNs — they monetize user data.
DNS Privacy
Encrypt DNS queries to prevent ISP or network-level monitoring (see our DNS-over-TLS guide).
Mobile Security
- Enable full disk encryption on your phone (default on modern iOS/Android)
- In sensitive situations, switch to airplane mode whenever the phone is not in use
- Disable Bluetooth and WiFi when not actively using them (prevent tracking via MAC address)
- Use Signal for sensitive communications (the only secure messaging app with proper open-source auditing)
Step 5: Communication Security
Signal for Sensitive Communication
Signal provides end-to-end encryption by default, minimal metadata retention, disappearing messages, and sealed sender (hides who is communicating with whom, to some degree).
Enable Disappearing Messages for sensitive conversations:
- 1 week default for ongoing contacts
- 24 hours for highly sensitive conversations
- Note sender when messages appear
Email: Assume Compromised
Email is inherently insecure. Even ProtonMail stores metadata (who emailed whom, when). For truly sensitive communication:
- Use Signal or Matrix/Element
- If email is necessary, use PGP encryption (Thunderbird + OpenPGP)
- Consider one-time encrypted note services (PrivNote, for lower-stakes use)
Metadata is the Message
A call record showing you spoke with a lawyer, a doctor, and a journalist tells a story even without content. Use Signal, which minimizes metadata retention. Avoid SMS — carriers log all SMS metadata indefinitely.
Step 6: Physical OPSEC
Your Home Network
Your ISP knows your real name and home address. Every device on your home network traces back to your identity.
- Keep sensitive browsing on Tor or VPN
- Don’t post photos from home that show unique landmarks
- WiFi SSID doesn’t need to include your apartment number or name
Smartphone Location
Your phone is a tracking device. It knows your location continuously. For high-stakes situations:
- Leave phone at home
- Or put in Faraday bag (blocks all signals)
- Use a separate “burner” device for sensitive activities
Smart Devices
Smart speakers (Alexa, Google Home) are always-on microphones in your home. Smart TVs have built-in tracking (ACR — Automatic Content Recognition). Disconnect or avoid these for strong OPSEC.
Step 7: Ongoing Maintenance
- Audit your digital footprint quarterly: search your name, pseudonyms, and email addresses
- Monitor HaveIBeenPwned.com for breach notifications
- Review app permissions on mobile — revoke location/microphone access for apps that don’t need it
- Social media audit: Review and delete old posts that reveal location, routine, or personal information
OPSEC is a practice, not a product. Start with the threat model, apply compartmentalization, and build from there — perfect OPSEC is impossible, but dramatically reduced attack surface is achievable with consistent habits.