“OPSEC is religion,” is a saying I repeat often. It suggests that guarding privacy and anonymity online should be considered a lifestyle choice, and as important as one’s personal spiritual convictions. While this is hyperbole, the emphasis is clear.
Operational Security (OPSEC) is the process a user takes to limit and prevent their sensitive information from being leaked or collected, either by a legitimate third party or a threat actor. It’s more than subscribing to a trustworthy virtual private network (VPN) service – though that is something I highly recommend. It’s a lifestyle centered on being informed, and practicing online behaviors that minimize your digital footprint, so data harvesters can’t scoop it up and sell it.
We are living in an era where the fight between privacy and forced transparency is a losing battle. This is because everyday users often pay no attention to the services they use or the permissions they grant to them and app developers. Likewise, they pay little heed to what those services do with customer data, and who buys it from brokers.
It’s rather overwhelming just how far the scales have been tipped in favor of data-collecting giants like Google, Facebook, and many others.
As a former black-hat hacker, I always had to be cautious about my web activities and how I used certain services. I was evading the long arm of the law, having to erase or modify event logs from the systems I compromised. I also had to outmaneuver enemy hackers who were attempting to log my IP address and follow it with an attack. But that was almost 15 years ago.
Nowadays, as a hacktivist, cybersecurity researcher, and everyday internet user, maintaining a sanitized operational space for web usage is tricky, but doable. But the threat to privacy is more acute than ever before and cybercriminals aren’t the only threat to ordinary users. The collecting and selling of private data is a reality most of us know little about, and consequently we have little control over it as long as we are using mainstream technology services.
However, for almost every mainstream service, there is a privacy-focused alternative.
Search engine alternative
The one thing we all use on a daily basis is search engines, regardless of the devices we use and how we connect to the web. DuckDuckGo and StartPage are popular privacy-centered alternatives to the Google search engine because, unlike Google, there is no user-tracking.
This means that your search queries are not connected to your identity. Neither of these search engines collect data or build profiles based on users, nor do they use algorithms designed to personalize a user’s experience or deliver personalized search results. That’s because searches are anonymous. Users’ IP addresses and other identifiers aren’t logged, which makes it harder for third parties to collect and track them.
The right way to use a VPN
Using a VPN service is great, if you use it correctly. VPNs encrypt your web traffic, and create a secure tunnel between your device and the internet, anonymizing your web activities. But what happens when your VPN server fails? When this happens your IP address is exposed, rendering the service pointless.
Most VPN service providers offer “killswitch” protection. What this means is that if your VPN server crashes or drops your connection for any reason, the app will block all incoming and outgoing traffic to and from your network, effectively insulating your IP from accidental exposure.
Having a VPN subscription is vital, especially if you use public WiFi networks. Because of the possibility of wireless attacks, these can be very unsafe to use, especially when sending sensitive information across the internet such as credentials or financial information. Aside from the potential dangers, many VPN providers allow subscribers to pay using cryptocurrencies. This is great, since anonymizing payments adds an additional protection layer to your OPSEC plan.
There’s little point in having a practice of anonymity hygiene while continuing to use Google services like Gmail, simply because they will contaminate your OPSEC lifestyle. If you do need to use Google services such as for work, they should be used on separate devices, so as not to undermine the privacy you’re trying to maintain. Just be careful not to overlap anti-privacy habits with your OPSEC lifestyle on the same devices.
I use Tutanota and ProtonMail as my alternatives to mainstream email service providers. But merely using a service advertised as offering free end-to-end encryption and privacy by design doesn’t necessarily mean these alternatives are foolproof, or that law enforcement and legislation aren’t twisting their arms to cough up user data. That is why I research alternative services, to try to find legal cases where those companies were forced by court orders to expose customer information or provide encryption keys.
Both Tutanota and ProtonMail store encrypted data on their servers. For those who wish to add an extra layer of protection, I suggest sending PGP-encrypted emails between signed recipients. In this case PGP stands for “pretty good privacy” and allows you to send and receive secure communications.
Many of us can’t resist the temptation to overshare on social media, but the blurred lines between our private and online lives can potentially lead to consequences. In this digital age, scammers have become adept at quickly identifying our connections, including family and friends, then craftily duplicating our profiles to manipulate and deceive them, ultimately aiming to steal access or money.
Due to my family's unfortunate past encounters with hackers, and because of my own online presence, I've had to adopt a cautious approach to what I post. You won’t find me tagging them in photos, and I meticulously curate the content I share, considering not only what’s in the images but also who’s featured in them.
Limiting unnecessary information is a vital practice for me, especially after the FBI managed to learn the layout of my apartment unit from my YouTube videos years ago, just before they raided me. Even though I’ve turned over a new leaf as relates to staying on the right side of the law, that experience changed my perspective.
Nowadays, as I delve into the realm of investigating threat actors, I'm always on the lookout for subtle clues and artifacts hidden within videos and images. These digital breadcrumbs can hold the key to unmasking the identity of the person behind the screen, adding a thrilling layer of intrigue to my pursuit. Years ago, I was able to unmask the identity of a cyberbully just by watching his videos.
Avoiding clickbait ad tracking
Clickbait is content that’s been specially engineered to garner the maximum number of clicks, and comes with strings attached designed to track your searches and online behaviors.
Users can combat these marketing weapons by using ad blockers such as AdBlock Plus, uBlock Origin, or AdGuard. In turn, these ad blockers can prevent most pop-ups and ad banners.
Additionally, in your browser settings, you can disable third-party cookies, which in turn can prevent websites from tracking your online lifestyle and forcing personalized ads on the sites you visit.
I use Firefox since it comes with enhanced privacy features. DuckDuckGo and Brave also provide privacy-centered browsers, available across all platforms. Moreover, in your browser settings, you can enable Do Not Track (DNT). This cues the websites you visit that you do not want to be tracked.
Private messenger wars
I can obtain your IP address from certain messaging platforms using packet-sniffing techniques. Yet, most popular end-to-end encrypted messengers like WhatsApp or Telegram, which require a phone number in order to use their platform, come with many advantages and disadvantages. Naming them all would amount to a new article; the most critical element users should undertake is research.
For instance, upon closer examination of the encryption details in Telegram, users will discover that private messages and group chats are not encrypted by default, except when private messages are initiated using the Secret Chat feature. Consequently, the use of a VPN is essential to preserving anonymity on platforms like these.
Disabling geographical tagging data
Sometimes when family members or friends send me photos, I am able to view on a map where the photo was taken, the geographical coordinates, and other EXIF (Exchangeable Image File Format) data such as the type of camera and lens used, and pretty much everything needed to build a profile of where you visited, frequently visited locations, and more. Disabling geotagging is critical to minimizing your digital footprint, and limiting what outside entities can gather about you.
Whenever I am investigating online threats, one of the first things I look for is data that can reveal geographic information. Aside from the rich investigative benefits this embedded data offers, almost all popular online social media platforms strip the EXIF data from media uploaded by users.
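To see where that location data lives in a photo you are about to share yourself, the following added example (not part of the original article) walks a JPEG's metadata segments, reports whether the EXIF block links to a GPS directory, and returns a copy with the EXIF segment removed. The function names and the sample bytes are constructed for illustration; it uses only the Python standard library.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag that links to the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each metadata segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xDA, 0xD9):  # SOS / EOI
        end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if jpeg[pos] != 0xFF or end < pos + 4 or end > len(jpeg):
            raise ValueError("malformed segment")
        yield jpeg[pos + 1], pos, end
        pos = end

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def has_gps(jpeg):
    """True if an EXIF block's first directory (IFD0) links to a GPS directory."""
    for marker, start, end in segments(jpeg):
        tiff = jpeg[start + 10:end]
        order = {b"II": "little", b"MM": "big"}.get(tiff[:2])
        if not is_exif(jpeg, marker, start) or order is None:
            continue
        ifd0 = int.from_bytes(tiff[4:8], order)             # offset of IFD0
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)  # number of 12-byte entries
        entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]      # slicing clamps bad offsets
        for i in range(0, len(entries) - 11, 12):
            if int.from_bytes(entries[i:i + 2], order) == GPS_IFD_POINTER:
                return True
    return False

def strip_exif(jpeg):
    """Return a copy with every EXIF (APP1) segment removed and the rest untouched."""
    segs = list(segments(jpeg))
    body = segs[-1][2] if segs else 2  # where the image data (SOS) starts
    kept = b"".join(jpeg[s:e] for m, s, e in segs if not is_exif(jpeg, m, s))
    return jpeg[:2] + kept + jpeg[body:]

def build_sample():  # constructed bytes for the demo, not a viewable photo
    exif = b"Exif\x00\x00" + struct.pack(">2sHI", b"MM", 42, 8)       # TIFF header
    exif += struct.pack(">HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)   # IFD0: GPS link
    exif += struct.pack(">HHHI4sI", 1, 1, 2, 2, b"N\x00\x00\x00", 0)  # GPS IFD: lat ref
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

On a real file, read it with `open(path, "rb").read()`, call `has_gps()` on the bytes, and write the result of `strip_exif()` to a new file before sending it.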
The fight for privacy and control over your own data is truly a lifestyle. Although we live in a society where we demand instant gratification and hassle-free access to services, this is how data miners catch users, monetizing clicks and selling your data to manipulate what you see.
Additionally, online threats such as adversaries, stalkers, and competitors can weaponize your failure to protect your sensitive data, gathering it as leverage. What’s ironic to me is that my choice of words doesn’t amount to scare tactics: this is my everyday life, as I am surrounded by online adversaries, both known and unknown, ever looking for digital breadcrumbs that may fall their way.
“OPSEC is religion,” is therefore the mantra I recite, to ever remind myself of its importance while living in a digital world rife with snares, traps, and pitfalls.