We live in an age of increased surveillance and censorship. Social media is a bastion for fascism. Abusers target sex workers, queer users, and people of color and prey on them without fear. Whorephobes and bigots alike use our vulnerability to their advantage through social manipulation, doxxings, and swattings. It has never been a more dangerous time to be a marginalized person online. And our first line of defense is operations security.
“Operations security (OPSEC) is a process by which organizations assess and protect public data about themselves that could, if properly analyzed and grouped with other data by a clever adversary, reveal a bigger picture that ought to stay hidden,” CSO writes.
OPSEC is to online safety what sex education is to sex: a necessary part of modern life that is underfunded, underappreciated, and rarely discussed in an approachable way. This guide is our attempt to introduce OPSEC in an accessible way to sex workers, activists, marginalized users, and allies who may not necessarily have the tech literacy to know about these harm reduction practices.
(Please note that this is an introductory overview to digital and technical safety, and it may not provide the full protection you need in your specific circumstance. For more information, see the links at the end of this article.)
Why does operations security (OPSEC) matter?
Imagine you’re a sex worker from New York at a Black Lives Matter march. While you were spraypainting a statue, an NYPD officer successfully grabbed you, stole your phone, and forced you to use your FaceID login to unlock your messages. He was able to browse through your photos and text messages in detail. Luckily, your fellow protesters came in, dearrested you, and brought you and your phone back to safety. You’re shaken from the ordeal, but the worst is over, right?
Well, no. The NYPD officer saw signs that you were engaging in full-service work in your messages. You accessed a hacked public WiFi near the march, and officers were able to grab your Twitter and Instagram account names. The NYPD was able to identify your phone and track you on the walk home. The police now have your address and enough evidence of some kind to draft up a warrant, and they’re eager to enact revenge.
But instead of immediately arresting you, they break into your WiFi connection and keep tabs on your Facebook posts, Twitter DMs, and Instagram chats. It’s a gold mine for the cops: they know that you’re not just going to multiple protests, but you played a key role in pulling down multiple racist monuments. Not just that, they also have corroborating evidence to arrest a few of your fellow full-service workers joining you for the “vandalism.”
You didn’t know the cops were spying on you. How could you? The game was rigged against you from the start.
Or, imagine you were never arrested in the first place. You advertise on an escorting website where you had to upload your ID. The escorting website has been raided by the feds, and facial recognition technologies, such as Thorn’s SPOTLIGHT, build databases off of escort ads. When the cops are going through footage, they are able to link an image of your face from the protest to your escorting ad and have access to your ID and social media accounts.
This is not a dystopian future; this is now. This is not to instill fear; this is to encourage you to protect yourself, protect your data, and to protect each other.
So, what is operations security (OPSEC)?
It’s no secret that the government can track your online activity. But surveillance is actually much more prevalent than most people think. When you visit a website, your connection leaks a ton of information about where you are located, down to your country, state, city, and even a guesstimate of your latitude and longitude. Meanwhile at work, you’re forced to use surveillance software like Cocospy, which sends your boss information on your social media posts, text messages, call logs, and more. And if that isn’t enough, predators, police officers, and right-wing fascists can easily break into your WiFi network and snoop on your web traffic with a few apps and some tech knowledge. It doesn’t take much to steal your login information.
Good OPSEC grants you protection against hacking, data theft, doxing, and surveillance. OPSEC is preventative in nature: it requires you to understand your biggest threats and the potential ways they can harm you. Identifying and conceptualizing this is called threat modeling.
There are various design philosophies for threat modeling. The Electronic Frontier Foundation’s Surveillance Self-Defense project offers a great starting model based on five key questions:
- What do I want to protect?
- Who do I want to protect it from?
- How bad are the consequences if I fail?
- How likely is it that I will need to protect it?
- How much trouble am I willing to go through to try to prevent potential consequences?
Ars Technica also offers a valuable guide to threat modeling based off these four questions:
- Who am I, and what am I doing here?
- Who or what might try to mess with me, and how?
- How much can I stand to do about it?
- Rinse and repeat.
Threat models require careful consideration about the trade-offs to different protections. If you’re an online sex worker with a popular Twitter presence, it may be incredibly difficult or outright impossible to stop using social media. However, communicating with your full-service clients over a burner phone connected to Signal may be a good option to evade police surveillance.
What is encryption?
“Encryption is a process that encodes a message or file so that it can only be read by certain people,” Search Encrypt writes. “Encryption uses an algorithm to scramble, or encrypt, data and then uses a key for the receiving party to unscramble, or decrypt, the information.”
Let’s say you want to send an encrypted message to another user. The words you type in – or the “plaintext” – is algorithmically encoded into something called “ciphertext.” Ciphertext can only be decoded with its encryption key. When you send your message, the other user receives the decryption key and converts ciphertext back to plaintext.
End-to-end encrypted messaging
Some services offer encrypted messaging where the service holds the key to your messages. This means the site can choose to decrypt your messages and read them or send your messages to law enforcement upon request. This is why the best form of encrypted messaging is end-to-end encryption.
End-to-end encryption “means that messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between,” Wired reports. “In other words, only the endpoint computers hold the cryptographic keys, and the company’s server acts as an illiterate messenger, passing along messages that it can’t itself decipher.”
Sex workers, privacy advocates, organizers, and journalists commonly rely on end-to-end encryption to respond to their threat model. Thanks to social media and smartphones, end-to-end encrypted messaging is as popular as it is accessible, and there are a number of services you can use to keep in touch with others.
Popular end-to-end encrypted messaging services include:
Among these, the following are generally considered the best for the most private and secure messaging:
- Signal – Open-source, strong pro-privacy stance, data collection minimal, zero-access encryption. Most popular
- Wire – Open-source with similarly strong pro-privacy stance, phone number not required
- Dust – Automatic 24 hour message deletion, phone number kept private after creating username, based off Signal protocol
Note that each of these platforms have their pros and cons. For example, Signal requires your phone number, which may put sex workers at risk for being identified.
In terms of email services, end-to-end encryption and zero-access encryption is preferred. The latter is a form of encryption that prevents service providers from reading your emails in plaintext while “at rest,” or sitting in your inbox.
Two popular end-to-end encrypted email services include ProtonMail and Tutanota. Both offer end-to-end encrypted communication with fellow service users, such as a ProtonMail user emailing another ProtonMail user.
Be warned that ProtonMail does not encrypt subject lines, while Tutanota does. Additionally, no email service can provide end-to-end encrypted communication if one of the recipients does not use end-to-end encryption. A ProtonMail message sent to an @aol.com account, for example, will not be encrypted in the AOL user’s inbox. Your correspondence will be encrypted at rest within your own inbox, however. For more information, read this author’s overview and review of ProtonMail.
(One workaround for this issue is PGP. Short for “Pretty Good Privacy,” this involves a sender encrypting an email with a key, and a recipient decrypting it with their own key. Mozilla Thunderbird users can easily navigate this with the Enigmail add-on.)
Hiding your internet footprint with a VPN
A virtual private network is a service that lets users connect to an off-site server to route traffic over the internet. This connection uses an encrypted tunnel to protect your privacy. This ensures your outbound and inbound web traffic alike are secure.
“When you browse the web while connected to a VPN, your computer contacts the website through the encrypted VPN connection. The VPN forwards the request for you and forwards the response from the website back through the secure connection,” Chris Hoffman writes for How-to Geek. “If you’re using a USA-based VPN to access Netflix, Netflix will see your connection as coming from within the USA.”
VPNs come with their trade-offs. Your ISP can see when you’re using a VPN, as can other websites. VPNs are much more common than in previous years, although simply using one may be enough to gain a company, police department, or state entity’s attention. Your information is in the hands of your VPN provider, and some companies are more trustworthy than others. Do your research before choosing a VPN, especially if you’re planning to engage in high risk activism work or full-service sex work.
Several popular, vetted VPN services include:
Privacy-friendly software alternatives
When corporations control the programs you use, they control access to the data you create with their platforms. There are plenty of privacy-friendly software alternatives to some of the most basic proprietary software out there, many of which open-source. Microsoft Office, for instance, has a free, open-source alternative called LibreOffice. Here is a list of alternatives to some of the most popular websites and services out there:
- Microsoft Office → LibreOffice
- Google Docs → CryptPad
- Gmail → ProtonMail or Tutanota
- Outlook → Thunderbird
- Google Chrome → Mozilla Firefox (you can add on extensions like privacy badger and HTTPS Everywhere too!)
- Google → Duck Duck Go
- Dropbox → pCloud
- Photoshop → Gimp
- Zoom → Jitsi
- GitHub → GitLab
- LastPass → KeePassXC
Additional alternatives can be found on PRISM Break.
Switch to Linux and minimize data tracking
If you’re on a Windows or MacOS computer, your data is being tracked. Microsoft and Apple are notorious for collecting an immense amount of information on its users and storing it. One of the few viable alternatives to these corporate tech giants is using Linux.
Linux is not one operating system, but a family of free open-source OSes built off of the Linux kernel. In 2020 there are many distributions (or “distros”) available built for user accessibility, and these are as easy as placing a boot disc on a flash drive and installing the OS on your computer of choice. You can erase your current OS with Linux, create a “dual boot” option that keeps your current OS, or even install Linux on an external hard drive and use your distro between devices. Many distros support drive encryption, letting users protect their entire OS and all of its contents prior to boot-up.
Look into the following Linux distros for an accessible, privacy-friendly experience:
- Debian – One of the most accessible secure distros available, relies entirely on free, open-source drivers and applications
- PureOS – Security and privacy-based Linux distro
- Linux Mint – Easy to use, similar in nature to Windows. Installation is easy, OS is highly stable, and overall a solid distro for newcomers
- Manjaro – Like Linux Mint, user-friendly design and lightweight distro perfect for switching from Windows
For more information on Linux, visit FOSS Post’s beginner’s guide to the operating system family.
This guide goes over technical solutions sex workers and activists can take to protect their data. However, the role human error plays in OPSEC cannot be understated. A trusted VPN, secure Linux distro, and end-to-end encrypted email account will not protect you if you set all of your account passwords to “password,” or if you happen to share your address on social media.
Your OPSEC’s weakest link usually comes from an outside party: a client, a fellow organizer, a family member, or a friend. Ideally, you should send this guide to your trusted comrades and suggest they begin improving their digital security too. But you must meet your social network where it’s at. If your client does not understand why they need to use ProtonMail to communicate with you, it may be easier to simply purchase a burner phone for sex work and exchange numbers on Signal.
Always do your research before using any operating system, device, phone app, or communications platform. Services such as Telegram are not quite as secure as people assume, and products like ProtonMail are not fully upfront about their encryption features. You are as safe as the products you trust, so make them earn it.
At times, you may need to sacrifice convenience for privacy by taking certain conversations offline. Not all conversations can be had safely digitally.
There is no such thing as the perfect security system. The advice activists and tech freedom advocates provide is based on what we currently know and consider best practices. New laws, leaks, and technological innovations may introduce changes to your threat model. Stay connected to your local tech activist community to know more about contemporary OPSEC guidelines.
A closing note on privilege
Tech resources are a privilege. They are gatekept by white cishet men who assume their relationship with the world is the default. This not just drives women, trans people, sex workers, and Black activists from tech spaces, it cultivates exclusion. Poor OPSEC goes all the way back to the white men who get to decide who can access tech spaces, who cannot, and what issues the community cares about.
Your ability to successfully build a new computer, buy a new laptop, or even purchase a flash drive is dictated by your race, class, gender, and sex working status, among many other factors. It is the responsibility of the privileged to lend a hand and help the marginalized protect themselves. This can be done in numerous ways – running workshops, donating devices, volunteering one-on-one tech support, funding mutual aid projects, or directly giving your money to the most marginalized among us. No matter how you do it, it’s our responsibility to make sure digital safety is accessible to everyone.
To read more from Ana Valens, click here!
EFF’s Surveillance Self-Defense Project – An in-depth overview of digital security and safety designed for new and experienced tech users alike
Attending a Protest: Surveillence Self-Defense – Digital safety guide by the EFF specifically for protesters, highly recommended
Protesting for Black Lives Matter? Follow these data privacy tips – For protesters attending Black Lives Matter marches or other events. Written by this guide’s author
How to Protest Safely in the Age of Surveillance – Additional overview for Black Lives Matter protesters
ProtonMail Review – Overview of ProtonMail, its features, and its weaknesses. Written by this guide’s author
GOP introduces bill that would give police easy access to encrypted data – Overview of a Senate bill targeting encryption. Would federally mandate “device manufacturers and service providers” to work with law enforcement in “accessing encrypted data if assistance would aid in the execution of [a] warrant”
How To Stop Instagram From Tracking Everything You Do – Overview of ways you can prevent Instagram from collecting personal data. The best option is, unfortunately, to delete Instagram from your phone