Operations Security (OPSEC): An Introductory Overview


We live in an age of increased surveillance and censorship. Social media is a bastion for fascism. Abusers target sex workers, queer users, and people of color and prey on them without fear. Whorephobes and bigots alike use our vulnerability to their advantage through social manipulation, doxxings, and swattings. It has never been a more dangerous time to be a marginalized person online. And our first line of defense is operations security.

“Operations security (OPSEC) is a process by which organizations assess and protect public data about themselves that could, if properly analyzed and grouped with other data by a clever adversary, reveal a bigger picture that ought to stay hidden,” CSO writes.

OPSEC is to online safety what sex education is to sex: a necessary part of modern life that is underfunded, underappreciated, and rarely discussed in an approachable way. This guide is our attempt to introduce OPSEC in an accessible way to sex workers, activists, marginalized users, and allies who may not necessarily have the tech literacy to know about these harm reduction practices.

(Please note that this is an introductory overview to digital and technical safety, and it may not provide the full protection you need in your specific circumstance. For more information, see the links at the end of this article.)

Why does operations security (OPSEC) matter?

Imagine you’re a sex worker from New York at a Black Lives Matter march. While you were spraypainting a statue, an NYPD officer successfully grabbed you, stole your phone, and forced you to use your FaceID login to unlock your messages. He was able to browse through your photos and text messages in detail. Luckily, your fellow protesters came in, dearrested you, and brought you and your phone back to safety. You’re shaken from the ordeal, but the worst is over, right?

Well, no. The NYPD officer saw signs that you were engaging in full-service work in your messages. You accessed a hacked public WiFi near the march, and officers were able to grab your Twitter and Instagram account names. The NYPD was able to identify your phone and track you on the walk home. The police now have your address and enough evidence of some kind to draft up a warrant, and they’re eager to enact revenge.

But instead of immediately arresting you, they break into your WiFi connection and keep tabs on your Facebook posts, Twitter DMs, and Instagram chats. It’s a gold mine for the cops: they know that you’re not just going to multiple protests, but you played a key role in pulling down multiple racist monuments. Not just that, they also have corroborating evidence to arrest a few of your fellow full-service workers joining you for the “vandalism.”

You didn’t know the cops were spying on you. How could you? The game was rigged against you from the start.

Or, imagine you were never arrested in the first place. You advertise on an escorting website where you had to upload your ID. The escorting website has been raided by the feds, and facial recognition technologies, such as Thorn’s SPOTLIGHT, build databases off of escort ads. When the cops are going through footage, they are able to link an image of your face from the protest to your escorting ad and have access to your ID and social media accounts.

This is not a dystopian future; this is now. This is not to instill fear; this is to encourage you to protect yourself, protect your data, and to protect each other.

So, what is operations security (OPSEC)?

It’s no secret that the government can track your online activity. But surveillance is actually much more prevalent than most people think. When you visit a website, your connection leaks a ton of information about where you are located, down to your country, state, city, and even a guesstimate of your latitude and longitude. Meanwhile at work, you’re forced to use surveillance software like Cocospy, which sends your boss information on your social media posts, text messages, call logs, and more. And if that isn’t enough, predators, police officers, and right-wing fascists can easily break into your WiFi network and snoop on your web traffic with a few apps and some tech knowledge. It doesn’t take much to steal your login information.

Good OPSEC grants you protection against hacking, data theft, doxing, and surveillance. OPSEC is preventative in nature: it requires you to understand your biggest threats and the potential ways they can harm you. Identifying and conceptualizing this is called threat modeling.

There are various design philosophies for threat modeling. The Electronic Frontier Foundation’s Surveillance Self-Defense project offers a great starting model based on five key questions:

  • What do I want to protect?
  • Who do I want to protect it from?
  • How bad are the consequences if I fail?
  • How likely is it that I will need to protect it?
  • How much trouble am I willing to go through to try to prevent potential consequences?

Ars Technica also offers a valuable guide to threat modeling based off these four questions:

  • Who am I, and what am I doing here?
  • Who or what might try to mess with me, and how?
  • How much can I stand to do about it?
  • Rinse and repeat.

Threat models require careful consideration about the trade-offs to different protections. If you’re an online sex worker with a popular Twitter presence, it may be incredibly difficult or outright impossible to stop using social media. However, communicating with your full-service clients over a burner phone connected to Signal may be a good option to evade police surveillance.

Data handed over to the U.S. government by Signal during a subpoena is minimal. For more information, read here.

What is encryption?

“Encryption is a process that encodes a message or file so that it can only be read by certain people,” Search Encrypt writes. “Encryption uses an algorithm to scramble, or encrypt, data and then uses a key for the receiving party to unscramble, or decrypt, the information.”

Let’s say you want to send an encrypted message to another user. The words you type in – or the “plaintext” – are algorithmically encoded into something called “ciphertext.” Ciphertext can only be decoded with its encryption key. When you send your message, the other user receives the decryption key and converts ciphertext back to plaintext.

End-to-end encrypted messaging

Some services offer encrypted messaging where the service holds the key to your messages. This means the site can choose to decrypt your messages and read them or send your messages to law enforcement upon request. This is why the best form of encrypted messaging is end-to-end encryption.

End-to-end encryption “means that messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between,” Wired reports. “In other words, only the endpoint computers hold the cryptographic keys, and the company’s server acts as an illiterate messenger, passing along messages that it can’t itself decipher.”
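The difference between a service that holds your key and an end-to-end encrypted one can be shown in a few lines. This is an added example, not code from the original article or from any messaging app: it uses a toy Diffie-Hellman exchange and a hash-based keystream (both assumptions chosen so it runs with only the Python standard library) to compare what the provider can read in each model.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters chosen for this example only (an assumption,
# not what any real messenger uses). Real apps rely on vetted protocols.
P = 2**255 - 19
G = 2


def _keys(secret: bytes):
    """Derive separate encryption and authentication keys from one secret."""
    return (hashlib.sha256(secret + b"enc").digest(),
            hashlib.sha256(secret + b"mac").digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (illustrative, not vetted)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """Turn plaintext into nonce + ciphertext + authentication tag."""
    enc, mac = _keys(secret)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(secret: bytes, blob: bytes):
    """Return the plaintext, or None if this key does not open the message."""
    enc, mac = _keys(secret)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc, nonce, ct)


class Endpoint:
    """A user's device: the private value never leaves it."""

    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._private, P)  # safe to pass through the server

    def shared_secret(self, peer_public: int) -> bytes:
        return pow(peer_public, self._private, P).to_bytes(32, "big")


def compare_models(message: bytes) -> dict:
    """What the provider can recover from stored messages under each model."""
    provider_key = secrets.token_bytes(32)    # model 1: the service holds the key
    hosted_blob = seal(provider_key, message)

    alice, bob = Endpoint(), Endpoint()        # model 2: keys exist only on devices
    e2e_blob = seal(alice.shared_secret(bob.public), message)

    return {
        "provider_reads_hosted": unseal(provider_key, hosted_blob),
        "provider_reads_e2e": unseal(provider_key, e2e_blob),
        "bob_reads_e2e": unseal(bob.shared_secret(alice.public), e2e_blob),
    }


if __name__ == "__main__":
    for name, value in compare_models(b"see you at 7").items():
        print(name, "->", value)
```

The server still passes the public values between devices in this sketch, which is why real apps ask users to compare safety numbers or key fingerprints with each other.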

Sex workers, privacy advocates, organizers, and journalists commonly rely on end-to-end encryption to respond to their threat model. Thanks to social media and smartphones, end-to-end encrypted messaging is as popular as it is accessible, and there are a number of services you can use to keep in touch with others.

Popular end-to-end encrypted messaging services include:

  • Signal
  • WhatsApp
  • Telegram
  • Dust
  • Wire
  • Keybase
  • iMessage

Among these, the following are generally considered the best for the most private and secure messaging:

  • Signal – Open-source, strong pro-privacy stance, data collection minimal, zero-access encryption. Most popular
  • Wire – Open-source with similarly strong pro-privacy stance, phone number not required
  • Dust – Automatic 24 hour message deletion, phone number kept private after creating username, based off Signal protocol

Note that each of these platforms has its pros and cons. For example, Signal requires your phone number, which may put sex workers at risk of being identified.

Encrypted email

In terms of email services, end-to-end encryption and zero-access encryption are preferred. The latter is a form of encryption that prevents service providers from reading your emails in plaintext while “at rest,” or sitting in your inbox.

Two popular end-to-end encrypted email services include ProtonMail and Tutanota. Both offer end-to-end encrypted communication with fellow service users, such as a ProtonMail user emailing another ProtonMail user.

Be warned that ProtonMail does not encrypt subject lines, while Tutanota does. Additionally, no email service can provide end-to-end encrypted communication if one of the recipients does not use end-to-end encryption. A ProtonMail message sent to an @aol.com account, for example, will not be encrypted in the AOL user’s inbox. Your correspondence will be encrypted at rest within your own inbox, however. For more information, read this author’s overview and review of ProtonMail.

(One workaround for this issue is PGP. Short for “Pretty Good Privacy,” this involves a sender encrypting an email with a key, and a recipient decrypting it with their own key. Mozilla Thunderbird users can easily navigate this with the Enigmail add-on.)
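To see what the subject-line warning and the PGP workaround mean in practice, the added example below (not from the original article) parses two constructed messages with Python's standard `email` module and reports what anyone storing or relaying the mail can read. In a standard PGP/MIME (RFC 3156) message only the body is encrypted; the addresses, subject and placeholder ciphertext here are made up.

```python
from email import message_from_string

# Headers that every mail server handling the message can read.
ENVELOPE_FIELDS = ("From", "To", "Cc", "Subject", "Date")
ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: a PGP/MIME message as it sits in a mailbox.
PGP_MIME_SAMPLE = """\
From: sender@example.org
To: friend@example.net
Subject: Booking for Friday 9pm
Date: Mon, 01 Jun 2020 12:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same note sent without any encryption.
PLAIN_SAMPLE = """\
From: sender@example.org
To: friend@example.net
Subject: Booking for Friday 9pm
Date: Mon, 01 Jun 2020 12:00:00 +0000
Content-Type: text/plain; charset="utf-8"

See you Friday.
"""


def exposure_report(raw: str) -> dict:
    """List what is readable without any key: headers and cleartext parts."""
    msg = message_from_string(raw)
    visible = {f: msg[f] for f in ENVELOPE_FIELDS if msg[f] is not None}
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    armored, readable = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace").strip()
        if ARMOR in text:
            armored += 1                      # encrypted blob, opaque without the key
        elif part.get_content_maintype() == "text" and text:
            readable.append(text)             # cleartext body part
    return {
        "visible_headers": visible,
        "body_encrypted": pgp_mime or armored > 0,
        "readable_body": readable,
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MIME_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, exposure_report(raw))
```

Both reports list the same sender, recipient, date and subject, so keep anything sensitive out of the subject line even when the body is encrypted.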

Hiding your internet footprint with a VPN

A virtual private network is a service that lets users connect to an off-site server to route traffic over the internet. This connection uses an encrypted tunnel to protect your privacy. This ensures your outbound and inbound web traffic alike are secure.

Screenshot from ProtonVPN.

“When you browse the web while connected to a VPN, your computer contacts the website through the encrypted VPN connection. The VPN forwards the request for you and forwards the response from the website back through the secure connection,” Chris Hoffman writes for How-to Geek. “If you’re using a USA-based VPN to access Netflix, Netflix will see your connection as coming from within the USA.”

VPNs come with their trade-offs. Your ISP can see when you’re using a VPN, as can other websites. VPNs are much more common than in previous years, although simply using one may be enough to gain a company, police department, or state entity’s attention. Your information is in the hands of your VPN provider, and some companies are more trustworthy than others. Do your research before choosing a VPN, especially if you’re planning to engage in high risk activism work or full-service sex work.

Several popular, vetted VPN services include:

Privacy-friendly software alternatives

When corporations control the programs you use, they control access to the data you create with their platforms. There are plenty of privacy-friendly software alternatives to some of the most basic proprietary software out there, many of which are open-source. Microsoft Office, for instance, has a free, open-source alternative called LibreOffice. Here is a list of alternatives to some of the most popular websites and services out there:

Additional alternatives can be found on PRISM Break.

Switch to Linux and minimize data tracking

If you’re on a Windows or macOS computer, your data is being tracked. Microsoft and Apple are notorious for collecting an immense amount of information on their users and storing it. One of the few viable alternatives to these corporate tech giants is using Linux.

Screenshot from Linux Mint.

Linux is not one operating system, but a family of free open-source OSes built off of the Linux kernel. In 2020 there are many distributions (or “distros”) available built for user accessibility, and these are as easy as placing a boot disc on a flash drive and installing the OS on your computer of choice. You can erase your current OS with Linux, create a “dual boot” option that keeps your current OS, or even install Linux on an external hard drive and use your distro between devices. Many distros support drive encryption, letting users protect their entire OS and all of its contents prior to boot-up.

Look into the following Linux distros for an accessible, privacy-friendly experience:

  • Debian – One of the most accessible secure distros available, relies entirely on free, open-source drivers and applications
  • PureOS – Security and privacy-based Linux distro
  • Linux Mint – Easy to use, similar in nature to Windows. Installation is easy, OS is highly stable, and overall a solid distro for newcomers
  • Manjaro – Like Linux Mint, user-friendly design and lightweight distro perfect for switching from Windows

For more information on Linux, visit FOSS Post’s beginner’s guide to the operating system family.

Conclusion

This guide goes over technical solutions sex workers and activists can take to protect their data. However, the role human error plays in OPSEC cannot be overstated. A trusted VPN, secure Linux distro, and end-to-end encrypted email account will not protect you if you set all of your account passwords to “password,” or if you happen to share your address on social media.

Your OPSEC’s weakest link usually comes from an outside party: a client, a fellow organizer, a family member, or a friend. Ideally, you should send this guide to your trusted comrades and suggest they begin improving their digital security too. But you must meet your social network where it’s at. If your client does not understand why they need to use ProtonMail to communicate with you, it may be easier to simply purchase a burner phone for sex work and exchange numbers on Signal.

Always do your research before using any operating system, device, phone app, or communications platform. Services such as Telegram are not quite as secure as people assume, and products like ProtonMail are not fully upfront about their encryption features. You are as safe as the products you trust, so make them earn it.

At times, you may need to sacrifice convenience for privacy by taking certain conversations offline. Not all conversations can be had safely digitally.

There is no such thing as the perfect security system. The advice activists and tech freedom advocates provide is based on what we currently know and consider best practices. New laws, leaks, and technological innovations may introduce changes to your threat model. Stay connected to your local tech activist community to know more about contemporary OPSEC guidelines.

A closing note on privilege

Tech resources are a privilege. They are gatekept by white cishet men who assume their relationship with the world is the default. This not only drives women, trans people, sex workers, and Black activists from tech spaces, it cultivates exclusion. Poor OPSEC goes all the way back to the white men who get to decide who can access tech spaces, who cannot, and what issues the community cares about.

Your ability to successfully build a new computer, buy a new laptop, or even purchase a flash drive is dictated by your race, class, gender, and sex working status, among many other factors. It is the responsibility of the privileged to lend a hand and help the marginalized protect themselves. This can be done in numerous ways – running workshops, donating devices, volunteering one-on-one tech support, funding mutual aid projects, or directly giving your money to the most marginalized among us. No matter how you do it, it’s our responsibility to make sure digital safety is accessible to everyone.

Special thanks to Raksha Muthukumar and SX Noir for feedback on this post’s initial draft.

To read more from Ana Valens, click here!

Further Reading

EFF’s Surveillance Self-Defense Project – An in-depth overview of digital security and safety designed for new and experienced tech users alike

Attending a Protest: Surveillance Self-Defense – Digital safety guide by the EFF specifically for protesters, highly recommended

Protesting for Black Lives Matter? Follow these data privacy tips – For protesters attending Black Lives Matter marches or other events. Written by this guide’s author

How to Protest Safely in the Age of Surveillance – Additional overview for Black Lives Matter protesters

ProtonMail Review – Overview of ProtonMail, its features, and its weaknesses. Written by this guide’s author

GOP introduces bill that would give police easy access to encrypted data – Overview of a Senate bill targeting encryption. Would federally mandate “device manufacturers and service providers” to work with law enforcement in “accessing encrypted data if assistance would aid in the execution of [a] warrant”

How To Stop Instagram From Tracking Everything You Do – Overview of ways you can prevent Instagram from collecting personal data. The best option is, unfortunately, to delete Instagram from your phone

Threat Modeling


What is Threat Modeling?

“A way of narrowly thinking about the sorts of protection you want for your data. It’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible attacks you plan to protect against is called threat modeling. Once you have a threat model, you can conduct a risk analysis.” – EFF

What are Threat Modeling Questions To Ask?

1. What do I want to protect?

2. Who do I want to protect it from?

3. How bad are the consequences if I fail?

4. How likely is it that I will need to protect it?

5. How much trouble am I willing to go through to try to prevent potential consequences?

What are other Threat Modeling Concerns?

What are my assets?

Who are my adversaries?

What are the threats of my adversaries?

What is the risk of ___ happening?

What does a sample Threat Model look like?

Example: Sex Work Provider in NYC

Assets: Photos, legal id, address, social media accts, email, communications, texts, bank acct, payment ledgers, contacts.

Adversaries: Cops, stalkers, family, exes, journalists, careless ppl, catfish, trolls, anti sex work ideologues, algorithms.

Threats: Location tracking spyware, doxxing, blackmail, report police, steal photos, intercept, falsified charge reason/arrest reason, reporting status as sex work provider to ‘vanilla’ job.

 

@babyfat.jpeg on Lesbians Who Tech

Last year, two organizers from Hacking//Hustling were rejected from speaking at last year’s Lesbians Who Tech convening in San Francisco, which took place shortly after SESTA-FOSTA was signed into law. Hacking//Hustling provided a partial scholarship to Baby Fat (@babyfat.jpeg) to attend and make sure that there would be sex worker representation at the conference. Baby Fat’s reflections on her experience at Lesbians Who Tech as a sex working Femme are below.

A few months ago, I was able to attend my first Lesbians Who Tech summit thanks largely to the support of my community. At the time of attending I was working as a digital media associate at a Queer healthcare nonprofit. Most of my 9-5 background has come from my work in Queer nonprofits, working mostly in direct outreach. For the last three years I have worked in tech specific positions within nonprofits, skills which I was able to acquire because of my hustling. I’m from a nontraditional background, but hustling has taught me everything I know about tech, marketing, and community management.

It’s worth mentioning I was able to attend the conference because I was awarded a partial scholarship for them. I attended the summit because I have always had a passion for social media and believe in its ability to connect community and provide accessible education, especially as it relates to Queer sexuality and wellness. From a hustling perspective, it’s the best way for me to engage and advertise to those who utilize the multitude of my services. Post FOSTA/SESTA I have had to rely even more heavily on social media and have since begun operating more discreetly.

While the conference was exciting and I was able to connect with some great folks I often felt that some overall nuance was missing. There was a lack of intentional conversations around gentrification, sex work, and the Queer complacency. Navigating the space as a fat femme sex worker was complex and exhausting at times, between being unable to fit in certain seating, being talked down to by masc attendees, or feeling uncomfortable disclosing the extent of my work. Because a bulk of my 9-5 career has been in nonprofits a majority of the conferences I have attended have been specifically dedicated to Queer theory, resistance, and community building. However, these spaces often lack on seeing the importance of tech within these movements and have been slow to adapt to the changes tech have created in communities. I think LWT is doing better work than most other tech specific conferences, but I do think they could benefit from adapting some of the approaches and topics Queer nonprofit conferences have.

Throughout the summit, I heard no mentions of gentrification from LWT leadership, which felt especially out of place considering that LWT seeks to empower the very people gentrification disproportionately affects. While gentrification has been a popular conversation in tech spaces, having been discussed at length, I can understand how it feels like it might not need as much attention. But I still feel it’s incredibly important to have some intentional dialogue and education around it. I’m from Chicago and the city’s recent tech expansion and attempt at being a global city has reinvigorated the conversation of gentrification and tech. If LWT truly aims to create a more intersectional and diverse tech workforce then they need to fully engage the communities that are being displaced by tech gentrification. LWT leadership needs to recognize they have a platform to educate and incite change. Choosing not to talk about gentrification is choosing to be complicit in it.

At the root of complicity are respectability politics, something LWT engages heavily in, in order to maintain funding, connections, and a respectable reputation. But with these politics comes the erasure of some folks who rely on tech for their safety and economic stability. Sex workers have always been at the forefront of using and building the popularity of tech platforms and services. Between navigating digital banking, advertising online, and censorship on social media, sex workers utilize tech at significant rates. Sex workers made Cashapp and Venmo mainstream, and continue to be a driving force behind both banking systems’ growth. But both systems, as well as most social media platforms, have made it increasingly difficult for sex workers to continue using them.

I went to LWT knowing that there were no formal mentions of sex work in the programming, an oversight considering the historical connections between sex work and Queer folks. After all, pride was started by Marsha P. Johnson, a Black Trans woman, and a sex worker. Countless other Queer revolutionaries like Sylvia Rivera, Amber L. Hollibaugh, and Miss Major among numerous others have been on the front lines of Queer liberation. But as Queer folks have become more assimilated into mainstream culture, Queer sex workers have been pushed farther to the fringes by their own communities.

Whenever in casual conversation with other attendees, the mention of sex work would make them uncomfortable. When I disclosed my experiences in navigating social media as a sex worker, I could feel them try to calculate what type of work I did. It felt like I had to prove my credentials and cleanliness to them. I had a few people implore what type of sex work I did, and I generally got the feeling from them that some forms were more acceptable than others. Often times folks would withdraw from the conversation or worse, explain to me how they knew things were “difficult” because they read a Vice article once. When I pressed them for ways that they were working to make their companies and products better for sex workers since they read a Vice article, they often said there wasn’t much they could do because they weren’t a decision-maker or programmer. But I think that’s just coded language for “I don’t want to do anything.”

I don’t think it’s a matter of people not understanding the difficulties sex workers face while trying to navigate tech. I think it’s an issue of respectability politics; additionally, those that are willing to make change are unsure where to start. Sex work, despite what sex positivity would have you think, is still incredibly stigmatized, especially within educated Queer spaces, like LWT. Leadership at LWT has the power to educate attendees on the nuances of tech and sex work and can impact attendees to do more within their positions, but once again, they choose not to.

The high point of the conference for me was being able to see Angelica Ross speak. Ross has been incredibly vocal about the importance of sex workers in tech and has provided visibility to the larger movement. I want to see more dialogue around sex work and sex workers speaking and facilitating conversations specifically at LWT in the future. Additionally, I would like to see LWT engaging more with sex workers by partnering with sex worker specific organizations and speaking about sex work more vocally on their digital platforms. I think engaging more sex worker based organizations would encourage more sex workers to attend, and if anyone needs better tech, it’s sex workers.

Publicly talking about sex work not only educates civilians on the nuances of tech and sex work but also actively destigmatizes sex work in tech spaces, making it easier for folks to openly (and comfortably) talk about their narratives as sex workers. I’m critical of LWT because I want it to succeed, I want people to feel comfortable and for tech to be reclaimed.