OPSEC for Dummies: Better to be Paranoid than Pwnd

Posted by:
Aptura
This article aims to explain the basics of OPSEC to help you better understand the concept and its usefulness. Many people forget that there are different levels of applying this concept, and pushing it to an extreme is not necessary for everyone.

However, it’s important to understand that this article covers the basics, which, in my opinion, are essential for everyone today. We live in a world where data published on the internet can come at a high cost—whether financially or simply through the impact it can have on your daily life.

Get ready to step into a certain level of paranoia!


1. Introduction: Why is OPSEC Essential?

But first, what is OPSEC?

Definition:

OPSEC (Operational Security) is a set of practices designed to protect your personal and sensitive information in daily life, especially online. It involves being aware of what you share, what you post, and how you interact on the internet to prevent important data from being compromised.

OPSEC helps you keep your information private where it should remain: in the private domain.

Now that you understand the basic concept, you realize that this is a vast, highly personal topic that depends above all on your needs. And you might be wondering why it's so crucial.

If you're reading this, it's because you live on planet Earth (still to be confirmed), and like me, you are exposed to digital media every day of your life. Like me, you know Instagram, WhatsApp, Facebook, Twitter (yes, I don't want to call it by its new name), and you probably have an account on at least one of these platforms.

Well, I don’t. I became aware of the importance of what I share online, and I decided to distance myself from all these platforms for personal conviction.

And why, you ask?

You're well aware that using these sites doesn't cost you a penny. Well, if you want to avoid ads, some platforms offer a paid subscription (the pot calling the kettle black). But how do these platforms manage to generate millions, even billions, of dollars each year?

  1. The famous ads, directly...
  2. Your personal data, indirectly...
  3. Probably other ways, but we’re not interested in those anymore...

Today, the web’s functioning and its economic system rely simply on the collection of diverse data, because to serve ads that might interest you, they need to know who you are.

Starting to feel the tide turning against you? ...

Remember Pôle Emploi, now France Travail, which suffered a major leak of the data of 43 million beneficiaries, an event that started to wake up the still-sleeping consciousness of some people...

This happened between February and March 2024, just for the record.


2. The Fundamental Basics of OPSEC

Well, don’t worry and breathe into a paper bag, I can feel your anxiety attack. I’m about to give you the basics of OPSEC, the fundamentals to at least survive the next leak from your favorite websites.


2.1 Identify Critical Information

To begin, you need to define what you consider "critical" information, as this can vary from person to person. For example, do you consider your date of birth to be critical information?

Personally, I’ve reached a level of paranoia where I now see it as critical information, even though a few years ago, I didn’t care at all.

I think we can all agree that your address is critical information, especially if it can be directly tied to your administrative identity (such as your real name, date of birth, social security number, etc.). And did you know that the Strava app (a running app) can indirectly reveal your running routine and your starting point (potentially your home address), because it allows you to share GPS maps of your best runs? Turns out, showing off to your friends might not always work in your favor.

And speaking of Strava, here’s the kicker:

After the scandal in October 2024 involving the bodyguards of certain presidents, a new controversy broke out in France involving the Île Longue naval base. This naval base is home to 4 SSBNs (nuclear-powered ballistic missile submarines) of the French Navy.

Even though smartphones and connected devices are banned on the base, some military personnel thought that putting their sports watches on airplane mode would solve the problem. However, they underestimated Strava, which still collects offline routes and uploads them automatically once the watch reconnects to the internet.

Alright, your home might not be as critical as a naval base, but just imagine:

You’ve taken some time off and are heading to the mountains for a ski trip. Of course, you tell all your friends on Facebook so they know you’re living the high life (because skiing is basically a luxury these days—though maybe I’m just stingy). But by doing this, you’re basically inviting burglars into your home.

Why? Because you probably posted this information publicly, and they might already have your address. For example, in a previous post, you shared a photo of your car keys—those nice Audi keys. But in that photo, if someone zooms in a bit, they can see a letter in the background with your name, address, and more.

Too bad for that piggy bank sitting on the entryway’s wooden console next to the spare house keys, garage remote, your checkbook, and a pile of unopened mail from your favorite government agencies—like the French tax office!


2.2 Analyze Threats

As mentioned in the previous point, your information can become a target for anyone who might exploit it to harm you.

I’m being nice by just mentioning burglars, but it’s also true for scammers who might try to extort money from you by blackmailing you, or professional fraudsters skilled in social engineering who could impersonate your banker.

It could also be a government. In a country where censorship rules, the government could build a complete profile on you to monitor you and gather intelligence about you and your loved ones—simply because you oppose them or their censorship.

Now, I know this might sound like some conspiracy theory, but take a couple of minutes to think about it. Depending on what information about you leaks, many people could benefit from it. Trust me, identity theft is not fun at all.

There are plenty of examples of entities that could pose a threat if they had access to some of your critical information. Take the time to make a list of potential threats, but keep in mind that this list will evolve throughout your life.


2.3 Evaluate Vulnerabilities

How can someone gather so much information about you?

The simplest way is through exploiting a data leak. In this case, the person leveraging the information isn’t targeting you directly—they’re selecting the most interesting profiles. Imagine your crypto platform gets hacked, and your data is leaked. You can be sure you’ll end up on spam email lists, receiving phishing attempts claiming you need to secure your crypto after the breach by logging in through a specific link to make a claim.

Of course, that link is fraudulent and will capture your login credentials for the site. If you’re not well-versed in security and haven’t enabled 2FA (two-factor authentication), it’s game over for you—the attacker now has full access.

A weak password found in a password dictionary? Combine that with using the same password for all your online accounts, and you’ve just left the door wide open.

The same goes for:

  • Remote access to your NAS server without proper security or data encryption.
  • Throwing away your old hard drive without taking precautions to make it unusable (I’ve found plenty with loads of personal information—it’s shockingly easy, you know, dumpsters are full of these...).
  • Using your birthdate to unlock your smartphone.
  • Writing your credit card PIN on a piece of paper.
  • Having your CV publicly accessible on LinkedIn.
  • Posting photos on your personal website containing full metadata...

The list is long. Trust me, this is one of the hardest steps because you need to think like the person trying to retrieve your data and understand the methods they might use to access the information they’re after.


2.4 Implementing Countermeasures

After identifying the vulnerabilities mentioned earlier, it’s time to implement countermeasures. Just like a fighter jet trying to evade a heat-seeking missile, you must deploy decoys, provide false trails, and mask your signature on the internet.

The most fundamental and essential practice is using a VPN. It's a baseline tool to protect your public IP address, which can otherwise reveal valuable information about you. A VPN helps bypass censorship, access geo-restricted content, and much more. If you've read this far, I assume you're curious enough to take control of your digital life, so start your research on VPNs.

On platforms like Facebook, why publicly share that you're in a relationship, attended a specific school, or work at a particular company? Why let the world know you're vacationing in the Canary Islands, leaving your guard dog behind because no one could look after it? Why post your daily activities on Snapchat stories? (By the way, have you disabled Snapchat's location tracking to prevent appearing on the app's map?)

These are basic countermeasures, but you can go further, such as shredding hard drives before disposal or using Tails OS, which leaves no trace of your activity. It’s also easier to destroy a USB stick than a hard drive. Consider creating fake social media accounts with false information to muddy the waters further.

In summary, once you've identified how your data is vulnerable, you need to implement solutions to address these weaknesses. The goal is to make it so difficult for adversaries that they abandon their attempts altogether.

For example, I always use Proton VPN with a kill switch to avoid data leaks in case of internet outages (though I’m not an expert, so I can't certify its absolute reliability). You'll never find a photo of me online, and since I have a common name, finding critical information about me is nearly impossible. I don't use social media, have very few online accounts, and delete those I no longer use when possible. If deletion isn't an option, I contact the site administrators to request account removal.

I destroy old hard drives, use a password manager to generate strong, unique passwords—minimum 20 characters with numbers, letters, and special symbols—and change them every six months or whenever I suspect a compromise. I never discuss my personal life online or post photos from my hiking trips.

In short, solutions exist. You just need to take the time to secure your online accounts and recognize that some information belongs in private. Doing so puts you among the 2% of people who significantly reduce their risks.


3. Tools for Effective OPSEC

Here are the top 3 tools in each of several domains useful for OPSEC. Remember, you should evaluate these tools yourself and determine which ones suit your needs.


1. Secure Communication

  • Signal: End-to-end encrypted messaging app that’s simple and open source.
  • Matrix/Element: Decentralized, encrypted platform ideal for group communication and organization.
  • Session: Ultra-secure alternative based on a decentralized network without metadata collection.

2. Password Management

  • Bitwarden: Open-source password manager with cross-device sync.
  • KeePassXC: Local, highly secure password manager without cloud storage.
  • Dashlane: Premium option with advanced features for monitoring and securing your passwords.

3. Anonymous Browsing

  • Tor Browser: Anonymizes your online activity by routing traffic through a network of relays.
  • Brave: Privacy-focused browser with built-in tracker blocking.
  • Tails OS: Portable operating system for completely anonymous browsing.

4. Metadata Removal

  • ExifTool: Analyze and remove metadata from photos and files.
  • MAT2 (Metadata Anonymization Toolkit): Open-source tool to anonymize file metadata.
  • Scrambled Exif: Lightweight mobile app to remove metadata directly from your smartphone.
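As an added example (not code from the article or from any of the tools above), here is a small pure-Python check for the risk mentioned in section 2.3 (photos published with full metadata) and the fix these tools automate: it walks the JPEG segment structure, reports whether the embedded EXIF block carries a GPS sub-IFD, and rebuilds the file without that APP1 segment. The sample JPEG is constructed inline; a real camera photo has the same segment layout, just with many more tags.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # APP1 payload prefix used by EXIF
GPS_IFD_TAG = 0x8825            # IFD0 tag pointing to the GPS sub-IFD

def iter_segments(jpeg: bytes):
    """Yield (marker, payload) per JPEG segment; SOS/EOI yield the rest of the file."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: image data follows, copy verbatim
            yield marker, jpeg[pos + 2:]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes itself
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_has_gps(payload: bytes) -> bool:
    """True if the APP1 EXIF payload's IFD0 carries a GPSInfo sub-IFD pointer."""
    tiff = payload[len(EXIF_HEADER):]
    e = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]    # offset of IFD0 within the TIFF block
    n = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = (struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0] for i in range(n))
    return GPS_IFD_TAG in tags

def photo_leaks_location(jpeg: bytes) -> bool:
    # Any EXIF APP1 segment with a GPS IFD means coordinates ship with the photo
    return any(m == 0xE1 and p.startswith(EXIF_HEADER) and exif_has_gps(p) for m, p in iter_segments(jpeg))

def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the JPEG without any APP1 EXIF segment (image data untouched)."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            continue  # drop the whole EXIF block, GPS IFD included
        if marker in (0xDA, 0xD9):
            out += b"\xff" + bytes([marker]) + payload
        else:
            out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)

def build_sample_jpeg() -> bytes:
    """Constructed test input: APP1 EXIF whose IFD0 points to a GPS IFD, then SOS + EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)  # little-endian TIFF header, IFD0 at offset 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHI", 1, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    exif = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xda\x00\x02\xff\xd9"
```

Note that stripping only the EXIF block is the minimum: XMP (another APP1 payload) and IPTC (APP13) segments can also carry location or author data, which is why tools like MAT2 remove every non-image segment.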

5. File and Data Encryption

  • VeraCrypt: Reliable solution for creating encrypted volumes on your devices.
  • Cryptomator: Great for encrypting files stored in the cloud.
  • 7-Zip: Compression tool with AES-256 encryption for securing files.

6. Breach Monitoring and Detection

  • Have I Been Pwned: Check if your email or passwords have been compromised in data breaches.
  • SpyShelter: Anti-keylogger application to protect your keystrokes.
  • Firefox Monitor: Built-in service in Firefox to monitor your accounts for potential leaks.
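As an added example (not code from the article or from Have I Been Pwned), here is how a password can be checked against the Pwned Passwords data set without ever sending the password itself: the client hashes it with SHA-1, sends only the first 5 hex characters to the range endpoint, and compares the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. This is the k-anonymity scheme HIBP's Pwned Passwords API uses; the range reply below is constructed inline so the block runs offline, and the counts in it are made up.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint, queried by 5-char prefix

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(password: str) -> str:
    """The only thing that goes over the wire: the prefix, shared by many hashes."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix

def breach_count(password: str, range_response: str) -> int:
    """Return how many times the password appears in breaches according to a range
    reply (lines 'SUFFIX:COUNT' for our prefix); 0 means not found in that reply."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or padding lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed sample reply for prefix 5BAA6; the second line is the real suffix of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, the counts are invented.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""
```

The same local comparison is what a password manager's breach check does for every stored credential, which is why reusing one password across sites turns a single leak into a full compromise.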

7. Virtual Private Networks (VPNs)

  • ProtonVPN: Swiss-based VPN with an excellent privacy policy.
  • Mullvad VPN: Renowned for complete anonymity (cash payment option available).
  • IVPN: Focused on privacy with no logging or user tracking.

4. Conclusion: OPSEC is a Habit, Not a One-Time Solution

To conclude this article, I must emphasize the importance of understanding the value of your personal digital data. Protecting your information is not paranoia; on the contrary, it is a commendable and mature objective. We have lost sight of the concept of privacy, and this is a significant issue when considering how much personal information can be found online if one is not cautious.

I apologize if some readers were disappointed not to find a "one-size-fits-all" solution here, but OPSEC is not a plug-and-play solution. It requires motivation, patience, and research, as it is a lifestyle. Effective OPSEC only comes into play when habits are changed, and the importance of safeguarding your data is fully understood.

The journey can be long and sometimes discouraging, but if I managed to achieve it, so can you. Take the time to do things right, talk about this with those around you, raise awareness among your loved ones, and help me make the internet a little safer for everyone!

If you have any topics or tutorial ideas related to OPSEC—or even if you think a dedicated OPSEC FAQ would be helpful—I would be more than happy to create and share them.

Take care of yourself and your data. You're stepping into a fascinating world that demands discipline.