Field Notes from a Year of OPSEC Training

Late last year, as part of our annual “Year in Review” series, we summarized our efforts providing digital privacy and security advice to at-risk communities. OPSEC trainings (short for operational security, a catch-all term we use to describe any kind of workshop, advising session, assessment, or presentation about operational security for individuals and organization) are something we've long provided, but until recently, something we’ve never broadcasted.

This has become a critical aspect of our work over the years, keeping us grounded and in touch with the realities of tech-enabled violence as well as evolving resistance strategies used by movement workers. Hoping other security trainers and organizers copy our homework, here’s a more thorough breakdown.

To be clear, we're not a 'pentesting' company, which refers to the methodological process of testing a person or organization's security and privacy posture, nor an information security (infosec) firm that offers anything within scopes of traditional security assessments.  Infosec companies almost always adhere to a cycle of: discovery/reconnaissance; > vulnerability scanning and testing; > exploitation of vulnerabilities found; > and a reportback of recommended mitigation strategies. Such full-spectrum audits can run the gamut of testing network security, physical security, organization posture against phishing or ransomware attacks, web app security, and more. For many organizations, the value of such engagements is immeasurable.

Such companies—although equipped with the technical sophistication to do full-spectrum digital security auditing and testing—often lack the critical points of view of human rights defenders and activists. Many human rights defenders and liberation movement workers are critically under-resourced and unable to meet the high costs of engagement with such infosec companies.  But that’s not what we offer. Our trainings center the needs of people on the ground, and offer this work pro bono.

The cycle of engagement our work tends to take is similar to the lifecycle of pentesting outlined above, but with some key differences better suited to people-powered movements.

We begin with a period of discovery about the organization we’re engaging with, learning about their work, the issue space they’re working in, and the types of threats their peers have faced in the past. Relying on our knowledge of known threat actors (state-operated threats, non-state actors, surveillance mechanisms, and more), we conduct a thorough threat modeling and risk assessment exercise, surfacing critical pieces of information about what we ought to prioritize protecting and from what. Sometimes that’s enough for a group to get started on improving their security plans, and we send them on their way.

After receiving consent from the group to do so, we may perform some OSINT (open source intelligence) investigation and map out a sketch of their digital footprint. This often looks like some combination of discoverability through public records, data broker ecosystems, and breach databases, as well as risks they may incur through the services they rely on for their web presence. That latter part can be done with typical pentesting reconnaissance tools, as well as our own project Privacy Badger for mapping the trackers on their website, which pose them and their users some amount of risk. Working from this sketch of their digital footprint, opportunities to lessen the reach of their data exposure, or at least the more sensitive areas they ought to be aware of, become apparent.

For a more in-depth engagement, we take the information gathered from the guided threat modeling exercises, as well as the digital footprint we’ve developed for them, and we move on to training the participants on what they need to address their threats. Sometimes that looks like a deep dive on encryption and how it can be used to protect data backups and secure communications. Other times it looks like getting very knowledgeable and practiced on the various ways to stay safe from surveillance threats encountered at a protest. Often though, our engagement with those asking for advice on how to strengthen their OPSEC is as simple as presenting materials covered in our Surveillance Self-Defense (SSD) project, but with EFF staff to help apply those lessons to their context.

Requests for such training mostly arise organically, either via referral, from our participation in external media, or driven by an interest in SSD. Naturally, the demand for accessible OPSEC advice escalates along with the general sophistication and reach of surveillance technology. And as authoritarianism creeps and continues to threaten the movement workers fighting against it, there's a marked urgency for that demand.

The types of communities and liberation movement workers that reach out run a wide array of experiences, but some commonalities stick out. Since the fall of Roe v. Wade, we've seen a huge uptick in abortion access activists like clinic escorts and information distribution networks reaching out. So too are providers of criminalized healthcare services, both abortion services and gender affirming care alike. The list goes on: advocates for transgender rights such as art collectives and archivists, sex worker rights activists, survivors of intimate partner violence, climate justice activists, legal defense groups focusing on immigrant justice and Black liberation. And many, many others, often stemming from experiences of distinct marginalization and state-powered violence.

We’re dressing the wounds the violence of surveillance inflicts.

When there's a cast of common threat actors that so often emerge during risk assessment (ideologically motivated harassers, lawmakers, cops, negligent leadership at large tech platforms, etc) there is a level of predictability about their capabilities. We use that information to make knowledgeable risk assessments for those we’re working with, determining the means that threat actors have to cause them harm, as well as the likelihood.

For community organizers and grassroots activists we most often see concerns around doxxing (and harassment driven by OSINT), social media monitoring, content suppression on tech platforms, and insider threats such as infiltration within trusted communication channels. Often this comes with a tension between publicity and privacy—needing to spread their message and further their cause, while recognizing that digital privacy has a profound impact on their personal safety. Some activists may instead hope to organize other more covert forms of direct action. They're more likely to be concerned about the types of street level surveillance that they may encounter.

Small organizations nonprofit and otherwise may share the concerns around doxxing, as well as traditional digital security concerns around their web presence. Website defacement and data exfiltration are particular concerns for organizations that don't have the resources to commit to IT security staff. And for those that do have meager budgets for such things, organizational compliance and ease-of-use regarding privacy and security technologies are a whole other concern. The question then becomes how to manage a system of distributed devices that are uncontrolled by the organization, but operationally necessary for each member of their community.

Generally speaking, the threats most commonly encountered in these spaces have to do with the opacity and unchecked reach of surveillance systems. With every single individual or group that we encounter in this type of work, threat modeling comes number one in terms of priority. There is no way to protect against every theoretical threat. Instead, we walk others through the process of identifying and then prioritizing known and perceived threats, based on their specific context and the type of work that they do, before moving on to recommended mitigation and resistance strategies.

Developing a threat model without a course of action often does more to stoke privacy nihilism than remedy the risks communities face. The more we engage with at-risk communities and offer reasonable, accessible OPSEC advice, the greater our instinct develops for recognizing such strategies. At the core of these recommendations lie the backbones of privacy and security fundamentals, such as encryption, access controls, sophisticated backup plans, OSINT skills, and resistance to online tracking.

Over the years, we've found it easiest to begin with non-technical recommendations first. These strategies often mesh well with the community's extant organizing procedures, such as designating team roles and thought out contingency plans for specific risks. This may look like identifying those extant plans and tacking on responsibilities like data backups, code words for community vetting, and developing workarounds or contingency plans for if they lose access to specific technologies.

Eventually, though, the strategies must become more technical, like switching to more private and secure technology alternatives, developing a sophisticated and encrypted data backup plan, and having technical contingency plans in place for if/when they are deplatformed or their services interrupted. Developing patience and compassion when walking groups through unfamiliar technologies is an essential tool of this work. So too is the habit of checking ourselves, as privacy and security nerds, to know the difference between the most secure technologies and those which will actually be used by at-risk community members. Any step towards more thoughtful OPSEC is better than one too difficult to use. The last thing we want is a recommendation that results in people frustratedly giving up on doing anything at all. After all, the whole point of this is to empower movement workers, not inhibit them.

It is painfully obvious how many identified threats could be protected against if there were comprehensive data privacy legislation protecting all people. The lack of such is an existential threat to everyone. Bills that undermine peoples' right to privacy are never clear about what they're doing, and often come wrapped in some paternalistic guise of addressing some other harm elsewhere. They often use confusing, oblique language that preys on the public's interest to correct the course of other social harms. The reality is that when it’s clearly explained, every person online wants better privacy. And as we know, every individual's personal security and wellbeing are entwined with their access to privacy. The capacity with which a person can decide what to share online, rather than have sensitive information non-consensually taken from them by creepy surveillance technologies, is a matter of self-determination. And it's in all our best interests to fight for the right to self-determination.

An unexpected outcome of identifying so many common threat actors across such varied issue spaces is revealing potential avenues of collaboration and camaraderie. Some movements are already keen on this allyship, such as those focusing on various aspects of bodily autonomy and self-determination. Abortion access activists and trans liberation activists are often in concerted allyship. Other less obvious connections are legal defense groups that offer "know-your-rights" style educational materials and other issue-specific activists who have questions about the legal threats they're facing while fighting for their cause.

Recognizing the common threat actors across different issue spaces begins to highlight opportunities for collective action against those threats. As a digital rights organization, this is very much our wheelhouse, and precisely why our technologist team is self-described as one working toward the public interest. It’s also from this point of view that we continue to win. And why it’s critical for lawmakers to pay attention when we say particular pieces of bad legislation are harmful to public safety. And finally, why it is necessary for public interest technologists and digital rights activists to connect with other communities to learn about the specific technology risks they’re worried about. As Mariame Kaba says, “Nothing that we do that is worthwhile is done alone.” This very blog post is in an effort to provoke thought for digital security trainers, so that we as a community don’t work atomized and alone, reproducing the same work, exhausting ourselves and creating unnecessary redundancy.

We do what we can to keep up. And thankfully, we participate within an ecosystem of digital security providers that have a keen mind towards fighting for digital rights. We share resources, referrals, and expertise. Our Surveillance Self-Defense project is stress-tested by the experiences shared by the liberation movement workers we engage with and provide this work to. If you’re interested in becoming a digital security resource for your community, start with the SSD. If you’re a human rights defender with questions about how to stay safe, reach out. And if you’re not sure what else to do, you can always help us keep it going.