Core OPSEC Principles: A Guide for Activists
Operational Security (OPSEC) isn’t just about tools or software; it’s a way of thinking. It’s the practice of identifying and protecting sensitive information from falling into the wrong hands. These core principles are the foundation for making smart, secure decisions in your activism.
Core Principles
1. Need to Know
The Concept: Information should only be shared with individuals who absolutely need it to perform their specific task. Before sharing anything, ask yourself: “Does this person truly need this information to do their job?”
- Example 1: Meeting Details
  - When organizing an event, does the entire volunteer group need to know the exact rally point a week in advance, or only the team leaders? Limiting this information to a smaller group reduces the risk of leaks and disruption.
- Example 2: Contact Lists
  - Does the person designing a flyer need access to the full list of group members? No. They only need the event details. The full member list should only be accessible to a trusted coordinator on a need-to-know basis.
2. Compartmentalization
The Concept: This means keeping the different areas of your life (personal, work, activism) separate. If one area is compromised, the separation prevents the damage from spreading to the others.
- Example 1: Digital Accounts
  - Use a separate email address and browser profile (like a separate Firefox container or Chrome profile) exclusively for your activism work. Avoid using your personal or work accounts for any activist-related communication.
- Example 2: Devices & Aliases
  - If possible, avoid using your personal phone for sensitive activist communications. Consider using a secondary device or secure communication apps with a number not tied to your real identity. Using different aliases for different platforms can also prevent your activities from being easily linked.
3. Data Minimization
The Concept: Collect, use, and store the absolute minimum amount of information required to accomplish your goal. The golden rule is: If you don’t have the data, it can’t be stolen, leaked, or legally demanded.
- Example 1: Sign-Up Forms
  - When creating a sign-up form for new volunteers, only ask for what is essential. Do you really need their real name or home address? A contact email or a Signal number is likely sufficient and less risky.
- Example 2: Communication History
  - Regularly delete old communications. Use features like disappearing messages in apps like Signal. Don’t keep chat histories, files, or meeting notes for longer than they are actively needed. Once a task is done, purge the related data.