Background Information
Operations security (OPSEC) is a process that identifies critical information to determine if enemy intelligence can observe friendly actions, determines if information obtained by adversaries could be interpreted to be helpful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
While the United States military originally coined the term during the Vietnam War, the phrase has since been adopted by cyber security experts to describe concepts that focus on protecting digital systems, networks, devices, and data from cyber threats and maintaining digital security.
Why Online Privacy is Important
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.
- Edward Snowden
One of the most common logical fallacies regarding online privacy is the belief that you shouldn't have to worry about online privacy if you have nothing to hide. While it is true that you might not have anything to hide, there are real-world consequences for allowing companies to collect your data.
The Case of Clearview AI and False Identity
On November 25, 2022, Randal Quran Reid was arrested for two counts of theft and credit card theft out of Baton Rouge and Jefferson Parish. However, one crucial fact had been ignored during Reid's arrest: he had never been to Louisiana.
What had happened was that the police had used facial recognition software known as Clearview AI, which falsely flagged Reid after comparing his face and determining that it was a match to a suspect recorded by a surveillance camera. It was also found that Clearview AI had an extensive database of faces collected from pictures uploaded to websites like Facebook and LinkedIn.
Despite never being in Louisiana, Reid was still held in police custody for a week and was forced to pay several thousand dollars in legal fees to be released. Reid's case was not an isolated incident of the same software falsely flagging someone. At least four other incidents of mistaken identity have occurred, and these are only the cases that have been made widely known to the public. Many people don't have the money or adequate resources to fight these accusations, so their names and stories will never be widely known.
Ring Cameras and Teslas Spying on Users
Until July 2017, every Amazon Ring employee could access every Ring user's video, even when it wasn't needed for their specific job. Not only were these videos freely accessible to Amazon employees, but a third-party contractor from Ukraine was also given access to these videos and the freedom to download and store these videos up until July 2017.
It should also go without saying that Amazon's employees abused this access. The FTC reported that one Ring employee had viewed thousands of videos from at least 81 female users. The employee allegedly went looking for camera feeds that suggested they may have been used in the most private of areas, such as "Main Bedroom," "Main Bathroom," and one camera named "Spy Cam," and it is believed that the employee would look through the videos for at least an hour a day. As a result of this incident, Amazon was reported to the FTC, forcing Amazon to pay a $5.8 million settlement.
Similarly, in April of 2023, it was found that Tesla could access the cameras in their customers' cars. Tesla employees were also found to be sharing videos and pictures gathered from these cameras with one another. An ex-Tesla employee described that even if the car was off, the cameras would still record video, and the car would even report its location.
The ex-employee described how the cars would capture customers doing laundry and other goings-on in the customer's home.
Companies Artificially Inflating Prices and Collecting User Data
One of the most common ways companies have optimized their sales is through targeted advertising based on browsing data gathered from users. In 2020, it was found that Orbitz, a popular online travel agency and travel metasearch engine, was showing higher prices for hotel rooms to Mac users than those who used a Windows PC. Orbitz later admitted that they would use this user trait to push more premium rooms to Mac users and later removed this "feature."
In addition to what specific machine you could be using, advertisers could also collect more personal data from the website you are browsing. In 2021, the company Signal was banned from advertising on both Facebook and Instagram for running what has been deemed the most honest advertisement campaign. The core of the campaign was to expose the ability of Instagram and its parent company, Facebook, to collect data from users, by targeting those users with Instagram's own ad tech tools.
Some of the data used was basic information ranging from the user's age and location to more in-depth granular points like whether they were looking for a new home, were single, or were really into energy drinks.
Russian Hackers Stole and Sold Mental Health Data
Even if the company that collects your data has no ulterior motive when using this data, this does not mean that the data won't be a target for others with ulterior motives. In November of 2022, the Australian company Medibank had customer data related to claims for mental health treatment leaked to the Dark Web by Russian hackers.
Throughout the week of November 6, 2022, the hacker group would drip-feed files containing the personal information of various policyholders. Throughout the week, hundreds of patients had their data exposed to the general public, with the core intention of getting Medibank to pay a ransom to get the data leak to stop.
Even though Medibank had the best of intentions of holding onto the patient data, and even though Medibank did not intentionally use the data for ulterior motives, the data was still made a target for hackers and was still exposed to the broader public.
How to Protect Your Data
Thankfully, by changing a few habits and using the correct technology, you can protect your data and enhance your privacy and anonymity. It is important to note that some of these steps will add a mild challenge to your browsing habits, as the modern internet has been designed not to be private. While this Wiki will help you understand the resources you need to keep your anonymity online, you must sacrifice convenience.
Create a Threat Model
Creating a threat model is the foundation of enhancing your online privacy. It's the first step in securing your data. Identify what you want to protect, understand potential threats and risks, set your security goals, and find vulnerabilities in your online activities. Tailored to your situation, a threat model empowers you to protect your digital assets proactively. Learn how to create a threat model with our guide.
Decentralize your Online Accounts/Activities
Many individuals consolidate their accounts and services under a single, non-privacy-oriented email provider like Gmail. This often leads to reusing passwords across different accounts, linking a vast amount of personal information to that email. This practice becomes problematic if a data breach exposes passwords and emails, making all accounts associated with the email susceptible to hacking. Compromised email means compromised related services.
The solution is decentralizing accounts using multiple email addresses with a single password management system. Opt for a password manager that's not web-based and avoids online registration or cloud syncing to preserve anonymity. The top recommendations are KeePassXC or GNU Pass.
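The reuse problem described above can be measured before you start splitting accounts. The following is an added example, not part of the original Wiki: it audits a password-manager CSV export for shared passwords and for how many accounts hang off one email. The column layout (Group, Title, Username, Password, URL, Notes), the sample rows, and the function names are assumptions constructed for illustration.

```python
import csv, hashlib, io
from collections import defaultdict

# Constructed sample rows; the header is the export layout assumed above.
SAMPLE_EXPORT = '''"Group","Title","Username","Password","URL","Notes"
"Root","Shop","alice@gmail.example","Summer2023!","https://shop.example",""
"Root","Forum","alice@gmail.example","Summer2023!","https://forum.example",""
"Root","Bank","alice@gmail.example","k9#Vq2!xLm","https://bank.example",""
"Root","Coupons","tmp1@burner.example","Zt4$pQ8wRn","https://deals.example",""
"Root","Newsletter","alice@gmail.example","Summer2023!","https://news.example",""
'''

def audit(export_text):
    """Return (groups of titles sharing a password, titles per login)."""
    by_password = defaultdict(list)
    by_login = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["Password"]:
            continue
        # Group on a digest so the plaintext password never reaches the report.
        digest = hashlib.sha256(row["Password"].encode()).hexdigest()
        by_password[digest].append(row["Title"])
        by_login[row["Username"].strip().lower()].append(row["Title"])
    reuse = sorted((sorted(t) for t in by_password.values() if len(t) > 1),
                   key=len, reverse=True)
    return reuse, {login: sorted(t) for login, t in by_login.items()}

def blast_radius(export_text, breached_title):
    """Other accounts sharing the login AND password of the breached entry."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    leaked = next(r for r in rows if r["Title"] == breached_title)
    return sorted(r["Title"] for r in rows
                  if r["Title"] != breached_title and r["Password"]
                  and r["Username"].lower() == leaked["Username"].lower()
                  and r["Password"] == leaked["Password"])

if __name__ == "__main__":
    reuse, per_login = audit(SAMPLE_EXPORT)
    for titles in reuse:
        print("shared password:", ", ".join(titles))
    for login, titles in per_login.items():
        print(f"{login}: {len(titles)} account(s)")
    print("exposed if Shop is breached:", blast_radius(SAMPLE_EXPORT, "Shop"))
```

A CSV export holds every password in plaintext, so run the audit offline and securely delete the file afterwards.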
Picking your Email Service
One of the biggest things you want to consider when protecting your data is the email service you want to use. These typically will be either permanent email addresses or temporary burner email addresses. Regardless of which one you will use, you will want to sign up through the Tor network, as you can request a new identity for browsing.
Permanent Email Addresses
Permanent email addresses are those at any email service you intend to use for the foreseeable future, such as for correspondence or for alerts from accounts registered with that email. Three highly recommended services for a permanent email address are Tutanota, Mailfence, and Proton Mail.
Temporary Email Addresses
Temporary email addresses will be those you only plan to use for a short while. An example would be for redeeming a coupon or an online deal. For temporary email addresses, you will use Guerrilla Mail, TempmailO.com, or TempMail.org.
Choosing a Web Browser
Web browsers serve as extensive data collection tools for companies. Optimal choices for privacy are GNU IceCat and Firefox due to their robust security configurations upon installation.
- GNU IceCat boasts the most secure setup from the outset. Yet, there's a trade-off: it doesn't support JavaScript, rendering it unsuitable for JavaScript-reliant services like YouTube.
- Firefox is more user-friendly and just as secure but requires some adjustments for enhanced privacy. Configure it to delete cookies upon browser closure and turn off auto-fill for credit card and address data.
In contrast, browsers like Google Chrome are best avoided. Chrome prioritizes data tracking for profit and often lacks privacy by default.
Choosing a Search Engine
When securing your online privacy, your choice of a search engine holds significant weight. Instead of conventional search engines that compromise privacy, we suggest exploring alternatives. DuckDuckGo, StartPage, and SearX are noteworthy options.
- DuckDuckGo has stringent privacy policies that avoid tracking or storing personal data.
- StartPage merges Google results with heightened privacy safeguards.
- SearX, an open-source metasearch engine, permits running a personal instance, granting complete control over search queries and data.
These alternatives put your privacy first, preserving the confidentiality of your online search activities.
Instant Messaging Service
When selecting an instant messaging (IMing) service, prioritize those employing end-to-end encryption. Avoid platforms lacking encryption, such as SMS, which is susceptible to interception by cell providers or hackers. A robust choice with encryption is Signal. It offers encrypted instant messaging and secure phone and video calls. However, Signal's centralization poses potential risks like backdoors or privacy-indifferent ownership changes. Alternatives include federated services like Element or Peer-to-Peer options like Briar and Jami, providing diverse approaches to safeguarding your privacy.
Implement a VPN
In an era where safeguarding online privacy and security is paramount, integrating a Virtual Private Network (VPN) becomes a pivotal stride in shielding your digital presence. A VPN establishes a secure, encrypted conduit between your device and the internet, ensuring that your online engagements remain confidential, impervious to prying eyes, encompassing hackers, ISPs, and government surveillance. With a VPN, you can explore the web incognito, access content limited by geographical boundaries, and fortify your data usage on public Wi-Fi networks. Whether your concerns orbit around online privacy or you aspire to bolster your cybersecurity, a VPN emerges as an indispensable tool, endowing you with heightened command over your digital traces and a tranquil demeanor within our interconnected realm. Discover how to forge your own VPN via this comprehensive Wiki.
Sources
- Anna Brading. "Amazon's Ring Cameras Were Used to Spy on Customers." Malwarebytes, June 1, 2023, www.malwarebytes.com/blog/news/2023/06/a....
- Hill, Kashmir, and Ryan Mac. "'Thousands of Dollars for Something I Didn't Do.'" The New York Times, March 31, 2023, www.nytimes.com/2023/03/31/technology/fa....
- Hill, Kashmir. "Another Arrest, and Jail Time, Due to a Bad Facial Recognition Match." The New York Times, December 29, 2020, www.nytimes.com/2020/12/29/technology/fa....
- Hunter, Meghan. "Fact or Fiction: Do Airlines Raise Your Ticket Price Based on Your Browser History?" Million Mile Secrets, April 9, 2021, millionmilesecrets.com/guides/are-airlin....
- "Medibank Mental Health Data Posted on Dark Web as Russian Hackers Vow to 'Keep Our Word.'" The Guardian, November 13, 2022, www.theguardian.com/australia-news/2022/....
- Stecklow, Steve, et al. "Special Report: Tesla Workers Shared Sensitive Images Recorded by Customer Cars." Reuters, April 6, 2023, www.reuters.com/technology/tesla-workers....
- Wodinsky, Shoshana. "Signal Tries to Run the Most Honest Facebook Ad Campaign Ever, Immediately Gets Banned." Gizmodo, May 4, 2021, gizmodo.com/signal-tried-to-run-the-most....
Additional Resources
- How to Create a Threat Model
- VPN Services and Creating Your Own Private VPN Server
- KeePassXC Official Website
- GNU Pass Official Web Page
- GNU IceCat Official Web Page
- Mozilla Firefox Website
- DuckDuckGo Official Website
- StartPage Official Website
- SearX Search Engine
- SearX Official GitHub
- Signal Official Website
- Element Official Website
- Briar Official Website
- Jami Official Website