Expand your mind, man. OpSec is really about time travel – take small, protective steps now before you have a disaster on your hands later. If you’re not on auto-delete, an explosive, emotional text exchange with the person you’re currently dating — or, ahem, the photos you sent each other — will last forever. It’s normal for things to change and for all types of relationships to come and go. You may trust someone and be close to them now but drift apart in a year or two.
If you imagine an even more serious scenario where the police are investigating you, they can get a warrant to search your digital accounts or devices. People who are trying to hide activity from law enforcement have to put in a lot of effort to maintain their OpSec. To be clear, this guide is definitely not encouraging you to commit crimes. Don’t commit crimes! The goal is simply to understand the value of keeping basic OpSec principles in mind, because if some of your digital information surfaces at random or out of context, it could, in theory, seem objectionable.
You probably understand much of this intuitively. (Don’t give your passwords to friends, duh.) So this guide will largely skip the obvious and emphasize the more subtle, unintended consequences of failing to practice good OpSec.
Memorable OpSec Fails
“Signalgate,” 2025: US officials discussed war plans in a group chat on the mainstream, secure messaging app Signal. Then one of them accidentally added a journalist to the chat. Subsequently, US Defense Secretary Pete Hegseth famously (embarrassingly) messaged the chat, “We are currently clear on OPSEC.” At least some members of the chat were likely using a modified, insecure version of Signal. Not everything is very clear on OpSec.
Gmail drafts exposed, 2012: Then-CIA Director David Petraeus and his lover shared a Gmail account to hide their communications, leaving them as draft messages for each other to view. Kind of simple, considering this was before most texting or messaging apps offered timed disappearing (ephemeral) messages, but the FBI figured out this tactic.
Identification
OpSec is all about segmentation, and that’s the hardest part. Failure to compartmentalize often results in criminals being caught or information that should be kept secret being exposed. Think of your online life like rooms in a house. Each room has a separate key. If someone breaks into a room, they can take over everything that’s in there, but you don’t want them to be able to get from that room into the others.
You can have multiple identities online and compartmentalize the activities of each, but maintaining separation requires foresight. The real you is the identity tied to your main Gmail or Apple ID, used for personal and family content and for social accounts under your real name, as well as for school and maybe work. Another compartment is your school email and school file storage. Then you have your more adaptable online personas, which can have semi-anonymous handles, like jnd03 for Jane Doe. Friends know these accounts are yours and classmates can probably guess them. Finally, there may be an alias: alternative accounts that have no obvious link to the real you, like Jane Doe using the handle “_aksdi0_0” or “Peter_Mayfield01”.
Rules of Separation
You have accounts under your real name, but you probably also need pseudonymous accounts. Strict segmentation will prevent people from scamming your pseudonymous accounts. But this is easier said than done.
Obviously, don’t recycle usernames across platforms. If JenD03 is your Instagram handle, don’t use it or a similar name for your anonymous Reddit account. Don’t reuse passwords, either, and especially not between real and pseudonymous accounts. To prevent a compromised pseudonymous account from revealing your name, don’t use your main email address; instead, use a unique, pseudonymous name. The Gmail “dot tricks” (jane.doe@, j.ane.doe@) don’t count, as they all reveal your main account just the same.
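A small self-audit for the rules above, as an added example that is not part of the original guide: it takes your own account inventory, grouped by compartment, and flags pairs in different compartments that land in the same Gmail mailbox or use near-identical handles. It goes slightly beyond the text by also folding Gmail +tags and googlemail.com into the same mailbox; the inventory, the 0.8 similarity threshold and all function names are assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Reduce an address to the mailbox it is actually delivered to."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after "+" in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def handle_key(handle):
    """Lowercase and drop punctuation so 'JenD03' and 'jen_d03' compare equal."""
    return "".join(c for c in handle.lower() if c.isalnum())

def similar(a, b, threshold=0.8):
    # threshold is an assumed cut-off; tune it against your own handles
    return SequenceMatcher(None, handle_key(a), handle_key(b)).ratio() >= threshold

def find_links(accounts):
    """Return (site_a, site_b, reason) for every pair that crosses compartments."""
    links = []
    for a, b in combinations(accounts, 2):
        if a["compartment"] == b["compartment"]:
            continue  # links inside one compartment are expected
        if canonical_email(a["email"]) == canonical_email(b["email"]):
            links.append((a["site"], b["site"], "same mailbox"))
        if similar(a["handle"], b["handle"]):
            links.append((a["site"], b["site"], "similar handle"))
    return links

# Constructed inventory: every site, handle and address here is made up.
ACCOUNTS = [
    {"site": "instagram", "compartment": "persona", "handle": "JenD03",
     "email": "jane.doe@gmail.com"},
    {"site": "reddit", "compartment": "alias", "handle": "jen_d03x",
     "email": "j.ane.doe+r@gmail.com"},
    {"site": "forum", "compartment": "alias", "handle": "Peter_Mayfield01",
     "email": "pm01@example.org"},
]

if __name__ == "__main__":
    for site_a, site_b, reason in find_links(ACCOUNTS):
        print(f"{site_a} <-> {site_b}: {reason}")
```

Keep the inventory itself somewhere private, since a single file listing every compartment is exactly the link the audit is meant to find.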