Staying in the darkness

Defining Levels of OPSEC to Your Identities

If you are compartmentalizing accounts, making multiple identities, and keeping them separated, you run into a few problems. One of which is remembering the OPSEC measures you’ve decided to employ for each account.

  • Political Dissident
    • Goal: Leak information about a local dirty politician
    • OPSEC: Work laptop but using a VPN service to access Twitter
    • Risks: Politician will come after you and your familiy
  • Human Body Part Trafficer
    • Goal: Buy and sell kidneys, livers, and various body parts to the highest bidder on the black market
    • OPSEC: Dedicated laptop running an anonymized OS. Do not access any other services besides the black market forum. Never gets on the Clearnet.
    • Risks: Law enforcement may find you and throw you in jail for a long time

In each of these examples you have completely different activities and completely different risks. The political dissident has decided she only needs to minimally protect herself as the local politician she’s messing with doesn’t have the means to figure out who would be leaking the information. The body part trafficer though knows that he is a target and has chosen to protect himself.

What happens when you scale even further: One identity runs a black market forum, one identity likes to chat with people on twitter, one identity hangs out in the Anon IRC channels. It’s easy to lose track of which identities are used for what and what kind of OPSEC measures you’ve chosen to use.

One solution to this is to categorize your identities into levels where each level has its own decided upon OPSEC measure. For instance:

  • Level 0 – No protections. You don’t care about privacy and are not concerned with other people attributing your online activities to yourself.
  • Level 1 – Minimal: You are concerned about privacy, but choose simple, minimalist tactics to protect yourself. For example, you are using a VPN service for everyday browsing, but being caught is inconsequential.
  • Level 2 – Medium: You are concerned with your privacy and take action to ensure that you are safe. It is likely that if someone finds out what you are doing, you’ll have to pay a price, but it is not a life-and-death situation. For example, journalists working with a source use the TAILS LiveCD.
  • Level 3 – High: Those users that are likely to be targeted, and likely to have heavy consequences if caught. They have done everything in their power to maintain their pseudonymity, but still try to lead some semblance of a personal life.
  • Level 4 – Extreme: These are reserved for those people doing high risk activities where the result of an adversary outing you is a matter of life and death. You’re prepared to forgo personal relationships, worldly goods, and just about anything to maintain your anonymity.

Knowing your likely threats, and defining your level of pseudonymity will help keep management of your OPSEC measures consistent. Something that recent arrests seem to have failed at.