Operations Security

Operations Security (OPSEC) refers to an ongoing process of safeguarding information and preventing adversaries from identifying and/or exploiting vulnerabilities. OPSEC isn’t easily expressed as a simple set of rules. Instead, its practical implementation largely depends on developing a way of thinking about security (and privacy) and always being careful to protect sensitive information. In this lesson, we’re going to look at OPSEC from a consumer privacy perspective.

The Military Definition

The United States Defense Counterintelligence and Security Agency defines Operations Security as “[a]n analytic process used to deny an adversary information, generally unclassified, concerning intentions and capabilities by identifying planning processes or operations.”1 In a military situation, the adversary can use so-called Open-Source Intelligence (OSINT) to glean information that can allow them to predict upcoming movements or infer other strategically useful information. For example, during the Russian invasion of Ukraine in 2022, a Russian soldier posted geotagged photos and videos of his unit at the Grand Prix country club in Ukraine. The Ukrainians found these posts on Russian social media and destroyed that particular target.2

In order to minimize the production of OSINT, the U.S. military has been requiring troops deploying into hostile areas to leave their personal electronic devices at home.3 However, there are other ways that OPSEC can be compromised even without the temptation to post to social media. A common technique observed in both the military and in the information technology industry is a social engineering attack, in which an adversary identifies and contacts a victim with the objective of obtaining information that seems innocuous on its own. Adversaries might pretend to be someone with a legitimate need to access that information, or they might bribe someone in the organization to provide it. Alternatively, they might engineer ways to deploy malware into the organization’s system.4 Each small piece of information the adversary can obtain is an indicator, or a clue that the adversary can use to deduce information about the “bigger picture.”1

Case Study: Ross Ulbricht

Militaries are understandably guarded about providing details of either their own OPSEC failures or their sources of OSINT about their adversaries. However, there have been court cases involving criminal operators that can be instructive as to the consequences of poor OPSEC. Court cases typically have public records that make academic analysis of the failure sequence more accessible. One oft-cited canonical example of such a case is that of Ross Ulbricht, who was serving two life sentences for drug trafficking and money laundering until he was pardoned by Donald Trump in 2025.5

Ulbricht ran a dark web hidden marketplace called Silk Road, operating under the pseudonym Dread Pirate Roberts. Silk Road traded in numerous illegal goods, most notably narcotics, and was thus the subject of an FBI investigation.5 The Silk Road was not selective about the kinds of narcotics it carried, nor did it know (or even want to know) much about its customers, leading to the deaths of several people who purchased and used the drugs. These deaths led to Ulbricht’s lengthy prison sentence, which was intended to have a deterrent effect on other dark web marketplace operators.6

Bad OPSEC directly led to Ulbricht’s arrest and subsequent conviction. An Internal Revenue Service tax investigator working with the Drug Enforcement Administration located a forum post by a user with the screen name ‘altoid’ advertising the Silk Road marketplace. In a quoted reply by another user, the person with this same screen name asked a programming question and provided his email address, which itself contained his real first and last name. In an unrelated Department of Homeland Security investigation, agents showed up at Ulbricht’s house after he allegedly ordered fake IDs from Canada. Working together, the agents realized that the Silk Road had been accessed from a cafe close to Ulbricht’s home address. Based on a combination of OSINT and this field intelligence, the FBI placed Ulbricht under surveillance and was able to establish that ‘Dread Pirate Roberts’ logged into Silk Road shortly after Ulbricht went online from his apartment.7

Acting on their hunch, the FBI staged a lovers’ quarrel in a public library where Ulbricht was using his laptop. With Ulbricht distracted, agents physically seized the laptop and immediately performed a forensic triage. On the desktop of the Ubuntu Linux operating system Ulbricht was using, the agent was able to photograph evidence showing that Ulbricht was logged into both the Silk Road and a chat application that ‘Dread Pirate Roberts’ (operating with a second pseudonym ‘Frosty’) was using to communicate with another agent who had infiltrated the marketplace and was posing as an assistant system administrator to Ulbricht.8 Ulbricht was therefore caught and arrested in no small part due to one instance of poor OPSEC in an Internet forum. Ironically, two of the federal agents working on the case – Carl M. Force IV and Shaun W. Bridges – also used poor OPSEC (and judgment) when they stole Bitcoin recovered from the Silk Road case and tried to profit from it. They also received government-funded “vacations” and had not been pardoned by President Trump as of the time of this writing.9

OPSEC Applied to Privacy

While I’m certainly not advocating that anyone invade a foreign country or run an underground marketplace trading in illicit goods and services, the OPSEC failures of both the Russian soldier and Ross Ulbricht are instructive examples of how information that becomes readily available on the Internet can be used in unintended ways. Seemingly innocuous activities that most Americans likely do on a daily basis can build a trail of OSINT that can later be used or misused. We’ll go into more detail in the next lesson, but companies, governments, and even private individuals can find ways to obtain much of this information and use it in ways that may be harmful.

The same OPSEC principles that the military would like its servicemembers to follow are also good practices for improving personal privacy. For example, posting any kind of information on social media produces artifacts that can later be used as indicators to develop inferences about a person. Similarly, online (and even real life) behaviors can provide additional indicators. Inferences drawn from these indicators are the very bedrock of an entire segment of the economy since they form the basis of targeted marketing.10

Perhaps the best way to improve OPSEC in terms of privacy is to use anti-forensic techniques to minimize the amount of OSINT that you create in the first place. Carefully consider each product and service that you choose to use, avoid sharing anything on social media, and generally make it more difficult for someone to find out information about you through online searches. Theoretically, this type of approach should be a solid way to regain and maintain privacy. In practice, however, OPSEC in the privacy space has been made intentionally difficult by the companies that desire to collect and profit from personal data, as we’ll see in the rest of this course.

Notes and References


  1. Center for Development of Security Excellence. “OPSEC Glossary.” 

  2. Jeff Schogol. “Russian soldier gave away his position with geotagged social media posts.” Task & Purpose. January 3, 2023. 

  3. Catalin Cimpanu. “US troops deploying to the Middle East told to leave personal devices at home.” ZDNET. January 13, 2020. 

  4. Imperva. “Social Engineering.” 

  5. Christal Hayes. “Trump pardons Silk Road dark web market creator Ross Ulbricht.” BBC. January 22, 2025. 

  6. Sam Thielman. “Silk Road operator Ross Ulbricht sentenced to life in prison.” The Guardian. May 29, 2015. 

  7. Nathaniel Popper. “The Unsung Tax Agent Who Put a Face on the Silk Road.” The New York Times. December 25, 2015. 

  8. “United States of America v. Ross William Ulbricht.” Trial transcript 14 Cr. 68. January 21, 2015. 

  9. United States Department of Justice. “Former Secret Service Agent Sentenced in Scheme Related to Silk Road Investigation.” November 7, 2017. 

  10. Barbara Loken. “Consumer Psychology: Categorization, Inferences, Affect, and Persuasion.” Annual Review of Psychology 57: 453-485. 2006.