Expand your mind, man. Opsec is really all about time travel—taking small, protective steps now before you have a disaster on your hands later. If you’re not on auto-delete, then an explosive, emotional text exchange with the person you’re currently dating—or, ahem, photos you sent to each other—will hang around forever. It’s normal for things to change and for relationships of all types to come and go. You may trust someone and be close to them now but grow apart in a year or two.
If you imagine an even more extreme scenario where you’re being investigated by the police, they could obtain warrants to search your digital accounts or devices. People have to go to great lengths to maintain their opsec if they’re trying to hide activity from law enforcement. To be clear, this guide is definitely not encouraging you to do crimes. Don’t do crimes! The goal is just to understand the value of keeping basic opsec principles in mind, because if some of your digital information is revealed haphazardly or out of context, it could, theoretically, appear incriminating.
You probably intuitively understand a lot of this. (Don’t give your password to friends, duh.) So this guide is going to largely skip the obvious and emphasize more subtle, unintended consequences of failing to practice good opsec.
Memorable Opsec Fails
“Signalgate,” 2025: US officials discussed war plans in a group chat on the mainstream, secure messaging app Signal. Then they accidentally added a journalist to the chat. Subsequently, US defense secretary Pete Hegseth famously (embarrassingly) messaged the chat, “we are currently clean on OPSEC.” At least some members of the chat were also potentially using a modified, insecure version of Signal. All extremely not clean on opsec.
Gmail Drafts Exposed, 2012: Then-CIA director David Petraeus and his paramour shared a Gmail account to hide their communications by leaving them for each other to see as draft messages. Kind of ingenious given that this was before most texting or messaging apps offered timed disappearing/ephemeral messages, but the FBI figured out the strategy.
Identities
Opsec is all about compartmentalizing, and that’s the hardest part. Failure to compartmentalize is often how criminals get caught or how information that was meant to stay secret gets exposed. Think of your online life like rooms in a house. Each room has a separate key. If someone breaks into one room, they can grab everything there, but you don’t want them to be able to run wild beyond that room.
You can have multiple identities online and compartmentalize the activities of each, but it takes forethought to maintain the separation. There’s the real you who uses your main Gmail or Apple ID for personal and family stuff and social accounts where you use your real name, plus school and maybe work. Another compartment is your school email and school file storage. Then there are your more adaptable online personas, which may have semi-anonymous handles, like jnd03 for Jane Doe. Friends know that these accounts are yours and classmates can probably guess them. Finally, there may be a pseudonymous you: alt accounts with no obvious link to real you—like Jane Doe using the handles “_aksdi0_0” or “peter_mayfield01.”
Rules of Separation
You have accounts under your real name, but you probably also need pseudonymous accounts. Tight compartmentalization will prevent people from doxing your pseudonymous accounts. But that’s easier said than done.
Obviously, don’t recycle usernames across platforms. If JaneD03 is your Instagram handle, don’t use it or a similar name for your anonymous Reddit account. Don’t even reuse passwords—but especially don’t reuse passwords between real and pseudonymous accounts. To prevent a compromised pseudonymous account from revealing your name, don’t use your main email address; instead, use a unique, pseudonymous one. Gmail “dot tricks” (jane.doe@, j.ane.doe@) don’t count, because they all equally reveal your master account.
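To check your own accounts against these rules, here is a small self-audit script. It is an added example, not part of the original guide. The account inventory and the aksdi00@example.org address are constructed, and the check goes slightly beyond the text by also collapsing Gmail "+tag" variants, which reach the same mailbox as the dot variants.

```python
import re
from itertools import combinations

# Constructed inventory: (compartment, handle, signup email). All values are made up.
ACCOUNTS = [
    ("real", "JaneD03", "jane.doe@gmail.com"),
    ("pseudonymous", "janed_03", "j.ane.doe@gmail.com"),
    ("pseudonymous", "_aksdi0_0", "aksdi00@example.org"),
]

def canonical_email(addr):
    """Collapse Gmail dot and +tag variants to the one mailbox they deliver to."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def handle_key(handle):
    """Keep only lowercase letters and digits so case or punctuation changes
    do not hide a recycled handle (a deliberately narrow notion of 'similar')."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())

def find_links(accounts):
    """Return (handle_a, handle_b, reason) for every pair of accounts in
    different compartments that share a mailbox or a recycled handle."""
    links = []
    for (c1, h1, e1), (c2, h2, e2) in combinations(accounts, 2):
        if c1 == c2:
            continue  # links inside one compartment do not break separation
        if canonical_email(e1) == canonical_email(e2):
            links.append((h1, h2, "same mailbox"))
        if handle_key(h1) == handle_key(h2):
            links.append((h1, h2, "similar handle"))
    return links

if __name__ == "__main__":
    for a, b, reason in find_links(ACCOUNTS):
        print(f"{a} <-> {b}: {reason}")
```

An empty result only means these two identifiers do not tie the compartments together; password reuse still has to be checked separately.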