惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
The Register - Security
The Register - Security
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The GitHub Blog
The GitHub Blog
博客园 - 司徒正美
罗磊的独立博客
U
Unit 42
S
SegmentFault 最新的问题
Y
Y Combinator Blog
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
J
Java Code Geeks
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
C
Check Point Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
V
Vulnerabilities – Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
S
Securelist
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Threatpost
Scott Helme
Scott Helme
博客园 - 聂微东
博客园 - 【当耐特】
T
Tenable Blog
I
Intezer
D
DataBreaches.Net
B
Blog RSS Feed
Security Latest
Security Latest
C
Cisco Blogs
T
Tor Project blog
N
Netflix TechBlog - Medium

Electronic Frontier Foundation

EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance EFFecting Change Site Banner 6.17.26 Victory! 702 has Expired! Yes to California's Bill to Ban Surveillance Pricing ‘News’ Site Keeps Hallucinating EFF Staffers LGBT Q&A: We’re Back With Season 2! Congress Just Rushed Through a Disastrous Copyright Office Overhaul The 702 Ultimatum: Warrant Requirement or Bust Enshittification Merch That Actually Fights Enshittification 🔊 Mass Surveillance for… Loud Music? | EFFector 38.11 How and Why to Fight Back Against Social Media Bans Tell Congress: Just Say No to NO FAKES VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry Cheers to the Winners of EFF’s 18th Annual Cyberlaw Trivia Night! EFFecting Change: If You Own It, Why Can't You Fix It? Internet Age-Gates Are a Growing Global Threat LGBT Q&A Season 1 Recap: Staying Safer Online EFF at TechCrunch Disrupt California’s AB 412 Still Demands Developers Do The Impossible Pulte Appointment Underscores Need to Reform Section 702 Spying EFF Testifies to Congress on Protecting Americans’ Rights from Government AI Move Fast, Surveil Things EFF at DEF CON 34 We're Fighting Mass Surveillance Tech—and Winning Welcome New EFF Executive Director Nicole Ozer One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating Barcelona Cybersecurity Congress Age Verification is a Privacy Nightmare More License Plate Reader Mission Creep: School Residency Verification, Background Checks, and Noise Complaints 🔒 A Win for Encrypted Messaging | EFFector 38.10 Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention! Your Privacy Shouldn't Be A Corporate Decision EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance We Updated Our Privacy Policy. Here's What Changed and Why. We Must Not Normalize Digital Surveillance Abuses. EFF’s New Guide Underlines Concrete Steps to Fight Back. EFF at Black Hat USA Help EFF Solve an Issue That's Bigger than Creepy Ads The Science is Not Settled: How Weak Evidence is Fueling a National Push to Ban Social Media for Youth Broken Promises: RIP Instagram’s End-to-End Encrypted DMs Victory! End-to-End Encrypted RCS Comes to Apple and Android Chats EFF Launches New Offline Campaign for Saudi Wikipedian Osama Khalid A Hackers Guide to Circumventing Internet Shutdowns Canada’s Bill C-22 Is a Repackaged Version of Last Year’s Surveillance Nightmare EFF to Fourth Circuit: Electronic Device Searches at the Border Require a Warrant EFFecting Change Site Banner 5.14.26 EFF Stands in Solidarity With RightsCon and the Global Digital Rights Community Congress Narrowed the GUARD Act, But Serious Problems Remain Free Signal Guide Milestone 1.0.0 Release of APK Downloader `apkeep` Powers Research on Android Apps 👎 California's Terrible, No Good, Very Bad Social Media Ban | EFFector 38.9 The SECURE Data Act is Not a Serious Piece of Privacy Legislation Offline: Osama Khalid EFF and 18 Organizations Urge UK Policymakers to Prioritize Addressing the Roots of Online Harm Shut Down Turnkey Totalitarianism EFF Submission to UK Consultation on Digital ID Getting Digital Fairness Right: EFF's Recommendations for the EU's Digital Fairness Act A Bridge to Somewhere: How to Link Your Mastodon, Bluesky, or Other Federated Accounts Utah’s New Law Targeting VPNs Goes Into Effect Next Week Open Records Laws Reveal ALPRs’ Sprawling Surveillance. Now States Want to Block What the Public Sees. Digital Hopes, Real Power: From Connection to Collective Action Aaron v. Bondi EFF Submission to UN Report on the Role of Media in the Context of Israel’s Policies Toward Palestinians Former EFF Activism Director's New Book, Transaction Denied, Explores What Happens When Financial Companies Act like Censors The Open Social Web Needs Section 230 to Survive The GUARD Act Isn’t Targeting Dangerous AI—It’s Blocking Everyday Internet Use Congress Must Reject New Insufficient 702 Reauthorization Bill The Internet Still Works: SmugMug Powers Online Photography Act Now to Stop California’s Paternalistic and Privacy-Destroying Social Media Ban EFF Challenges Secrecy In Eastern District of Texas Patent Case California Coastal Community Must Reject CBP's AI-Powered Surveillance Tower EFF to 9th Circuit (Again): App Stores Shouldn’t Be Liable for Processing Payments for User Content 📁 How ICE Got My Data | EFFector 38.8 EFF Sues DHS and ICE For Records on Subpoenas Seeking to Unmask Online Critics Bay Area Members' Speakeasy with WISP Copyright and DMCA Best Practices for Fediverse Operators Palantir Has a Human Rights Policy. Its ICE Work Tells a Different Story Keep Pushing: We Get 10 More Days to Reform Section 702 EFF at RightsCon Stop New York's Attack on 3D Printing How Push Notifications Can Betray Your Privacy (and What to Do About It) Google Broke Its Promise to Me. Now ICE Has My Data. EFF Calls on Kuwait to Release Journalist Ahmed Shihab-Eldin Digital Hopes, Real Power: The Rise of Network Shutdowns EFF to State AGs: Investigate Google's Broken Promise to Users Targeted by the Government The Dangers of California’s Legislation to Censor 3D Printing The Bay Agenda: Security for Journalists EFF 🤝 HOPE: Join Us This August! Hot Off the Press: EFF's Updated Guide to Tech at the US-Mexico Border War as a Pretext: Gulf States Are Tightening the Screws on Speech—Again Speaking Freely: Dr. Jean Linis-Dinco We Need You: Our Privacy Cannot Afford a Clean Extension of Section 702 Yikes, Encryption’s Y2K Moment is Coming Years Early Comparison Shopping Is Not a (Computer) Crime EFF is Leaving X Banning New Foreign Routers Mistargets Products to Fix Real Problem Another Court Rules Copyright Can’t Stop People From Reading and Speaking the Law 👁 Selling Mass Surveillance | EFFector 38.7 Digital Hopes, Real Power: How the Arab Spring Fueled a Global Surveillance Boom Privacy Index Workshop EU Parliament Blocks Mass-Scanning of Our Chats—What's Next?
Field Notes from a Year of OPSEC Training
Daly Barnett · 2026-06-19 · via Electronic Frontier Foundation

Late last year, as part of our annual “Year in Review” series, we summarized our efforts providing digital privacy and security advice to at-risk communities. OPSEC trainings (short for operational security, a catch-all term we use to describe any kind of workshop, advising session, assessment, or presentation about operational security for individuals and organization) are something we've long provided, but until recently, something we’ve never broadcasted.

This has become a critical aspect of our work over the years, keeping us grounded and in touch with the realities of tech-enabled violence as well as evolving resistance strategies used by movement workers. Hoping other security trainers and organizers copy our homework, here’s a more thorough breakdown.

NOT TRADITIONAL PENTESTING

To be clear, we're not a 'pentesting' company, which refers to the methodological process of testing a person or organization's security and privacy posture, nor an information security (infosec) firm that offers anything within scopes of traditional security assessments.  Infosec companies almost always adhere to a cycle of: discovery/reconnaissance; > vulnerability scanning and testing; > exploitation of vulnerabilities found; > and a reportback of recommended mitigation strategies. Such full-spectrum audits can run the gamut of testing network security, physical security, organization posture against phishing or ransomware attacks, web app security, and more. For many organizations, the value of such engagements is immeasurable.

Such companies—although equipped with the technical sophistication to do full-spectrum digital security auditing and testing—often lack the critical points of view of human rights defenders and activists. Many human rights defenders and liberation movement workers are critically under-resourced and unable to meet the high costs of engagement with such infosec companies.  But that’s not what we offer. Our trainings center the needs of people on the ground, and offer this work pro bono. 

The cycle of engagement our work tends to take is similar to the lifecycle of pentesting outlined above, but with some key differences better suited to people-powered movements. 

We begin with a period of discovery about the organization we’re engaging with, learning about their work, the issue space they’re working in, and the types of threats their peers have faced in the past. Relying on our knowledge of known threat actors (state-operated threats, non-state actors, surveillance mechanisms, and more), we conduct a thorough threat modeling and risk assessment exercise, surfacing critical pieces of information about what we ought to prioritize protecting and from what. Sometimes that’s enough for a group to get started on improving their security plans, and we send them on their way.

After receiving consent from the group to do so, we may perform some OSINT (open source intelligence) investigation and map out a sketch of their digital footprint. This often looks like some combination of discoverability through public records, data broker ecosystems, and breach databases, as well as risks they may incur through the services they rely on for their web presence. That latter part can be done with typical pentesting reconnaissance tools, as well as our own project Privacy Badger for mapping the trackers on their website, which pose them and their users some amount of risk. Working from this sketch of their digital footprint, opportunities to lessen the reach of their data exposure, or at least the more sensitive areas they ought to be aware of, become apparent.

For a more in-depth engagement, we take the information gathered from the guided threat modeling exercises, as well as the digital footprint we’ve developed for them, and we move on to training the participants on what they need to address their threats. Sometimes that looks like a deep dive on encryption and how it can be used to protect data backups and secure communications. Other times it looks like getting very knowledgeable and practiced on the various ways to stay safe from surveillance threats encountered at a protest. Often though, our engagement with those asking for advice on how to strengthen their OPSEC is as simple as presenting materials covered in our Surveillance Self-Defense (SSD) project, but with EFF staff to help apply those lessons to their context.

MOVEMENTS AND COMMUNITIES ADVISED

Requests for such training mostly arise organically, either via referral, from our participation in external media, or driven by an interest in SSD. Naturally, the demand for accessible OPSEC advice escalates along with the general sophistication and reach of surveillance technology. And as authoritarianism creeps and continues to threaten the movement workers fighting against it, there's a marked urgency for that demand.

The types of communities and liberation movement workers that reach out run a wide array of experiences, but some commonalities stick out. Since the fall of Roe v. Wade, we've seen a huge uptick in abortion access activists like clinic escorts and information distribution networks reaching out. So too are providers of criminalized healthcare services, both abortion services and gender affirming care alike. The list goes on: advocates for transgender rights such as art collectives and archivists, sex worker rights activists, survivors of intimate partner violence, climate justice activists, legal defense groups focusing on immigrant justice and Black liberation. And many, many others, often stemming from experiences of distinct marginalization and state-powered violence.

We’re dressing the wounds the violence of surveillance inflicts.

TAXONOMY OF THREATS

When there's a cast of common threat actors that so often emerge during risk assessment (ideologically motivated harassers, lawmakers, cops, negligent leadership at large tech platforms, etc) there is a level of predictability about their capabilities. We use that information to make knowledgeable risk assessments for those we’re working with, determining the means that threat actors have to cause them harm, as well as the likelihood.

For community organizers and grassroots activists we most often see concerns around doxxing (and harassment driven by OSINT), social media monitoring, content suppression on tech platforms, and insider threats such as infiltration within trusted communication channels. Often this comes with a tension between publicity and privacy—needing to spread their message and further their cause, while recognizing that digital privacy has a profound impact on their personal safety. Some activists may instead hope to organize other more covert forms of direct action. They're more likely to be concerned about the types of street level surveillance that they may encounter.

Small organizations nonprofit and otherwise may share the concerns around doxxing, as well as traditional digital security concerns around their web presence. Website defacement and data exfiltration are particular concerns for organizations that don't have the resources to commit to IT security staff. And for those that do have meager budgets for such things, organizational compliance and ease-of-use regarding privacy and security technologies are a whole other concern. The question then becomes how to manage a system of distributed devices that are uncontrolled by the organization, but operationally necessary for each member of their community. 

Generally speaking, the threats most commonly encountered in these spaces have to do with the opacity and unchecked reach of surveillance systems. With every single individual or group that we encounter in this type of work, threat modeling comes number one in terms of priority. There is no way to protect against every theoretical threat. Instead, we walk others through the process of identifying and then prioritizing known and perceived threats, based on their specific context and the type of work that they do, before moving on to recommended mitigation and resistance strategies. 

STRATEGIES OF RESISTANCE

Developing a threat model without a course of action often does more to stoke privacy nihilism than remedy the risks communities face. The more we engage with at-risk communities and offer reasonable, accessible OPSEC advice, the greater our instinct develops for recognizing such strategies. At the core of these recommendations lie the backbones of privacy and security fundamentals, such as encryption, access controls, sophisticated backup plans, OSINT skills, and resistance to online tracking.

Over the years, we've found it easiest to begin with non-technical recommendations first. These strategies often mesh well with the community's extant organizing procedures, such as designating team roles and thought out contingency plans for specific risks. This may look like identifying those extant plans and tacking on responsibilities like data backups, code words for community vetting, and developing workarounds or contingency plans for if they lose access to specific technologies. 

Eventually, though, the strategies must become more technical, like switching to more private and secure technology alternatives, developing a sophisticated and encrypted data backup plan, and having technical contingency plans in place for if/when they are deplatformed or their services interrupted. Developing patience and compassion when walking groups through unfamiliar technologies is an essential tool of this work. So too is the habit of checking ourselves, as privacy and security nerds, to know the difference between the most secure technologies and those which will actually be used by at-risk community members. Any step towards more thoughtful OPSEC is better than one too difficult to use. The last thing we want is a recommendation that results in people frustratedly giving up on doing anything at all. After all, the whole point of this is to empower movement workers, not inhibit them.

HOLISTIC MITIGATIONS

It is painfully obvious how many identified threats could be protected against if there were comprehensive data privacy legislation protecting all people. The lack of such is an existential threat to everyone. Bills that undermine peoples' right to privacy are never clear about what they're doing, and often come wrapped in some paternalistic guise of addressing some other harm elsewhere. They often use confusing, oblique language that preys on the public's interest to correct the course of other social harms. The reality is that when it’s clearly explained, every person online wants better privacy. And as we know, every individual's personal security and wellbeing are entwined with their access to privacy. The capacity with which a person can decide what to share online, rather than have sensitive information non-consensually taken from them by creepy surveillance technologies, is a matter of self-determination. And it's in all our best interests to fight for the right to self-determination.

WHAT WE GET BACK

An unexpected outcome of identifying so many common threat actors across such varied issue spaces is revealing potential avenues of collaboration and camaraderie. Some movements are already keen on this allyship, such as those focusing on various aspects of bodily autonomy and self-determination. Abortion access activists and trans liberation activists are often in concerted allyship. Other less obvious connections are legal defense groups that offer "know-your-rights" style educational materials and other issue-specific activists who have questions about the legal threats they're facing while fighting for their cause. 

Recognizing the common threat actors across different issue spaces begins to highlight opportunities for collective action against those threats. As a digital rights organization, this is very much our wheelhouse, and precisely why our technologist team is self-described as one working toward the public interest. It’s also from this point of view that we continue to win. And why it’s critical for lawmakers to pay attention when we say particular pieces of bad legislation are harmful to public safety. And finally, why it is necessary for public interest technologists and digital rights activists to connect with other communities to learn about the specific technology risks they’re worried about. As Mariame Kaba says, “Nothing that we do that is worthwhile is done alone.” This very blog post is in an effort to provoke thought for digital security trainers, so that we as a community don’t work atomized and alone, reproducing the same work, exhausting ourselves and creating unnecessary redundancy.

We do what we can to keep up. And thankfully, we participate within an ecosystem of digital security providers that have a keen mind towards fighting for digital rights. We share resources, referrals, and expertise. Our Surveillance Self-Defense project is stress-tested by the experiences shared by the liberation movement workers we engage with and provide this work to. If you’re interested in becoming a digital security resource for your community, start with the SSD. If you’re a human rights defender with questions about how to stay safe, reach out. And if you’re not sure what else to do, you can always help us keep it going.