OpSec Checklist — High-Risk Users

For journalists, activists, researchers, and whistleblowers. Three tiers: start at Baseline and work up.

Baseline: Everyone should do this
Intermediate: Elevated exposure
Advanced: Active threat actors
Baseline protections for anyone with public exposure or sensitive sources. These take under an hour to set up and protect against the most common attacks.
Use Signal for all sensitive communications
Protects against: message interception, operator data requests, device seizure (disappearing messages)
Tool: Signal (signal.org) — free, open-source. Enable disappearing messages for all sensitive conversations.
Enable full-device encryption on phone and laptop
Protects against: physical device seizure, border searches, theft
iOS: Enabled by default with a strong passcode. Android: Settings > Security > Encryption. Mac: System Settings > Privacy & Security > FileVault. Windows: Settings > Privacy > Device Encryption.
Use a password manager with unique passwords on every account
Protects against: credential stuffing, account takeover via reused passwords
Tools: Bitwarden (open-source, free) or 1Password. Generate a unique 20+ character password for every account.
Enable hardware-key or app-based 2FA on all critical accounts
Protects against: SIM swap attacks, phishing, account takeover
Avoid SMS 2FA — SIM swaps bypass it. Use an authenticator app (Aegis on Android, Raivo on iOS) or a hardware key (YubiKey).
Audit and remove unused app permissions
Protects against: passive location tracking, ambient microphone access
iOS: Settings > Privacy & Security — review each permission category. Android: Settings > Privacy > Permission Manager. Remove location, microphone, and camera from apps that don't need them.
Strip metadata from files and photos before sharing
Protects against: location disclosure, device fingerprinting, source identification via metadata
Tools: ExifTool (command line), MAT2 (Linux/Mac), Metapho (iOS), Scrambled EXIF (Android). Run all documents through a metadata stripper before sending to sources or editors.
Intermediate: for users who face targeted surveillance, active monitoring by institutions, or who handle sensitive sources regularly.
Use a reputable no-log VPN for all internet activity
Protects against: ISP-level traffic monitoring, network-level surveillance, IP exposure
Selection criteria: No-logs policy (independently audited), jurisdiction outside 14-Eyes, open-source client. Mullvad VPN meets all three criteria. Avoid free VPNs — they typically sell traffic data.
Use SecureDrop or OnionShare for receiving documents
Protects against: source identification, document interception, email metadata exposure
SecureDrop: Used by major newsrooms. Sources submit documents anonymously via Tor. OnionShare: Simpler setup for one-time transfers. Never receive sensitive documents via email.
Use Proton Mail or Tutanota for email — not Gmail or Outlook
Protects against: email provider data requests, content scanning, metadata exposure
Proton Mail (Switzerland jurisdiction) and Tutanota (Germany) offer end-to-end encryption. Note: encryption only applies between users of the same service — standard email is not encrypted.
Prepare a clean travel device for high-risk border crossings
Protects against: device search at borders, forensic extraction of contacts and communications
Practice: A separate device with no source communications, no sensitive documents, and no stored credentials. Real accounts accessible only via web after crossing. Wipe travel device before return journey.
Check devices for stalkerware and spyware periodically
Protects against: Pegasus-type commercial spyware, intimate partner surveillance, institutional monitoring
iVerify (iOS) for Pegasus indicators. MVT (Mobile Verification Toolkit) for forensic analysis. Amnesty International's Security Lab offers threat assessment for high-risk individuals. Consider a device refresh annually.
Document and report coordinated harassment campaigns immediately
Protects against: escalating harassment, legal risk from false claims, platform account suspension
Tools: Hunchly or Bellingcat's online investigation tools for documentation. Report to the Coalition Against Online Violence, Committee to Protect Journalists (CPJ), or Access Now's Digital Security Helpline.
Advanced: for users facing active state-sponsored or organised threat actors. These measures require technical effort and lifestyle adjustment.
Use Tails OS for the most sensitive work
Protects against: persistent malware, forensic recovery of deleted files, local device compromise
Tails is a live operating system that runs from a USB drive, leaves no trace, and routes all traffic through Tor. Appropriate for document handling and communications when the device may be compromised. tails.boum.org
Use Tor Browser for sensitive research and source contact
Protects against: traffic analysis, IP-based location tracking, ISP monitoring
Tor Browser routes traffic through 3 relays. Limitations: slow, blocks some sites. Do not log into personal accounts inside Tor — this defeats the anonymity. Use for research, SecureDrop access, and initial source contact only.
Use an air-gapped device for the most sensitive materials
Protects against: network-based exfiltration, remote access attacks, cloud sync exposure
Air-gapped device: A computer that has never connected to any network and never will. Data transfer only via encrypted USB. Used for the most sensitive documents, source lists, and key material. No Bluetooth, no Wi-Fi, and cameras covered with tape: all are necessary.
Apply physical security at border crossings
Protects against: coerced device unlocking, forensic extraction, physical seizure
Protocol: Travel with a clean device. Know your rights before crossing (they vary by country). Legal contact number memorised or on paper, not on the phone. Refuse biometric unlock — use a strong PIN. Contact CPJ, RSF, or EFF if devices are seized.
Compartmentalise identities across different devices and accounts
Protects against: cross-identity correlation, single-point account compromise exposing all activity
Practice: Separate devices for personal, professional, and sensitive work. No cross-login between identities. Separate email addresses, SIM cards, and browsers per identity. Never use personal accounts for activist or source-facing work.
Establish a digital will and emergency communication plan
Protects against: loss of access to critical materials through detention, injury, or death; source protection failure after capture
Steps: A trusted contact knows how to reach your legal team. Sensitive materials are encrypted and held by a trusted third party (not stored locally). Account recovery options held by editor or trusted colleague. Review annually.