This guide previously recommended Signal and ProtonMail. These recommendations have been removed due to known security concerns:
Signal: Requires phone number registration, metadata retention concerns, has complied with legal requests
ProtonMail: Logs IP addresses, complies with legal requests, has handed over user data to authorities
These tools may not be appropriate for high-risk threat models. Users facing serious adversarial threats should research additional options and understand the limitations of any communication tool.
Original publication: 2026-03-27 Correction added: 2026-03-27 Reason: Accuracy and user safety
OPSEC Tutorial #2: Encrypted Communication Tools
Encryption is essential for operational security. However, not all encrypted tools provide the same level of privacy protection. Below are communication tools that offer stronger privacy guarantees for various threat models.
Truly Private Messaging Options
1. Session
Why it’s more secure:
No phone number required — Uses randomly generated Session IDs
Onion-routed messages — Traffic routed through Oxen Service Node network (similar to Tor)
Decentralized — No central server to compromise or subpoena
Metadata-free — No access to contact lists, group memberships, or message timestamps
Limitations:
Slower message delivery due to onion routing
Smaller user base than mainstream apps
Requires trust in Oxen Service Node operators (mitigated by routing through multiple nodes)
Threat model: Protects against network surveillance, metadata collection, and service provider compromise. Suitable for journalists, activists, and users facing state-level adversaries.
Install and create a new Session ID (no personal info required)
Share your Session ID with contacts (it’s a long string — use QR codes for convenience)
Enable disappearing messages for sensitive conversations
Consider using over Tor for additional protection
2. SimpleX Chat
Why it’s more secure:
No user IDs whatsoever — Not even random IDs; uses one-time connection addresses
Metadata-free by design — No way to link users or conversations
Decentralized — Uses relay servers that cannot see message content or metadata
Bidirectional queues — Sender and receiver use different addresses
Limitations:
Very small user base
Less polished UI than mainstream apps
Requires both parties to be online for initial connection (though messages can be queued)
Threat model: Strongest protection against metadata analysis. Suitable for high-risk users who need to hide not just content but the fact that communication is happening.
Setup:
Download from simplex.chat (F-Droid or GitHub releases)
Create a profile (no username required)
Generate connection invitations via QR code or link
Share invitations through a trusted channel
Enable end-to-end encryption (default)
3. Briar
Why it’s more secure:
P2P over Tor — Direct connections between devices, no central servers
Works offline — Syncs via Bluetooth or WiFi when internet is unavailable
No phone number or email — Anonymous by default
Open source and audited — Code is publicly reviewable
Limitations:
Both parties must be online simultaneously for most features
Higher battery usage due to Tor and P2P networking
Android only (no iOS version)
Slower message delivery
Threat model: Excellent for local adversaries, internet blackouts, and scenarios where central infrastructure cannot be trusted. Ideal for field operations and protest coordination.
Add contacts via QR code, Bluetooth, or Tor onion address
Enable “Briar over Tor” for remote contacts
Use forums and private messaging as needed
4. Matrix (with Element)
Why it’s more secure:
Self-hostable — Run your own homeserver for full control
End-to-end encryption — Olm/Megolm protocol for private conversations
Federated — Not dependent on a single provider
Open standard — Multiple client implementations available
Limitations:
Metadata is NOT hidden — Server admins can see who talks to whom and when
Requires proper server configuration for maximum security
Default public servers (matrix.org) are not suitable for high-risk users
More complex setup than consumer apps
Threat model: Good for users who can self-host or trust their server operator. Protects message content but not metadata. Suitable for organizational use with controlled infrastructure.
Setup (self-hosted for maximum security):
Set up a Synapse or Dendrite homeserver on your own infrastructure
I need to address something important about this guide.
What Happened:
When I published this tutorial, I recommended Signal and ProtonMail as secure communication tools. This was an error in judgment, and I want to be transparent about why that was wrong.
Why It Matters:
OPSEC guidance is only valuable if it’s accurate. Recommending tools that have known security issues or that comply with data requests gives people false security — and false security can get people hurt. That’s on me, and I take full responsibility.
What We Did:
Added a prominent correction notice at the top of this guide (dated today)
Removed Signal and ProtonMail recommendations
Replaced with truly private alternatives (Session, SimpleX, Briar, Matrix/Element)
Updated the offline library bundle with corrected information
Our Commitment Going Forward:
Verify before recommending — All security tools will be cross-referenced with current security research, audits, and incident reports
Document limitations — No tool is perfect; we’ll be honest about what each one does and doesn’t protect against
Match threat models — What works for casual privacy ≠ what works for high-risk situations
Update immediately — When we learn something is compromised, we correct it publicly and promptly
Thank You:
This correction happened because someone caught the error and spoke up. That’s exactly how community safety should work — we look out for each other. If you ever see something questionable in our content, please call it out. We’d rather be corrected than cause harm.
OPSEC Tutorial #3: Encrypted Communication Tools - Signal & ProtonMail
Difficulty: Beginner-Intermediate Time to Complete: 30-40 minutes
Overview
Secure communication is essential for protecting your privacy. This tutorial covers Signal (messaging) and ProtonMail (email) setup and best practices.
SIGNAL MESSENGER
Why Signal:
End-to-end encrypted by default
Open source (code is auditable)
No metadata retention
Non-profit organization
Requires phone number (privacy tradeoff)
Setup Steps:
Download from official signal.org (not app store links)
Time to Complete: 30-40 minutes—### OverviewOPSEC is not just tools and techniques - it’s a mindset. This tutorial covers developing situational awareness, building secure habits, and maintaining operational security in daily life.—### THE OPSEC MINDSETCore Principles:1. Trust But Verify - Verify information, sources, and contacts2. Need to Know - Share information only with those who need it3. Least Privilege - Give minimum access necessary4. Defense in Depth - Multiple layers of security5. Assume Compromise - Plan for when (not if) security failsThinking Like an Adversary:- What information would be valuable?- Where are the weak points?- How would I attack this system?- What patterns would I exploit?—### SITUATIONAL AWARENESSCooper Color Code:| State | Awareness | Response ||-------|-----------|----------|| White | Unaware, distracted | Vulnerable || Yellow | Relaxed alertness | Optimal || Orange | Specific concern | Ready to act || Red | Active threat | Fighting/fleeing || Black | Overwhelmed, frozen | Dangerous |Stay in Yellow:- Scan your environment regularly- Notice exits, people, vehicles- Don’t fixate on phone while walking- Trust your instincts (gut feelings)Daily Practice:- When entering a room, note exits- When parking, note surrounding cars- When walking, observe who’s around- When online, question what you see—### INFORMATION DISCIPLINEWhat NOT to Share:- Travel plans before/during trip (post after)- Daily routines and schedules- Home address and neighborhood details- Workplace specifics and schedules- Children’s school names and schedules- Financial information and purchases- Security systems and preparationsSocial Media Guidelines:- Review privacy settings quarterly- Assume everything is public forever- Don’t post in real-time from events- Remove metadata from photos before posting- Consider separate accounts for different purposes- Regularly audit friend/follower listsConversation Security:- Be aware of who can overhear- Don’t discuss sensitive topics in public- Phone calls travel further than you think- Elevators, restaurants, planes = public spaces—### PATTERN DISRUPTIONWhy Patterns Matter:- Predictability enables surveillance- Routines make you an easy target- Patterns reveal valuable informationVary These Regularly:- Routes to work/store- Times you leave home- Restaurants and shops visited- Exercise routines- Social media posting times- Online browsing habitsPractical Implementation:- Have 3+ routes to common destinations- Leave at different times when possible- Try different stores/restaurants- Avoid posting at same time daily- Take different paths while walking dog—### DIGITAL HYGIENE HABITSDaily:- Lock devices when stepping away- Check for software updates- Review app permissions monthly- Clear browser data regularlyWeekly:- Review bank/credit statements- Check login activity on key accounts- Update password manager entries- Scan for malwareMonthly:- Audit social media privacy- Review security camera footage- Check credit reports- Update emergency contactsQuarterly:- Practice emergency procedures- Review and update emergency kits- Conduct personal security assessment- Training/skill development—### PHYSICAL SECURITY HABITSHome:- Lock doors and windows (always)- Use curtains/blinds at night- Don’t advertise when away- Know your neighbors- Secure trash (contains personal info)When Leaving:- Lock all entry points- Use timers on lights- Don’t post about being away- Have someone collect mail/packages- Consider security system monitoringWhen Returning:- Check for signs of entry before entering- Have keys ready before reaching door- Be aware of who’s around- Trust instincts about unsafe situations—### COMMUNICATION SECURITYSecure Communication Hierarchy:1. In person (most secure, no digital trail)2. Signal/Session (encrypted messaging)3. ProtonMail (encrypted email)4. Standard email (not secure)5. SMS/Phone calls (least secure)Communication Guidelines:- Sensitive topics = encrypted channels only- Don’t discuss security over insecure channels- Use code words for sensitive topics if needed- Assume all digital communication is monitored- Verify identity before sharing sensitive info—### EMERGENCY PREPAREDNESS MINDSETBefore Emergency:- Have plans for different scenarios- Practice procedures regularly- Maintain supplies and equipment- Train family members- Establish communication protocolsDuring Emergency:- Stick to established plans- Communicate through pre-arranged channels- Maintain security even in chaos- Document important events- Help trusted network membersAfter Emergency:- Debrief what worked/didn’t- Update plans based on lessons- Replenish used supplies- Check on network members- Return to normal security posture—### RED FLAGS & WARNING SIGNSDigital:- Unusual account activity- Password reset emails you didn’t request- Friends receiving spam from your accounts- Unknown devices logged into your accounts- Increased targeted advertisingPhysical:- Same people/vehicles seen repeatedly- Signs of entry when returning home- Items moved from where you left them- Unusual interest in your activities- Phone/computer behaving strangelyResponse Protocol:1. Document everything2. Change passwords from clean device3. Enable/strengthen 2FA4. Inform trusted contacts5. Consider professional help if persistent—### BUILDING THE HABITStart Small:- Pick one habit to focus on each week- Master it before adding another- Use reminders/alarms initially- Track your progressMake It Automatic:- Attach new habits to existing routines- Create checklists for important tasks- Use password manager for all passwords- Automate what you canStay Consistent:- Security is a practice, not a destination- Regular review and adjustment- Learn from mistakes and near-misses- Share knowledge with trusted network—### QUICK REFERENCE: Daily OPSEC ChecklistMorning:- Lock devices when leaving bed- Check for unusual account activity- Vary your route if leaving homeThroughout Day:- Maintain situational awareness (yellow)- Lock devices when stepping away- Be mindful of conversations in public- Don’t post real-time locationEvening:- Secure home (locks, alarms)- Review day for security concerns- Charge devices in secure location- Prepare for tomorrow (vary routine)Weekly:- Review financial statements- Check account login activity- Assess supply levels- Practice one security skill—*OPSEC Series - Tutorial #5 (Mindset & Habits)*Sources: Former Intelligence Community Professionals, Security Industry Best Practices, Situational Awareness Training Programs
CORRECTION NOTICE — 2026-03-27