# Beyond Pentesting: Tailored OPSEC for At-Risk Communities
In a departure from traditional penetration testing, a dedicated initiative is providing critical operational security (OPSEC) training to vulnerable communities. This pro bono effort focuses on empowering human rights defenders and activists with practical digital privacy and security strategies, addressing threats often overlooked by conventional infosec approaches.
Late last year, we highlighted our commitment to offering digital privacy and security advice to at-risk communities. These **OPSEC** trainings (encompassing workshops, advising sessions, assessments, and presentations) have long been a core, albeit unpublicized, aspect of our work.
This crucial work keeps us connected to the realities of tech-enabled violence and the evolving resistance strategies employed by movement workers. We're sharing a detailed breakdown, hoping to inspire other security trainers and organizers to adopt similar approaches.
## Not Traditional Pentesting
To be clear, our services do not constitute traditional 'pentesting' or the offerings of an information security (infosec) firm. Infosec companies typically follow a cycle of discovery, vulnerability scanning, exploitation, and reporting of mitigation strategies. These comprehensive audits can cover network, physical, and web application security, as well as defenses against phishing or ransomware. While invaluable for many organizations, such engagements are often out of reach for under-resourced human rights defenders and activists due to high costs.
Our approach differs significantly. We center the needs of people on the ground, offering our expertise pro bono. While our engagement cycle shares similarities with pentesting, it's uniquely tailored for people-powered movements.
We begin with a discovery phase, learning about an organization's work, their issue space, and the threats their peers have encountered. Leveraging our knowledge of known threat actors (including state-operated threats, non-state actors, and surveillance mechanisms), we conduct thorough threat modeling and risk assessments. This process identifies critical assets to protect and the specific threats they face. For some groups, this initial assessment is sufficient to begin enhancing their security plans.
With consent, we may conduct **OSINT** (open-source intelligence) investigations to map out their digital footprint. This often involves examining public records, data broker ecosystems, and breach databases, as well as assessing risks from services used for their web presence. Tools like our own **Privacy Badger** help identify trackers on their websites that pose risks to both the organization and its users. This digital footprint analysis reveals opportunities to reduce data exposure, particularly in sensitive areas.
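As an added example (not EFF's code, and not how Privacy Badger detects trackers), here is a static first-pass inventory of the third-party hosts an organization's own page asks visitors' browsers to contact. The sample HTML, the `example.*` hostnames, and all function and class names are constructed for illustration; the first-party check is a deliberately simple assumption.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes a visitor's browser contact a host.
URL_ATTR = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "link": "href"}
# <link> only triggers a request for these rel values (canonical, alternate, etc. do not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect", "dns-prefetch"}

class ThirdPartyInventory(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url, self.first_party = page_url, first_party.lower()
        self.found = defaultdict(set)  # third-party host -> tags that reference it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTR.get(tag, ""))
        if not url:
            return
        if tag == "link" and not FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        # urljoin resolves relative and protocol-relative URLs; data: URIs have no host.
        host = urlparse(urljoin(self.page_url, url)).hostname
        # Naive first-party test (assumption): exact match or subdomain, no public-suffix list.
        if host and host != self.first_party and not host.endswith("." + self.first_party):
            self.found[host].add(tag)

def third_party_hosts(html, page_url, first_party):
    """Return {host: [tags]} for every non-first-party host the page references."""
    parser = ThirdPartyInventory(page_url, first_party)
    parser.feed(html)
    return {host: sorted(tags) for host, tags in sorted(parser.found.items())}

# Constructed sample page for a site served from www.example.org.
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="https://other.example.net/page">
<link rel="stylesheet" href="https://fonts.example.net/css?family=Foo">
<script src="/static/app.js"></script>
<script src="//metrics.example.com/collect.js"></script>
</head><body>
<img src="https://media.example.org/logo.png">
<img src="https://metrics.example.com/pixel.gif?uid=1">
<iframe src="https://player.example.net/embed/42"></iframe>
<img src="data:image/png;base64,AAAA">
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, "https://www.example.org/", "example.org").items():
        print(f"{host}: {', '.join(tags)}")
```

A static pass like this misses requests made by scripts at runtime, so it complements rather than replaces observing the page in a browser.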
For more in-depth engagements, we use the information from threat modeling and digital footprint analysis to train participants on how to address their specific threats. This might involve deep dives into encryption for data backups and secure communications, or practical guidance on how to [stay safe from surveillance threats encountered at a protest](https://ssd.eff.org/module/attending-protest). Frequently, our advice draws from materials in our **Surveillance Self-Defense** (**SSD**) project, with **EFF** staff providing tailored application to their specific contexts.
## Movements and Communities Advised
Requests for these trainings arise organically, often through referrals, our media participation, or interest in **SSD**. The demand for accessible **OPSEC** advice naturally escalates with the increasing sophistication and reach of surveillance technology. As authoritarianism grows, threatening movement workers, this demand takes on a marked urgency.
The communities and liberation movement workers we advise represent a wide array of experiences, yet some commonalities emerge. Since the overturning of *Roe v. Wade*, we've seen a significant increase in requests from abortion access activists, including clinic escorts and information distribution networks. Providers of criminalized healthcare services, both abortion and gender-affirming care, are also reaching out. The list extends to advocates for transgender rights (e.g., art collectives, archivists), sex worker rights activists, survivors of intimate partner violence, climate justice activists, and legal defense groups focused on immigrant justice and Black liberation. Many others come from experiences of distinct marginalization and state-powered violence.
We are actively working to mitigate the harm inflicted by surveillance violence.
## Taxonomy of Threats
During risk assessments, common threat actors frequently emerge, such as ideologically motivated harassers, lawmakers, law enforcement, negligent leadership at large tech platforms, and more. This provides a degree of predictability regarding their capabilities, allowing us to make informed risk assessments, determining the means and likelihood of harm.
For community organizers and grassroots activists, concerns most often revolve around doxxing (and harassment fueled by **OSINT**), social media monitoring, content suppression on tech platforms, and insider threats like infiltration within trusted communication channels. This often creates a tension between the need for publicity to further their cause and the recognition that digital privacy profoundly impacts personal safety. Some activists engaged in more covert direct action may be more concerned about [street-level surveillance](https://sls.eff.org/) threats.
Small non-profits and other organizations may share doxxing concerns, alongside traditional digital security issues related to their web presence. Website defacement and data exfiltration are particular worries for organizations lacking dedicated **IT** security staff. For those with limited budgets, organizational compliance and the ease of use of privacy and security technologies become additional challenges. The question then becomes how to manage a system of distributed devices, often uncontrolled by the organization, yet operationally necessary for each community member.
Generally, the most common threats in these spaces stem from the opacity and unchecked reach of surveillance systems. For every individual or group we engage with, threat modeling is the top priority. It's impossible to protect against every theoretical threat. Instead, we guide them through [identifying and prioritizing known and perceived threats](https://ssd.eff.org/module/your-security-plan) based on their specific context and work, before moving on to recommended mitigation and resistance strategies.
## Strategies of Resistance
Developing a threat model without a clear course of action can inadvertently foster [privacy nihilism](https://www.eff.org/deeplinks/2024/02/privacy-isnt-dead-far-it) rather than address community risks. As we engage more with at-risk communities and offer reasonable, accessible **OPSEC** advice, our ability to recognize effective strategies grows. At the core of these recommendations are fundamental privacy and security principles: encryption, access controls, sophisticated backup plans, **OSINT** skills, and resistance to online tracking.
Over the years, we've found it most effective to start with non-technical recommendations. These strategies often integrate well with a community's existing organizing procedures, such as designating team roles for security responsibilities.