Operational Security for Normal People: A Practical Guide
Operational security isn’t just for spies. It’s for anyone who’d rather not broadcast their location, habits, relationships, and financial behavior to every database that asks. Here’s a practical framework for reducing your information footprint — without becoming a hermit or throwing your phone in a river.
What OPSEC Actually Is
Operational security — OPSEC — is the practice of identifying what information you’re exposing, to whom, and whether that exposure creates risk. It originated in military intelligence: during the Vietnam War, the U.S. military discovered that the North Vietnamese were anticipating operations by analyzing seemingly innocuous information — troop movement patterns, communication schedules, logistical changes. The enemy wasn’t breaking codes. They were reading context.
The civilian version is the same principle applied to daily life. You generate an enormous amount of information through normal activities: your phone broadcasts your location continuously, your credit card records every purchase, your browsing history maps your interests and concerns, your social media posts reveal your relationships and routines, and BLE beacons track your movement through physical spaces. Each piece of information is individually mundane. In aggregate, they form a detailed profile of who you are, where you go, what you buy, who you know, and what you care about.
OPSEC is the practice of deciding which of those information streams you’re comfortable with — and reducing the ones you’re not.
Step 1: Threat Modeling
Before you change anything about your behavior, you need to answer one question: who are you worried about?
This is called threat modeling, and it’s the step most people skip — which is why most people either do nothing (because the problem seems overwhelming) or do too much (because they’re protecting against threats that don’t apply to them). Your threat model determines which OPSEC measures are worth your time.
Most people’s realistic threat model is Level 1 (data brokers) with occasional elements of Level 2 (personal safety). The good news: Level 1 protection is achievable with behavioral changes and doesn’t require expensive tools. The measures below are organized by impact — highest-value changes first.
Step 2: The High-Impact Changes
These are the changes that reduce the most information exposure for the least effort. They’re ordered by impact, not difficulty.
1. Audit App Permissions
Go to your phone’s settings and review which apps have access to location, camera, microphone, contacts, and Bluetooth. Revoke any permission that isn’t essential to the app’s core function. A weather app needs location. A flashlight app doesn’t. A shopping app doesn’t need microphone access. This takes ten minutes and eliminates the largest category of unnecessary data collection.
2. Reduce Location Broadcasting
Your phone broadcasts location information through multiple channels simultaneously: GPS, cellular tower triangulation, WiFi access point mapping, and Bluetooth beacon detection. Reduce what you can:
Set location permissions to “While Using” rather than “Always” for all apps.
Disable WiFi and Bluetooth scanning when you’re not actively using them (in Settings, not just Control Center).
Turn off location metadata in your camera settings.
Consider a Faraday pouch for times when you want complete location silence — the only method that’s guaranteed to work regardless of software settings.
3. Use Encrypted Messaging
Standard SMS text messages are not encrypted and are accessible to your carrier (and, with a warrant, to law enforcement). Use Signal, WhatsApp, or iMessage for sensitive conversations. Signal is the strongest option — end-to-end encrypted, open source, and operated by a nonprofit. The switch costs nothing and provides immediate, substantial protection for your communications.
4. Use a Password Manager
Password reuse is the single largest security vulnerability for most people. One breached service exposes your credentials for every other service that shares the same password. A password manager (1Password, Bitwarden, or similar) generates unique passwords for every account and requires you to remember only one. This is the highest-return security investment you can make for the lowest effort.
5. Manage Your Browser
Your browsing history is one of the most detailed records of your interests, concerns, and behavior. Use a privacy-respecting browser (Brave, Firefox with privacy extensions, or Safari with tracking prevention enabled). Use a search engine that doesn’t profile you (DuckDuckGo, Startpage, or Brave Search). Clear cookies regularly or use a browser that does it automatically.
6. Separate Your Identities
Use different email addresses for different purposes — one for financial accounts, one for social media, one for shopping, one for personal communication. This prevents a breach of one category from exposing the others. Many email providers allow aliases for this purpose. The goal is compartmentalization: limit the blast radius of any single data exposure.
Step 3: Signal Management
This is where physical products enter the picture — and where we need to be honest about what they can and can’t do.
A Faraday pouch blocks all RF signals from your phone. When sealed, your phone cannot transmit or receive — no cellular, no WiFi, no Bluetooth, no GPS, no location tracking of any kind. This is the most effective signal management tool available to a consumer. It provides complete isolation for as long as the phone is inside the pouch.
A Faraday pouch does not:
Protect data already collected. If you walked through a store with your phone broadcasting for 20 minutes before putting it in the pouch, those 20 minutes of location data already exist. The pouch prevents future collection, not past collection.
Protect against non-RF surveillance. Cameras, physical observation, document analysis, and social engineering are not electromagnetic. A Faraday pouch has no effect on them.
Make you anonymous online. When you take your phone out of the pouch and reconnect, your digital footprint resumes. The pouch creates gaps in the timeline, not a new identity.
Replace comprehensive OPSEC. Signal management is one layer. It’s an important layer — your phone is the largest RF source closest to your body and the most prolific data collection device you own. But it’s one layer in a practice that includes digital hygiene, behavioral discipline, and threat-appropriate tools.
We sell Faraday pouches and cognitive defense products. We think they’re valuable. We’re also telling you — in writing, in our own dispatch, on our own website — that they’re one component of a broader practice. Anyone who tells you a single product solves the privacy problem is selling you confidence, not security.
The Honest Position
TINFOIL makes products that manage the electromagnetic signals closest to your body. We believe those products provide real value: measurable signal isolation, location privacy, RF exposure reduction, and key fob relay attack prevention. These are documented, testable, verifiable functions.
We do not believe our products make you invisible, secure, or invulnerable. Security is a practice, not a purchase. The practice starts with understanding your threat model, continues with behavioral changes that cost nothing, and optionally includes physical tools that address specific vulnerabilities.
If you’ve read all twenty dispatches to get here, you now have a comprehensive understanding of the electromagnetic environment you live in, the research gaps that exist, the regulatory framework that governs your exposure, and the practical tools available for managing it. That understanding is the real product. The hat is just the hat.
Or maybe the hat is the product and the understanding is just the hat. We’re still working on the metaphor. The ambiguity is intentional.
Start the Practice
Twenty dispatches. One electromagnetic environment. The awareness is the foundation. The products are the tools. What you build on that foundation is your call.