You Are Being Watched: 10 Critical Steps to Online Anonymity for LE, Intelligence, and NATSEC Professionals

Written By John Connor Tampoya

The world is watching. Right now, across the U.S., law enforcement personnel at the federal and state levels are being closely observed due to ongoing civil unrest related to the current administration’s directives countering illegal immigration. Although critically essential and concerning for ECHO writers and our audience, this blog is about neither the unrest, anti-immigration policies, nor federal and state responses to escalating tensions across the homeland. Instead, this blog is about a public error in personal operational security (OPSEC) and providing law enforcement, intelligence, and NATSEC professionals with a stark reminder that you ARE being watched—and how to prevent you and your loved ones from being targeted.


You Are Being Watched


On May 9, 2025, as part of ongoing coverage of the civil unrest and violence in Los Angeles, CA, in response to Immigration and Customs Enforcement actions, former Mexican law enforcement, security consultant, and personal security expert Ed Calderon published a video to his Instagram account (@manifestoradiopodcast). The video depicts a protestor confronting a Federal Bureau of Investigation (FBI) agent. Holding two phones, the protestor appears to be conducting real-time OSINT investigations into the agent—saying, “You need to watch your online footprint. If you’re going to do that, you should cover up your face. Now I’ll find out all your shit. All of it.” Within the video, the agent appears visibly disturbed to be confronted about his social media presence, which has revealed apparent information about his dining habits and even his spouse. After berating the officer’s poor OPSEC, the protestor turns toward other law enforcement and says, “Who’s next?” Hopefully, not ECHO readers.


10 Critical Steps to Online Anonymity for LE, Intelligence, and NATSEC Professionals

The following steps to online countersurveillance and protecting online anonymity are provided with law enforcement intelligence and NATSEC professionals in mind. However, ECHO encourages all readers to engage in clean online hygiene, and these recommendations can and should be leveraged by anyone.


STEP 1 - Compartmentalize Your Online Identifies and Operations

If threat actors can connect your personal life to your professional life, your cover is blown. Preventing threat actors and adversaries from linking your digital identities across platforms or between your personal and professional lives is essential. At the bare minimum, leverage the maximum privacy settings possible on social media platforms.

  • Separate and silo for personal, professional identities online, as well as operational activity. You have two identities, so treat your online activity accordingly.

  • Use separate names, aliases, usernames, and emails for personal and professional online accounts. If necessary or able, use separate devices and networks between professional and personal life.

  • Never reuse usernames and profile pictures or include overt contact information on profiles to prevent cross-platform tracking.

  • Never log in to two identity compartments on the same device or browser session if possible.


STEP 2 - Isolate your Device and Online Infrastructure

The tools you use will inevitably betray you; separate them to lower risk exposure. This step is more intensive and requires separate devices and networks. To prevent cross-contamination across your online identities through shared infrastructure, take the following steps:

  • Use a dedicated device for sensitive or anonymous activities.

  • For computer use, leverage privacy-focused software/operating systems (E.g., Tor, Tails, Qubes, Whonix, Linux) and browsers (e.g., DuckDuckGo).

  • It doesn’t matter if it’s free or paid; use a VPN.

  • Avoid using personally registered devices for anonymous or pseudonymous online activities.


STEP 3 - Don’t Leak Your Metadata

Every file you share and any media you publish tell a hidden story. Ensure that the story is fictitious or only the one you want to share. Preventing the leakage of your geolocation, identity, and operational contexts from digital artifacts is invaluable for online and social media hygiene. You shouldn't post if you don’t know what metadata is shared when you post that Instagram picture of your dinner or your routine coffee shop stop.

  • Before sharing a media file or uploading social media content, strip all media of EXIF data, geotags, and hidden metadata. Tools like MAT2 and ExifTool can help with this.

  • If you need to share files, sanitize their file names, PDF properties, and document revision histories before sharing.

  • Obscure or censor background details in images that reveal routines, devices, or identities. Reconsider sharing locations on posts that threat actors can map and leverage.


STEP 4 - Obscure Your Online Behavior

Remember that anonymity isn’t just who you are online but how you behave. For those who really want to keep their personal online activity away from prying eyes, evade browser fingerprinting, behavioral analysis, and passive online tracking by:

  • Using privacy browsers (i.e., Brave, Tor Browser, Firefox with hardening).

  • For sensitive online activities, Block JavaScript and disable WebGL, WebRTC, and fingerprinting vectors.

  • Avoid those cross-session cookies and shared logins like the plague.

  • Change your browsing habits across identities: vary timing, language settings, and resolution.


STEP 5 - Clean Up Your Digital Exhaust and Minimize Social Media

Remember that your feeds are a footprint. The harmless posts you make today can expose you or your loved ones tomorrow. Take active steps to reduce passive open-source exposure that can be aggregated or exploited.

  • Maintain minimal or nonexistent public social media presence. What’s the added benefit of that personal Instagram, Facebook, X, or BlueSky account?

  • If you feel the need to maintain a LinkedIn account, Obfuscate your last name and employer and minimize what can be viewed publicly on your account. Oversharing information regarding access and employment is a goldmine for threat actors looking for a target. Never post about agency affiliation, personal or family routines, family, or travel.

  • Request removal of personal data from online directories and data brokers. You can manually make these requests or leverage professional services to do so.

  • Communicate the need for privacy with your family and loved ones: Review all media posts for identifying clues—yours and your family’s (see Step 9).


STEP 6 - Use Secure Comms

Remember, if it’s not encrypted, it should be considered public. Even when it is encrypted—* cough* SignalGate *cough*—make sure you’re aware of who’s in the chat. Assume everyone is listening and watching—because they are.

Prevent interception, de-anonymization, or social engineering via communications by:

  • Using end-to-end encrypted platforms (Signal, Session, Element).

  • Avoiding platforms linked to work phone numbers or government emails.

  • Employing burner phone numbers and temporary emails for outreach, anonymous, or undercover work. Don’t use your personal phone for OSINT.

  • Always assuming that all non-encrypted channels are monitored or compromised and act accordingly. Don’t share sensitive or operational information on non-encrypted work channels.


STEP 7 - Remain Situationally Aware

Watch out for who might be watching you. If you don’t track your exposure, someone else will. Detect and neutralize efforts to surveil your online presence or establish digital patterns.

  • Monitor your information and accounts regularly for compromise or impersonation using tools like Google Alerts, HaveIBeenPwned, and dark web crawlers.

  • Leverage canary tokens or honeypot accounts to detect unauthorized access or tracking.

  • Rotate your pseudonymous identities, browser configurations, and device setups.

If the idea above seems too tedious or intensive, Consider creating personal sock puppet social media accounts under your name with strict privacy settings. Monitor those follower requests closely to see who’s interested in your life that you don’t recognize.


STEP 8 - Secure Credentials and Monitor for Leaks

Reuse means ruin—compromised credentials and personal information happen fast. Prevent identity correlation or compromise through reused credentials or breaches.

  • Use unique, complex passwords. Ditch the Post-it notes and notebook of passwords for password managers. I can personally vouch for services like KEEPER.

  • Enable 2FA/MFA using hardware keys or authentication apps—avoid SMS-based authentication when possible.

  • Again, routinely monitor breach repositories for exposed credentials. If feasible, use professional services to monitor breaches of your personal information.


STEP 9 - Lock Down Your Family OPSEC

Be mindful that your weakest point may not be you. Whether it’s HUMINT or OSINT investigations, LE and intelligence professionals know that identifying who has access to the desired information is essential.

Threat actors and adversaries will target you through your family and loved ones. Discuss family security and privacy. Prevent attribution and targeting through your family and household members’ digital activities by:

  • Educating and discussing with your family and loved ones on what not to post, how to restrict visibility, and how to recognize phishing.

  • If you have children: Cooperate with your children and spouses to sanitize their online content— do not tag or post family names, schools, routines, or travel.

  • Use privacy aliases or unrelated surnames for children online and continuously monitor for side-channel exposure via social networks.


STEP 10 - Red Team Yourself Regularly

Test yourself before they do. Based on your profession, home life, and existing online presence, remain cognizant of your unique threat environment and test for vulnerabilities and baseline exposure.

  • Develop a personal threat model that outlines who might target you, how, and why.

  • Routinely simulate attacks against your digital presence (e.g., doxing exercises).

  • Use red team tactics to test OPSEC—from metadata tracking to device tracing. At a baseline, Google yourself and your family semi-regularly to maintain awareness of what information is publicly available.

  • Know thy enemy. Stay current on adversary TTPs (tactics, techniques, procedures) from threat actors.


Don’t Get Caught

You are a target whether you’re a criminal intelligence analyst working at a fusion center, a law enforcement officer of a local precinct, an FBI Agent, or a NATSEC and intelligence professional from a three-letter agency. Act accordingly. Protect yourself. Protect your family.

The steps provided aren’t perfect, but they’re essential to prevent you from ending up like that unfortunate FBI agent watching a protestor pull up images of his wife and favorite steak dinner spot.

John Connor Tampoya
Next

ECHO Reverb: 86 the Threat—When Shells and Numbers Spook the State