Personal Opsec Tradecraft: What Staying Ghost Actually Looks Like in 2026

# Personal opsec tradecraft: what staying ghost actually looks like in 2026

Most "how to protect your privacy" content is software. VPN, password manager, two-factor. The advice isn't wrong but it's incomplete. Tradecraft, the word intelligence services use for operational security in the field, is a layered discipline that starts with how you think and ends with what's written on your mail. Software tools are the easy part. The mental model is harder.

This post is a practical application of the tradecraft principles used by protection detail officers, intelligence field officers, and high-risk subject matter experts (journalists, activists, specific targets), adapted for the civilian reader who has credible reasons to be harder to find than the average person. It doesn't cover classified methodology. Everything here is published openly in the professional security literature, spy autobiographies, counter-surveillance academic papers, and open-source intelligence training materials. But it's rarely assembled into one place for non-professionals.

Read this as preparation, not paranoia. You don't implement the whole thing on day one. You decide what your threat model actually is and implement the pieces that move the needle.

#The mental model: why most personal opsec fails

The biggest error civilians make about opsec isn't the tools they pick. It's the assumption that they can fix privacy retroactively. You cannot. Data that's already out there is already out there. The goal of a tradecraft posture is to:

1. Accept existing exposure as sunk cost and stop generating new exposure
2. Compartmentalize so any single exposure doesn't compromise the rest
3. Maintain operational discipline so new mistakes don't create new exposure

Professional intelligence officers think about themselves as a set of personas. Each persona has its own phone number, email, physical address where possible, social media, even apparent political views. Compromise of one persona doesn't compromise the others because the identifiers don't overlap.

Civilians don't need five personas. They often need two or three:

• Private self — your actual name, home, family, banking, medical
• Professional self — your business identity, professional email, public-facing profiles
• Errand self — loyalty cards, subscriptions, marketing signups, delivery addresses

These should not cross-contaminate.

#Physical opsec

#Home

The home address is the single most valuable PII item. Most downstream harassment, doxxing, stalking, physical attack requires knowing where you sleep.

Defensive actions:

• Title property in a trust, not your personal name. Property records are public. Search your county assessor's site. If your home is titled to "Phillip Bucchi" anyone can find the address in 30 seconds.
• Use a PO Box or UPS mailbox for all non-sensitive mail, deliveries, loyalty programs, and anything resembling marketing. Cost: $10-30/month. Worth it.
• Register vehicles through a trust or LLC where state law permits. Public DMV records are a common doxxing vector.
• Request a non-public voter registration. Some states allow this for specific categories (law enforcement, judges, domestic violence survivors). If you qualify, use it. Check the state-specific program on your Secretary of State site.
• Trim social media photos of anything that geolocates the home. House numbers, visible street signs, distinctive landscaping, the interior of rooms with views out windows.

#Travel

Addressed in detail in our Travel Opsec post. Summary: separate travel device, VPN always, no biometric unlock crossing borders, no public social posting in real time.

#Counter-surveillance baseline

You're not a spy, so you don't need a tradecraft detail operating against you to still apply the principles.

• Vary your routes. If you drive the same path to work every day, you are predictable and pre-positioning is trivial. Rotate among 2-3 routes.
• Vary your times. Same reasoning. Don't start work at the same minute every day if you can avoid it.
• Learn your surveillance signature. Walk your regular route and deliberately notice what cars, what people, what patterns recur. When something new shows up multiple times, you'll notice.
• Dead-drop or public-meetup for sensitive handoffs. Don't receive sensitive documents or hardware at home. Use a coffee shop, a park, a location disconnected from your residence.

None of this is paranoid if the threat profile justifies it. Protective details for state legislators, corporate executives, and federal judges routinely implement all of it.

#Identity fragmentation

#Phone numbers

Covered in the Phone Number Opsec post. Summary: real carrier number locked down with PIN + port freeze + no SMS MFA for privileged accounts. Google Voice or MySudo or a second carrier line for everything public.

#Email

Three-tier structure:

1. Private email (your real name, high-trust accounts only: bank, doctor, lawyer, family). No signup lists. No newsletters.
2. Professional email (pb@valtikstudios.com or equivalent). Business contacts, vendors, professional correspondence.
3. Burn email (disposable alias service). Everything else. Use Apple Hide My Email, SimpleLogin, Firefox Relay, or a dedicated burn provider. Every new subscription, every "try me" vendor, every receipt-only interaction gets an alias you can kill without collateral damage.

Provider recommendations: for private, Proton Mail or Fastmail (not Gmail). For professional, Google Workspace on your own domain. For burn, alias services listed above.

#Payment

Credit card numbers leak constantly. Breaches, skimmers, compromised merchant databases. Use virtual cards for anything non-recurring:

• Privacy.com issues single-use or merchant-locked virtual card numbers
• Capital One Eno, Citi virtual account numbers
• Apple Pay + virtual Apple Card numbers

Burn a card after a breach. Keep your real card number off everywhere possible.

#Digital hygiene

#Compartmentalize browsers

One profile = one persona. Profile switching in Chrome, Firefox Multi-Account Containers, separate user accounts at the OS level for higher-stakes separation.

Never cross-contaminate:

• Private banking browser profile vs work browser profile vs social media browser profile
• Clear cookies between sessions where feasible
• Use VPN on one profile, not on another, to further fragment tracking signatures

#Password management with backup codes

• Password manager as single source of truth. Bitwarden, 1Password, Proton Pass. Every password unique. Every MFA factor documented.
• Printed backup codes in a fireproof safe. When the phone is lost, stolen, or bricked, you're not locked out.
• Break-glass credentials for the password manager itself — printed, escrowed with a trusted party or split (Shamir-style) across multiple trusted people.

#Digital tradecraft for phone use

The phone is the single most compromising device you own. Camera, microphone, location, contacts, everything.

• App permissions minimized. If the flashlight app asks for contacts, delete it.
• Airplane mode during sensitive meetings. Not just silent. Airplane.
• Faraday pouch for the phone when you need the device truly offline. $20. Works.
• Regular phone-off periods. Leave phone home for at least some outings. The absence of data is the data.
• Do not post in real time. Even "check-in at restaurant" and "just landed" are operational intelligence for anyone watching.
• Disable iCloud / Google photo location metadata or strip EXIF before sharing. Most photo apps have a setting for this.

#Social engineering defense

Professional operators don't defeat you with technical sophistication. They defeat you with a phone call to your grandmother.

Family briefing protocol:

• Sit down with spouse, kids (age-appropriate), parents, siblings
• Explain that you are a specific target for a specific reason
• Agree on a code word that must be spoken during any "emergency" call claiming to be you or about you. No code word → hang up.
• Agree that nobody shares your whereabouts, schedule, or relationships with anyone over the phone, no matter how convincing
• Rehearse the scenario: "Someone called claiming to be from the police saying there was an accident. What do you do?"

Caller ID is worthless. Spoofing is trivial. Assume every call could be anyone.

Text message verification is worthless. Deepfaked audio, AI-generated video. Your mother calling you crying sounds exactly like your mother. Use the code word.

#Information hygiene

Stop generating new exposure.

• Before signing up for anything, ask if you need to. Most loyalty programs are worth approximately zero in exchange for permanent data exposure.
• Use fake birthdays. Many sites that ask for birthday don't need the real one. Pick a fake date, keep it consistent.
• Fake middle names on non-legal forms. If the form is for delivery, you are "Phillip T. Bucchi" at a PO box. Only legal / banking / government uses the real middle initial.
• Employer hygiene. LinkedIn is a doxxing resource. If your threat profile is elevated, consider what's on your public LinkedIn and trim ruthlessly.
• Old social media. Go back to MySpace, Tumblr, Flickr, old personal blogs from 2005 and 2010 and kill the accounts. Archive first if you want the history.

#The counter-intuitive moves

Some things professional operators do that feel paranoid but measurably reduce exposure:

1. Do your Google searches in a browser tab you're not logged into. Use a private window or a separate browser profile. Google personalizes results by history, which means Google also stores your interests by history. That store is subpoenable and monetizable.
2. Keep DNS on a privacy-focused resolver. NextDNS, Control D, or Cloudflare 1.1.1.1 with the privacy profile. Your ISP logs every query by default. DNS is your browsing history in list form.
3. Route home traffic through a VPN on your router, not per-device. Prevents smart TV and IoT device leak.
4. Never use the real email on your domain registrar. WHOIS privacy is standard now, but verify. Registrars leak.
5. Review everywhere you've ever had an account. Use the "forgot password" flow to remember. Delete anything you don't actively use.
6. Limit contact photo sync. If your contacts list has photos of family members synced to Google, every contact's photo is in Google's data lake with their phone number.

#Threat modeling yourself

Tradecraft is applied against a specific threat model. Generic "everyone" opsec is wasted effort. Decide:

• Who specifically wants information about me? Stalker, ex, business adversary, criminal, nation-state, media.
• What do they want? Schedule, address, finances, relationships, reputation damage, physical harm.
• What do they already have? Breach check via HaveIBeenPwned + data broker searches.
• What's my time + budget? Opsec is expensive in calendar time. Pick the wins that matter most.

Then work down the list. You don't need every control in this post. You need the three or four that close the specific attack path for your specific threat profile.

#What Valtik can help with

For clients with elevated threat profiles (public figures, executives, specific targeted individuals), we run personal opsec assessments as part of Principal Threat Protection engagements. Scope includes data broker audits, home / vehicle / travel opsec review, family briefing templates, and ongoing threat intelligence monitoring.

This is not a public consumer service. If you know you need it, contact security@valtikstudios.com with a referral. If you're not sure whether you need it, you probably don't yet.

#Sources and further reading

1. Personal Information Protection Handbook — US Marshals Service WITSEC materials (publicly summarized)
2. Michael Bazzell's Personal Privacy / IntelTechniques material (authoritative civilian opsec reference)
3. EFF Surveillance Self-Defense
4. NSA / CISA home-network security guidance (unclassified recommendations)
5. Protective Service Detail training literature (publicly available via State Department DSS publications)