Teenagers have always been formidable hackers. In fact, in recent years, some of the most high-profile and brazen digital attacks around the world have been carried out by teens. But even if you’re not a hacker, you’re probably still a prolific user of digital tools and social platforms. And whether you’ve never given much thought to your digital privacy and security or you’ve started to rein in your data, you can use this guide to implement basic precautions and keep operations security in mind. In other words, this guide contains advice and ideas to help you conceptualize how people can find out information about you from your digital activities—and start to minimize what’s out there in ways you didn’t intend.
Protecting your digital privacy isn’t a blanket prescription. Some people are more private by nature, and others prioritize putting themselves out there. But even if you’re a 24/7 streamer, you can still think about your operations security, commonly known as opsec. What can viewers see in your room while you’re streaming? Which people from your life have appeared onscreen? Could viewers figure out where you live from what they can see out your window?
These same types of questions can be adapted for any type of onlooker—from the tech companies that operate the platforms you use to people browsing your social media or dating profiles or a friend (FORMER FRIEND) looking over your shoulder at your phone.
What Opsec Is and Why It Matters
In digital operations security, “operations” are the things that make up online activity like messages, searches, AI chats, websites, photos, accounts, passwords, and so on. The “security” piece has two goals. One is secrecy: No one sees stuff they shouldn’t. The other is availability: You don’t lose access to your data and accounts.
Opsec is hard, because secrecy and availability conflict. The more secret you make things, the easier it is to accidentally lock yourself out and vice versa. Good security is a balance.
It’s worth saying, though, that opsec is not paranoia. Just because you’re (probably) not a cartel boss, that doesn’t mean your privacy isn’t important. For you, it’s about not being an easy target and building habits that prevent disasters. For example, your social media accounts getting hacked, losing all your photos from the last few years, or your school reading your AI chats.
At the same time, if your school account is compromised, it shouldn’t expose your private Instagram username. If your anonymous Reddit is discovered, it shouldn’t lead back to your real identity. If your fake email is leaked, it shouldn’t give someone access to your main inbox.
Expand your mind, man. Opsec is really all about time travel—taking small, protective steps now before you have a disaster on your hands later. If you’re not on auto-delete, then an explosive, emotional text exchange with the person you’re currently dating—or, ahem, photos you sent to each other—will hang around forever. It’s normal for things to change and for relationships of all types to come and go. You may trust someone and be close to them now but grow apart in a year or two.
If you imagine an even more extreme scenario where you’re being investigated by the police, they could obtain warrants to search your digital accounts or devices. People have to go to great lengths to maintain their opsec if they’re trying to hide activity from law enforcement. To be clear, this guide is definitely not encouraging you to do crimes. Don’t do crimes! The goal is just to understand the value of keeping basic opsec principles in mind, because if some of your digital information is revealed haphazardly or out of context, it could, theoretically, appear incriminating.
You probably intuitively understand a lot of this. Don’t give your password to friends, duh.) So this guide is going to largely skip the obvious and emphasize more subtle, unintended consequences of failing to practice good opsec.
Memorable Opsec Fails
“Signalgate,” 2025: US officials discussed war plans in a group chat on the mainstream, secure messaging app Signal. Then they accidentally added a journalist to the chat. Subsequently, US defense secretary Pete Hegseth famously (embarrassingly) messaged the chat, “we are currently clean on OPSEC.” At least some members of the chat were also potentially using a modified, insecure version of Signal. All extremely not clean on opsec.
Gmail Drafts Exposed, 2012: Then-CIA director David Petraeus and his paramour shared a Gmail account to hide their communications by leaving them for each other to see as draft messages. Kind of ingenious given that this was before most texting or messaging apps offered timed disappearing/ephemeral messages, but the FBI figured out the strategy.
Identities
Opsec is all about compartmentalizing, and that’s the hardest part. Failure to compartmentalize is often how criminals get caught or how information that was meant to stay secret gets exposed. Think of your online life like rooms in a house. Each room has a separate key. If someone breaks into one room, they can grab everything there, but you don’t want them to be able to run wild beyond that room.
You can have multiple identities online and compartmentalize the activities of each, but it takes forethought to maintain the separation. There’s the real you who uses your main Gmail or Apple ID for personal and family stuff and social accounts where you use your real name, plus school and maybe work. Another compartment is your school email and school file storage. Then there’s your more adaptable, online personas who may have semi-anonymous handles, like jnd03 for Jane Doe. Friends know that these accounts are yours and classmates can probably guess them. Finally, there may be a pseudonymous you: alt accounts with no obvious link to real you—like Jane Doe using the handles “_aksdi0_0” or “peter_mayfield01.”
Rules of Separation
You have accounts under your real name, but you probably also need pseudonymous accounts. Tight compartmentalization will prevent people from doxing your pseudonymous accounts. But that’s easier said than done.
Obviously, don’t recycle usernames across platforms. If JaneD03 is your Instagram handle, don’t use it or a similar name for your anonymous Reddit account. Don’t even reuse passwords—but especially don’t reuse passwords between real and pseudonymous accounts. To prevent a compromised pseudonymous account from revealing your name, don’t use your main email address; instead, use a unique, pseudonymous one. Gmail “dot tricks” (jane.doe@, j.ane.doe@) don’t count, because they all equally reveal your master account.
Avoid contamination: Don’t send emails between your real and pseudonymous accounts. Don’t DM your alt account from your main. In your web browser, connect to your pseudonymous account from Incognito tabs or from a different browser. This makes it less likely that cookies and web sessions will betray you.
Basic Hygiene
Only download apps from official stores like Apple’s App Store and Google Play. They run malware checks that many other stores don’t. Don’t keep things you don’t need. Old files, photos, or chats are liabilities waiting to leak. Regularly erase your histories (browser, YouTube, AI, etc.) or turn history off when available and convenient. Think conceptually about the distinction between data that you store locally, meaning in the hard drive/storage of a computer or phone, versus data that you store on a web platform or in the cloud. (The “cloud,” after all, is just someone else’s computer.) Both scenarios have good and bad tradeoffs from a security, secrecy, and availability perspective; it’s just important to know what’s what so you can make informed choices about where you keep things.
Your Phone Will Be Lost or Stolen
It’s just probability. Could be a stranger, could be a pissed-off friend, could be bad luck. Eventually, your phone will go missing, somehow, some way. To balance secrecy with availability in this situation and generally minimize damage, be proactive about locking down your phone and backing it up.
Use a strong PIN or pattern to lock your phone—not 1234 or your birthday—and change it occasionally. Use Apple’s Find My or Google’s Find Hub to locate the phone.
Meanwhile, you shouldn’t lose your life when your phone is gone. Sync contacts and photos with Apple’s iCloud, your Google account, etc. Enable backups for WhatsApp. You can even sync multifactor authentication codes now using numerous authentication apps, including Google Authenticator. Even Signal is working on secure backups. (Just as a general point, Telegram is marketed as a secure messaging app, but isn’t end-to-end encrypted by default. In other words, don’t use Telegram for anything you want to keep secret.)
If you want to be extra cautious, a great option is to consider turning on end-to-end encrypted backups, like those offered by iCloud and WhatsApp. These allow you to use the cloud without the service provider being able to access your data. Be mindful of the trade-off between secrecy and availability, though. If you lose the backup’s password, then there’s no way to recover your data because no one else has the key.
Passwords and Account Access
One of the major reasons people’s accounts get hacked is that they’ve reused the same password across multiple important accounts. To prevent catastrophic digital takeover, imagine three tiers. There’s your principal accounts, often Gmail and/or an Apple ID. If this is compromised, you’re toast, because an attacker now has access to your emails, photos, and resets for basically every other account. Because of the extreme value and sensitivity of these accounts, you must use a unique, strong password.
The best way to do this consistently is to use a reputable password manager that will auto-generate and store strong, unique passwords for you. Just make sure that the password to your password manager is extremely robust. If you memorize only one password in your life, let it be this one. You can also write it on a piece of paper, and keep that piece of paper in a safe, private place.
Enable two-factor authentication. Print recovery codes and store them offline. If supervised by parents, logins already need approval, but add two-factor anyway as an extra defense. Another, newer option for strong defense against password theft and attacks like phishing is to replace your passwords with Passkeys on sites or apps that offer them.
The next tier is important accounts like those for social networks, school, music streaming, and forums. If any of these accounts were hacked, it would hurt, but it wouldn’t cascade to everything else. If you use strong, unique passwords and two-factor authentication when available, it’s unlikely that you’ll have a problem.
Then there’s everything else. You can be lazier here—provided you’ve properly compartmentalized these accounts away from the accounts that really matter. Ideally you’ll use strong, unique passwords anyway because you’re generating them with a password manager or on your device, but you could also use a simple pattern that you tweak, like OPsec823??xx where xx is the service initials.
What’s Encrypted and What’s Not
Most apps and websites now encrypt your traffic using a cryptographic protocol called Transport Layer Security (TLS). It prevents Wi-Fi networks, your Internet service provider (ISP), and any other snoops from seeing the data you send and receive—photos, emails, DMs, and so on.
But domain names are rarely protected. In other words, when you access wired.com, your device sends a message that essentially asks, “what’s the IP address of wired.com?” and gets an address back. This step is called DNS resolution and is usually not encrypted. So if you connect to your school’s Wi-Fi, their admin can probably see the general list of apps and websites you use.
If you want to feel like a hacker, you can check whether your system uses technologies like DNSSEC or DoH to protect DNS requests. You may even disable cleartext requests altogether.
Incognito or private tabs ignore cookies and don’t keep a browser history. These won’t help hide domain names. They make you slightly harder to track and discard all active sessions when the tab is closed. But they won’t fully protect your privacy and security online.
Messaging and Other Communication
When it comes to texts and calls, apps like Signal and WhatsApp guarantee the protection called end-to-end encryption. Only the devices of the sender and recipient (or multiple recipients in a group chat) can view messages or hear calls. No one else, including the app maker, can access your communications. WhatsApp will use your social graph to send contact suggestions on Instagram and Facebook. Unlike WhatsApp, Signal doesn’t have access to metadata (all the data around a message or call, like recipient info, timestamps, call duration, and other revealing data), and it doesn’t show your online status. WIRED always recommends Signal first.
Whichever app you use, enable disappearing messages whenever you can, so you don’t have to worry about what might be lurking in your chat histories. Keep in mind that even with disappearing messages on, chat participants can take screenshots or externally record a call.
Consider adding FaceID unlock for your chat apps. It adds only little friction but saves you if someone snatches your unlocked phone. Also, learn about other privacy features, like one-time view images.
And just to clear the air: When you see reports that police obtained WhatsApp or Signal messages, they haven’t “cracked” the encryption or used a “backdoor.” They got the messages from a device: the suspect’s or that of another person they were talking to. It’s still safe to use these apps, and there will be a flurry of news reports if that ever changes.
VPNs and Tor
If you’re trying to mask your web browsing, keep in mind that the incognito windows offered by browsers don’t provide adequate protection.
Virtual private networks (VPNs) route your web traffic through an additional server, adding a layer of encryption that shields your activity from prying eyes. This means that your IP address is hidden from the websites you access, because they just see the address of the VPN server. Similarly, the admin of the Wi-Fi network you’re on or your ISP won’t see which websites you access. Crucially, though, your VPN provider can see which sites you go to, because all of your requests are flowing through their platform.
VPNs can help you fake your location, which is why people use them when possible to access blocked or region-locked content. But be very careful with free VPN apps. Many spy on you worse than any local ISP would. They often retain your data even when they claim they don’t. Some VPNs even route your traffic to China. For trustworthy options, WIRED has a regularly updated guide to the best VPNs.
The Tor Browser offers higher anonymity than a VPN. No one will know both your IP address and the site you’re accessing. Tor is great when it’s usable, but it’s typically too slow for daily browsing or video streaming.
Use Tor when you want searches or sites to be (almost) impossible to trace back to you. It runs in its own browser for Android, iOS, and desktop, isolated from your other sessions, and doesn’t save history or cookies. But Tor isn’t a magic opsec solution, and the same foundational concepts still apply. If you’re trying to separate specific activity from yourself, don’t enter identifying details like your real name or main usernames while using Tor. If you log in to a service via Tor, never log in directly from your home address. That’s how people get caught.
Searching, Browsing, Ad-blocking
Google tracks what you search and builds a profile on you. Privacy-focused search engines like Brave Search, DuckDuckGo, Kagi, or Startpage don’t save your history or track you. In exchange, you won’t get personalized results. Set them as your default search engine and just accept the minor inconvenience of not having an algorithm curate search results for you.
To reduce ad tracking, use a privacy-focused browser like Brave that has ad-blocking and privacy features built in. Chrome, Edge, and Firefox are workable, too, for general browsing. Just install uBlock Origin (Lite) to kill trackers and ads. (Naturally, you’ll put WIRED on the allow list, so you can see our ads and support our work!)
The AI of It All
The question of what is stored locally versus in the cloud is particularly relevant to generative AI. For the most reliable local option, you could run large language models on your PC and then you control what training data the model does and doesn’t have access to and who can see your prompts. Some services, like Apple Intelligence, are designed to run locally whenever possible and only call out to the cloud for processing that is too complicated to do on-device.
If you’re using AI web platforms, your prompts and other activities are visible to the company running the service. Even though companies say that this information is kept private, there have been situations where people’s prompts and answers leaked and even started showing up in Google search results. Don’t mix school prompts with personal stuff in the same AI chat. Be careful when using the same account for different purposes, as it retains memories across chats. Use the temporary chat features as much as possible. And as with any other service, don’t forget to enable two-factor authentication on your AI accounts.
Miscellaneous Fun Stuff
Check data leaks on Have I Been Pwned to see whether your accounts have been included in any breaches. If your email is listed, change the account password immediately.
For your photos and videos, strip the metadata, known as EXIF data. Otherwise your pics could include GPS tags that reveal your location. Signal and WhatsApp do this automatically when you send photos.
Consider cloud sync traps. Deleting photos locally on a device doesn’t necessarily delete them from the cloud. Review what you’re storing and where regularly.
Self search. Google your name once in a while to see what’s out there about you. And don’t forget about reverse image search. Experiment with how it works to check what’s out there about yourself and others.
Similarly, review public defaults. Some services automatically display information publicly unless you proactively change the settings to lock things down. Check settings for your playlists on Spotify, payment history and friends lists on Venmo and anything else with a social component that could be set to public.
On social media, don’t always post in real time. If you do, you could reveal your current location to the world. Prune friends and connections every few months. Take screenshots if you think you could need receipts from an interaction or post.
Contingency
Shit happens. We’ve all been hacked or lost a password, an account, and data. When it happens, learn from it. Understand what went wrong and how it could have been avoided, and adapt your opsec accordingly.
To reduce the risk of data loss, make offline backups. Services like Google Takeout and others will let you export your data out of the cloud. Make local backups of your most critical or special digital treasures on a USB stick, external hard drive, or network-attached storage. Then encrypt it with a strong, unique password!
Oh, and don’t save all the paper copies of your most critical passwords and recovery keys in your underwear drawer. Get a little more creative.
This opsec guide began as a note for coauthor JP Aumasson’s 15-year-old daughter.
The post The WIRED Guide to Digital Opsec for Teens appeared first on Wired.
