Hacker OPSEC

STFU is the best policy.

New York's Finest OPSEC

NYPD Social Media Investigation OPSEC

The NYPD created an operations formula for conducting undercover investigations on social media. The procedural document reveals the operational security for these investigations. The security is founded on the use of an “online alias” (the officer’s undercover account) and strict compartmentation. Given the capabilities of the adversaries that the NYPD faces this is probably sufficient security.

It is a fascinating glimpse into the operational process of an investigation. Definitely worth reading to get a sense of what the police face when conducting an online investigation (hint: paperwork).

Core NYPD OPSEC

Fundamentally this is basic operational security grounded on compartmentation. The use of dedicated hardware, and pseudononymous internet access, allows the officer to create and operate an online undercover account without any links to the NYPD. The basic security precautions are designed to protect the officer’s laptop from being compromised. A compromised laptop could enable the adversary to conduct a counterintelligence investigation.

  • Compartmentation:
    • Use dedicated hardward and pseudononymous internet connection (laptop + “aircard”)
    • Avoid accounts, usernames, passwords associated with NYPD
    • Avoid personal accounts and internet access
  • Basic Computer Security:
    • Delete “spam”
    • Don’t open attachments
    • Exercise caution when clicking on links

This is very basic stuff, but should be more than sufficient against the adversaries that the NYPD pursues. These adversaries should not have access to any of the records of the phone company supplying the internet access.

Primary Document

Here is the information that is required to create the undercover account:

  1. Username (online alias)
  2. Identifiers and pedigree to be utilized for the online alias, such as email address, username and date of birth.
  3. Do not include password(s) for online alias and ensure password(s) are secured at all times.
  4. Indicate whether there is a need to requisition a Department laptop with aircard.
  5. Review photograph to be used in conjunction with online alias, if applicable.
  6. Consider the purpose for which the photograph is being used and the source of the photograph.

Here is the full section dealing with operational security:

Operational Considerations

When a member of the service accesses any social media site using a Department network connection, there is a risk that the Department can be identified as the user of the social media. Given this possibility of identification during an investigation, members of the service should be aware that Department issued laptops with aircards have been configured to avoid detection and are available from the Management Information Systems Division (MISD). A confidential Internet connection (e.g., Department laptop with aircard) will aid in maintaining confidentiality during an investigation. Members who require a laptop with aircard to complete the investigation shall contact MISD Help Desk, upon APPROVAL of investigation, and provide required information.

In addition to using a Department laptop with aircard, members of the service are urged to take the following precautionary measures:

  1. Avoid the use of a username or password that can be traced back to the member of the service or the Department;
  2. Exercise caution when clicking on links in tweets, posts, and online advertisements;
  3. Delete “spam” email without opening the email; and
  4. Never open attachments to email unless the sender is known to the member of the service.

Furthermore, recognizing the ease with which information can be gathered from minimal effort from an Internet search, the Department advises members against the use of personal, family, or other non-Department Internet accounts or ISP access for Department business. Such access creates the possibility that the member’s identity may be exposed to others through simple search and counter-surveillance techniques.

Conclusions

Undercover operations online rely on very basic operational security. Primarily compartmentation and reviews to ensure that the account isn’t going to be associated with the NYPD.