icyphox's avatar

Instagram OPSEC

Operational security for the average zoomer

Which I am not, of course. But seeing as most of my peers are, I am compelled to write this post. Using a social platform like Instagram automatically implies that the user understands (to some level) that their personally identifiable information is exposed publicly, and they sign up for the service understanding this risk — or I think they do, anyway. But that’s about it, they go ham after that. Sharing every nitty gritty detail of their private lives without understanding the potential risks of doing so.

The fundamentals of OPSEC dictacte that you develop a threat model, and Instgrammers are obviously incapable of doing that — so I’ll do it for them.

Your average Instagrammer’s threat model

I stress on the word “average”, as in this doesn’t apply to those with more than a couple thousand followers. Those type of accounts inherently face different kinds of threats — those that come with having a celebrity status, and are not in scope of this analysis.

a search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, comments, and location information.

That out of the way, here’s a list of DOs and DON’Ts to keep in mind while posting on Instagram.



More DON’Ts than DOs, that’s very telling. Here are a few more points that are good OPSEC practices in general:


Instagram is — much to my dismay — far too popular for it to die any time soon. There are plenty of good reasons to stop using the platform altogether (hint: Facebook), but that’s a discussion for another day.

Or be like me:

0 posts lul

And that pretty much wraps it up, with a neat little bow.

  1. https://darknetdiaries.com/episode/51/ — Jack talks about Indian hackers who operate on Instagram.

Questions or comments? Send an email.