Personal Security for High-Visibility Targets: Journalists, Activists, and Executives
Defensive playbook for people with public profiles: from threat modeling to digital hygiene, with tools battle-tested in the field.
An investigative journalist found out in 2024 that her home address was circulating across three different data brokers for under two dollars per lookup. A fintech executive received photos of his kids' school via Telegram after publishing a fraud exposé. These are not dystopian scenarios; they are the daily reality of anyone with a public profile. Personal security for high-visibility targets does not start with body armor or a paid VPN; it starts with an honest threat model: who wants to harm you, how much budget they have, and what the shortest path is between your routine and the impact they want to cause.
The first exercise is to list real adversaries by capability and motivation. An individual stalker has a budget of up to a few hundred dollars and uses public OSINT. An organized crime group operates with tens of thousands of dollars, bribes telco employees, and contracts SS7 lookups. A state or para-state actor has unlimited capacity, including commercial spyware like Pegasus, Predator, and QuaDream. The playbook changes for each tier. Anyone following the logic in "OPSEC for Security Researchers: Building a Personal Threat Model" prioritizes spending 400 dollars on hardening before buying 4000-dollar gadgets that protect against the wrong threats.
On the digital layer, start with the password-MFA-recovery trio. Use Bitwarden or 1Password, generate 20+ character secrets, and migrate critical logins to passkeys, as "Passwords and MFA: Moving to Passkeys Without Breaking Your Recovery" explains. Kill SMS as a second factor: SIM swap attacks cost less than 600 dollars in regional underground markets and take an average of 4 hours to detect. For source communication, use Signal with one-week disappearing messages and a dedicated VoIP number. Use SimpleX or Session when your adversary has access to carrier metadata. Compare the technical guarantees in "Comms OPSEC: Signal, SimpleX and Session Technically Compared" before committing to a single stack.
Before publishing any document, run metadata hygiene. Reports have burned sources because the PDF carried the original author in the XMP field, and protester photos were geolocated via EXIF GPS. ExifTool in batch mode, qpdf to linearize PDFs, and LibreOffice exporting as PDF/A solve 90% of the cases described in "Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish". For everyday devices, enable Lockdown Mode on iPhone (reduces attack surface by roughly 70% according to Citizen Lab tests) and follow the checklist in "macOS Hardening: Lockdown Mode, MDM and Attack Surface Reduction" for corporate laptops. On high-risk personal Windows machines, use BitLocker with TPM+PIN and Attack Surface Reduction rules, as covered in "Windows 11 Hardening for High-Risk Offensive Security Workstations".
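As an added example (not part of the original article), the Python sketch below is a pre-publication gate for the metadata hygiene step above: it walks a JPEG's header segments and reports any EXIF block, EXIF GPS pointer, or XMP packet still present after stripping. The function names and the sample bytes built by build_sample are constructed for illustration.

```python
import struct
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def jpeg_segments(data):
    """Yield (marker, payload) for header segments before the image scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: no metadata segments after this
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def ifd0_tags(tiff):
    """Return the tag ids listed in IFD0 of an EXIF (TIFF) blob."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = (tiff[offset + 2 + 12 * i:offset + 4 + 12 * i] for i in range(count))
    return {struct.unpack(order + "H", e)[0] for e in entries if len(e) == 2}

def publish_blockers(data):
    """List metadata findings that should stop a JPEG from being published."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker != 0xE1:  # APP1 carries both EXIF and XMP
            continue
        if payload.startswith(b"Exif\x00\x00"):
            findings.append("EXIF block")
            if GPS_IFD_TAG in ifd0_tags(payload[6:]):
                findings.append("EXIF GPS pointer")
        elif payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            findings.append("XMP packet")
    return findings

def build_sample(with_gps):
    """Constructed input: JPEG header with a minimal little-endian EXIF block."""
    entries = [struct.pack("<HHII", 0x0112, 3, 1, 1)]  # Orientation
    entries += [struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 0)] if with_gps else []
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + b"\x00" * 4
    app1 = b"Exif\x00\x00II" + struct.pack("<HI", 42, 8) + ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda"
```

An empty list from publish_blockers means no EXIF or XMP segment was found in the JPEG header; PDF and Office files need their own checks.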
On the physical layer, the key concept is predictable patterns. Anyone watching you for two weeks maps your gym route, kid pickup time, and Friday restaurant. Vary routes across at least three alternatives and schedules in 30-minute windows. For surveillance detection, apps like AirGuard on Android catch AirTags and BLE trackers in the background. Add cameras with local SD card storage at the gate, perimeter motion sensors, and a Class III safe for passports and HSMs. Basic defensive driving training costs about 300 dollars and teaches extraction maneuvers worth more than a poorly used armored car.
Anti-doxxing is the most thankless and most urgent task. Pentest your own footprint with Maltego CE and Spiderfoot as shown in "Ethical OSINT: Investigating Your Own Digital Footprint with Maltego and Spiderfoot", then pay removal services for data brokers (Spokeo, BeenVerified, WhitePages have opt-out flows, and GDPR plus regional laws give you legal leverage). The "Anti-Doxxing Personal Security: Removing Data from Brazilian Data Brokers" guide lists the main brokers with legal response deadlines. For the family circle, train spouse and kids in basic compartmentalization: no real-time check-ins, private profiles, school names off Instagram. Apply the logic in "Digital Compartmentalization: Separate Identities Without Leaking Metadata" to keep public and private identities clean across emails, numbers, and cards.
Backup and recovery is the part nobody does until they lose everything. Use a 3-2-1 strategy with VeraCrypt on an external drive, a second encrypted cloud backup (Tresorit or Proton Drive), and a cold backup in a physical safe or at a trusted relative's house. Practical details are in "Disk Crypto and Backups: VeraCrypt, LUKS and a Resilient 3-2-1 Strategy". For personal crypto, a hardware wallet with a separate BIP39 passphrase, as in "Personal Crypto: Hardware Wallets, Passphrase and Coercion-Resistant Backup", protects against physical coercion through plausible deniability. Document a continuity plan in a sealed envelope: who calls the lawyer, who notifies the company, how to access accounts in case of detention or hospitalization.
Practical takeaway: block 4 hours this Saturday, open a spreadsheet, and fill three columns: adversary, estimated capacity in dollars, most likely vector. For the top three vectors, set one concrete action for next week: switch email provider, buy a YubiKey, hire a data broker removal service. Personal security is not a product; it is an iterative 90-day process. People who treat it as a project with sprints, metrics, and quarterly review end up safer than those who buy expensive solutions and forget the basics.