(Nearly) Useless OPSEC Measure: Route Variation

Route Variation

The practice of varying your routes between home and work is sometimes touted as an OPSEC measure.  This is sometimes advocated by law enforcement or military organizations as a measure their members should take, and in some instances it may actually be a good idea. I began to think seriously about this, however, when I read a few articles that explicitly or implicitly seemed to recommend the practice to average citizens in the prepping or “tactical lifestyle” communities. Except in limited circumstances (explained near the end of this piece) I am not sure what the perceived purpose of this is. It may be to defeat surveillance, make yourself unpredictable, or satisfy some other, less immediately perceptible rationale, but I can accurately tell you the practical value of such route variation: zero, or very near it.  This article will make some assumptions about the people at whom this advice is usually targeted.  They are as follows:

  1. The reader is a law-abiding resident of a first-world nation,
  2. has a relatively predictable pattern of life, going to work a nominal five days per week, and
  3. travels by automobile.

This is written with the understanding that not every individual will fit within these parameters. But it should also be pointed out that advice concerning route variation is usually intended for individuals who do.  Individuals who do not live a “conventional” lifestyle – those who work from home, and/or travel exclusively for work – will have naturally varied routes and need not be advised to expend additional effort to do so.

THREAT MODEL

Let us consider the attacker that would conduct surveillance of a target for long enough that route variations would become a meaningful security measure.

Actor(s):  Presumably the threat actors in this perceived scenario are criminal or terroristic in nature. These techniques would be all but useless to evade detection or capture by law enforcement or other government organizations who can simply track the movements of the user’s mobile device, the vehicle’s integral GPS, or through other methodology if they care about his or her route(s).  Alternatively, they may intercept and arrest him or her at home or work if they don’t.

Focus:  High.  An attacker who will conduct surveillance on his or her victim for more than a 24-hour period can be considered focused.  If the attacker only observes routes over a single 24-hour period (or less), route variations are nearly* irrelevant.

Sophistication: Moderate to high. An attacker with the patience, time, and resources to conduct route surveillance on a potential target exhibits the capability to form a complex plan and is fairly sophisticated.

Goal(s):  Murder, rape, robbery, kidnapping, other (?), all targeted against a specific individual.  Again, if an attacker is expending this level of time and resources to conduct surveillance, you and you alone are the target of the attack and there is a compelling goal in the attacker’s mind.  Specifically targeted murder may be motivated by some perceived wrong, a romantic entanglement that has gone badly, or failed association with a criminal organization.  It should also be noted that murder, though not the ultimate goal, may occur incidentally in the pursuit of rape, robbery, or kidnapping.

Rape is perhaps the most realistically plausible of these potential goals; the attacker in this case has focused on his intended victim for a very specific set of reasons as is common with sexual criminals.  Robbery makes much less sense in this context.  Most valuables are likely stored in the home, not the car, and in any case such a targeted effort seems unlikely unless the individual in question is storing something like art, or extremely large quantities of precious metals, cash, or other easily liquidated valuables.  If an individual is targeted for robbery because of the valuables that he or she owns then other, more meaningful OPSEC and PERSEC measures (like keeping this ownership secret) have failed.  Kidnapping seems similarly implausible, unless the individual is a public figure, exceedingly wealthy, or is on poor terms with powerful criminal organizations.

Likelihood:  Vanishingly small.

Caveats:  *I use the qualifier “nearly” because an attacker could potentially monitor only your route to work and intend to initiate the attack on your way home along the same route.  In this instance he or she would have to wait a maximum of 24 hours to reacquire and plan an alternate attack, or wait until you travel the planned primary route again, which you almost certainly will, probably within a few days.  In any city there are a finite number of routes from Point A to Point B.

What exactly is route variation intended to protect you against?  Honestly, in this context it is unclear, as this is another area of this security measure on which authors and “experts” are notoriously vague (note: I am NOT an expert).  Reading between the lines there are two major categories of “things” that route variation may be designed to protect you from: surveillance and some form of “attack”.  I don’t believe that varying your normal routes provides any real protection from either of these things.

GENERAL OPSEC MEASURE

This technique is occasionally advocated as a general OPSEC measure in the interest of being “the grey man”, i.e. an individual that is non-alerting and would not attract undue attention.  Varying your route to and from work offers at best a dubious contribution to this goal.

ANTI-SURVEILLANCE

Route variation is occasionally touted as a way to foil a surveillance effort against you.  In the context of the domestic citizen who is neither extraordinarily wealthy nor famous, this surveillance, should it occur, would most likely be in preparation for an attack of some sort.  It is unlikely that anyone has the time, patience, and financial resources to conduct surveillance on you for any period of time, just for the sake of conducting surveillance.  (There are some instances in which you may be the subject of surveillance: if you have filed a disability or worker’s compensation claim, if you are going through a contentious divorce, if you are wealthy or famous and a target of media/tabloid scrutiny, or if you are under a law enforcement investigation.  In none of these instances will varying your route make a significant difference.)  Route variation is also inadequate in these and other instances for three reasons:

Mobility of Surveillance Teams:  If you are under physical surveillance they will probably move with you, regardless of the specifics of the route you take.  Taking an unexpected route may cause them to act erratically and reveal their presence if you are alert to such action. This line of thinking may have some minor merit, but it is unlikely that even a moderately good surveillance team would be noticed by a layman using such amateurish tactics.  And the very presence of surveillance again begs the question, “what is its underlying purpose?”

Route Limitations:  Without adding significant time to your commute there are a finite number of routes that you can take to and from work.  Regardless of how random you attempt to be, humans are notoriously poor at generating true randomness and predictable patterns will emerge (i.e. Monday route, Tuesday route, etc.).  Even if there is a huge variation in the routes you can take, you will almost inevitably encounter the “last mile” problem: traveling the last street in and out of your home or office, of which it is pretty likely there is only one.

Time/location predictability:  Even if we assume that a.) it is possible to take a completely different, randomly-generated route to work every single day, b.) you have the discipline to do it without fail, and that c.) you lose surveillance immediately after leaving home in the morning and work in the afternoon, you will still be predictable in (at least) two time windows at two locations: your home and your work.  If you are active in a church, a bowling league, a softball team, a community organization, or participate in other extra-curricular activities you will set a weekly and monthly pattern of other locations and times at which you are predictable, depending on the length of time the surveillance team is willing to spend developing your pattern of life.  This assumes, of course, that our attacker is not so sophisticated that he or she can track the location of your mobile device, place a GPS tracking device on your car (a variety of which are for sale on Amazon.com for under $100), or find geotagged social media content that you, your spouse, or your children have posted that would reveal information about your route(s).

Again, the question arises: why bother?  If you are under surveillance there is little point in hiding the routes you take between work and home.  The only time you would truly need to know that you are “clean” is if you are going to conduct an act that would be compromising in some way.

PHYSICAL ATTACK

This is probably the most frequently given reason for route variation: the risk of a nebulously defined physical attack.  Unfortunately, regardless of how varied the routes are the individual will always be predictable in two locations: at home and at work.  With this knowledge it is reasonable to assume that if you are being specifically targeted, for whatever reason, it is unlikely that an attacker will attempt to attack you while you are on the road.  There are some good reasons that an attack against you while on the road would not be advantageous to the attacker.

Ease of Execution: Though most of us are perpetually distracted by our phones, radios, coffee, and everything else going on inside the passenger compartment of the vehicle, we are all possessed of some level of situational awareness while driving, otherwise none of us would ever make it home.  It is much more likely that the victim will have some early warning (how much is debatable) of an attack in progress, even if it is as minimal as visual contact with an individual approaching the vehicle on foot.  Even if the vehicle’s occupant didn’t notice the attacker until the vehicle’s window is being broken he or she would still be given milliseconds to seconds of time to mount a defensive reaction.

Perhaps the strongest reason that an attack “on the road” is so incredibly unlikely is that you are a much softer target at home or at work.  The most advantageous time from the attacker’s viewpoint is probably just after you have removed the keys from the ignition, opened the door to step out, and are distracted by juggling your iPhone, coffee, keys, briefcase, etc.  With the keys out of the ignition and the vehicle safely parked it poses no threat to the attacker and the victim’s ability to flee the scene is greatly diminished.  Since the door has been opened voluntarily there is no damage to the car should the attackers wish to minimize evidence of a struggle or forensic leavings.  The victim also has far less time to prepare for a physical altercation, whether mentally or by producing a weapon, etc.

Danger to the Attacker: Next, the driver of every car on the road is in possession of a weapon weighing several thousand pounds – the car itself.  This makes an attack on a vehicle incredibly dangerous.  Even if the occupant has no intent to strike an attacker with the vehicle it may happen accidentally.  Many will object that a large number of Americans are heavily armed, making an attack at home more dangerous from the attacker’s standpoint, and hold this up as the reason an attacker would choose to attack when you are on the road.  I disagree with this on a couple of points:  if the victim is heavily armed there is also some likelihood that he or she carries a concealed handgun on a daily basis.  Regardless of where the attack occurs (home, work, or in between) this threat to the attacker remains constant.

Additionally, should the attack occur at your house well after you have gotten out of your car, the concealed handgun is still the defensive arm that is most likely to be produced to repel the attack.  Even though many own AR- or AK-pattern rifles, combat shotguns, and numerous other, larger handguns (in the US, at least), it is unlikely that most of them will be within easy reach when a well-planned and executed attack occurs since the attacker would know this and plan accordingly.  An example of good planning (and the kind exhibited by an attacker who would surveil you long enough to be inconvenienced by route variation) would be waiting until the target is distracted by mowing his or her lawn or the whole family is in the yard away from better suited firearms that are stored indoors.

WHERE ROUTE VARIATION DOES WORK

The route variation technique does have some legitimate applicability in the real world but only in very specific circumstances.  One scenario in which this technique may be useful is in the true high-threat/non-permissive environment where improvised explosive devices are prevalent such as Iraq.  In this scenario soldiers leave the forward operating base through a predictable point in the perimeter and must travel a certain distance of a highly predictable route.  Fortunately this route is protected, visually from the confines of the base, and through security patrols in the immediate vicinity.  Beyond these “safe” areas any route is suspect, and one that is frequently traveled naturally makes a potentially better target for the attacker.

The permissive environment application for route variation is in situations where the home is relatively secure, the workplace is relatively secure, but the route between the two is relatively insecure.  An excellent example of this would be an embassy.  The embassy staff may be housed at fairly secure locations (depending on threats in the host country) with cameras, very good locks, and perhaps armed guards.  Even if an attack succeeded at the victim’s residence it would be discovered and reported very quickly.  The embassy itself would doubtlessly be more secure still and reduce the chances of a successful attack occurring there to effectively zero.  This arrangement forces the attacker to conduct actions outside of these two areas: the time while the employee is in transit between work and home becomes a very prudent opportunity around which to plan an attack.  This is an entirely different scenario and the motivations of such an attack would likely be entirely different.

CONCLUSION

This post is not to suggest that there is zero chance of an attack occurring while you are driving.  Car-jacking can and does occur, but these are frequently crimes of opportunity.  A number of things advocated by the prepping and tactical communities will do some meaningful good in these situations: situational awareness, keeping your doors locked, avoiding high-risk areas, etc., but route variation is not one of them.

Route variation may even be counter-productive.  Traveling a fixed route allows you to choose the safest route; varying your route may require that you travel through areas that are less safe and increase your risk of an opportunistic attack.  Route variation may also elevate your profile to a potential attacker.  This may be construed as general hypervigilance or specific surveillance awareness.  This will likely deter an opportunistic attacker, but remember our threat model: an attacker who would physically surveil you for a meaningful period of time is incredibly focused on you specifically.  The knowledge that you are surveillance-aware may cause the attacker to strike with much more violence in an attempt to achieve superior, overwhelming force.

Varying your route to and from work (or school, or whatever) may give you some benefit, i.e. a “placebo effect” feeling of security and well-being (humans are also very poor at estimating risk and the effectiveness of risk mitigations), or increase your social status as a serious member of your “tactical” community.  It is extremely doubtful that the benefit conferred from this behavior is an increase in security, and certainly not an increase in security that is equal to or greater than the effort expended.  Each of us only has a finite amount of energy, attention, and resources to dedicate to security and all of these are probably much better spent elsewhere.

6 thoughts on “(Nearly) Useless OPSEC Measure: Route Variation”

  1. Good article. I have to confess that I never gave this subject much thought. On its face, route variation seems to make a lot of sense, but you offer some compelling arguments why it’s not necessarily all that beneficial.

    There is one reason that I think route variation is very valid, apart from avoiding surveillance or an attack, and that is that taking varying routes allows you to become more familiar with your surroundings. A form of situational awareness, if you will.

    What if a tree blows down and blocks your primary route? Do you know an efficient alternate? What if there is a traffic accident or a gas main leak or a sinkhole or a hostage situation or..or..or.., and you can’t get to your destination the way you usually go. Can you easily, and with minimal stress, (and with no GPS), re-route yourself?

    Taking alternate routes also allows you to become familiar with other neighborhoods, and become aware of patterns or other relevant happenings. Everything from road work to slowly-encroaching gang graffiti to opening/closing businesses to houses for sale. It just adds to your mental database, which you can refer to as needed, in an emergency or just during routine day-to-day activities.

    Found your blog a few weeks ago, and have enjoyed the variety and depth of content. Thanks!

    1. John,

      Great point! Especially the part about situational awareness of your larger AO; that is something I definitely overlooked. I also like your idea of learning alternate routes. This seems like it would be extra important if you’ve just moved to an area and are trying to learn your way around. Since you brought it up: At my last job (before all my work became travel) I would sometimes take different routes. Not for “tactical” reasons – I just got bored going the same way every day and wanted a little variety.
      Thanks for commenting – much appreciated!

      Justin

  2. I believe this is a hold-over from Robert Rogers’ 28 Rules of Ranging (written in 1759). In a scenario where travel was conducted on foot or horse-back through rural environments, surveillance was different than today and route variation had more merit. As you pointed out, it is also still valid in situations like Iraq where route variation can complicate enemy plans for ambush or IED placement. I think we are seeing this kind of advice based on the, “it was valid in Iraq, and it was valid in the 7-Years War/French and Indian War, so it must have universal validity,” line of reasoning.

    1. Greyson:

      GREAT comment! This does have some applicability, but it is definitely not the universal tool most people think it is. If you aren’t familiar with the Rules of Ranging or the “Standing Orders” (my personal favorite is #1) you should check them out.

      Justin

  3. Justin–

    The concept was explained to me in the following terms.

    If you are in a non-permissive environment where surveillance is likely, and perhaps guaranteed (my field being international journalism, this isn’t unlikely), you are best off having, as far as can be possibly true, an unpredictable schedule, mode of transportation, etc. The way it was explained to me is that the best way to do this is to add on various chores and tasks and meetings mid-route that are plausible and necessary but not consistent. You don’t set a pattern. Main reason for this being that you are not establishing any “baselines” that set off alarm bells when you do have to actually go out of your way to, say, pick up a package from one of your sources. Going off the program thus doesn’t look like going off the program. Goal isn’t to defeat surveillance, but to not set off alarm bells when under surveillance. Clandestine Reporters Working Group is a model of the type:

    For similar reasons they actually recommend not using PGP:

    https://www.crworkinggroup.com/blog/files/alertingPGPuse.html

    https://www.crworkinggroup.com/blog/files/typing.html

    Would be curious to hear your take on all this.

    1. I agree with your take on route variation – it does work in non- or semi-permissive environments and under certain conditions. However, I stand by my conclusion that it’s not really relevant to the average individual as a “general purpose” OPSEC measure.

      As far as not using PGP, I don’t really agree with their take, which can be summarized with a quote from the article:

      The government or private company investigating, alerted to PGP use, will circumvent much wasted time and resources with monitoring email traffic, and go straight to obtaining private keys, logging keystrokes in real time, videotaping keyboard use, among many other surreptitious entries not into the emails themselves

      “Obtaining private keys, logging keystrokes in real time, videotaping keyboard use,” etc. are all hard in real life. If they were as easy as the article makes it sound, why wouldn’t the government just do those things in the first place? It takes time and personnel. It puts operations at much greater risk of discovery. Monitoring all email in near-real time is already happening. Encrypting it forces the adversary to make a choice about whether they want to dedicate resources to you, put people on the street, and risk the operation being blown. Every government agency (yes, even the NSA) has a finite amount of resources, human and technical. If the choice is don’t encrypt and let them get everything by default, or encrypt and have some level of security, I will encrypt.
