WAG

Provider Guide

Digital OPSEC for Providers

Your digital footprint can be your biggest vulnerability. A single metadata slip, a cross-linked account, or a synced photo can connect your work identity to your personal life. This guide covers every aspect of digital security that matters to your work.

Digital mistakes are permanent. Once your real identity is connected to your work identity online, it's extremely difficult to undo. Set up your digital boundaries correctly from the start. If you're already working and haven't done this properly, pause and fix it now — the temporary inconvenience is worth the long-term protection.

Phone Setup

Work Phone vs. Personal Phone

The golden rule: never use your personal phone for work. Your personal phone is connected to your real identity through your carrier account, payment method, Apple/Google ID, app logins, contacts, photos, and location history. Using it for work creates dozens of connection points that could expose your identity.

Your options for a work phone:

  • Dedicated second phone (best option): Buy a separate smartphone — it doesn't need to be expensive. Set it up with a new Apple ID or Google account that uses your work email and working name. Pay with cash or a prepaid card. This phone never touches your personal accounts, personal Wi-Fi (unless you use a VPN), or personal charging cables that sync data.
  • Prepaid/burner phone: A basic prepaid phone from any carrier. Pay cash, no ID required for prepaid in most jurisdictions. Use this for calls and texts. The downside is limited functionality — no apps, poor camera, no encrypted messaging.
  • VoIP number as primary: Services like Google Voice, Hushed, Burner, or MySudo provide phone numbers that aren't linked to a carrier account. These work well for texting and calls, but have limitations — some screening services flag VoIP numbers, and you still need a device to run them on.
  • Dual-SIM phone (acceptable compromise): Some phones support two SIM cards or an eSIM plus physical SIM. You can use one number for personal and one for work. This is better than nothing but not ideal — the phone itself still contains both identities, and a single accidental cross-contamination (calling a client from the wrong number, texting a friend from the work number) can create a link.

SIM registration laws: Some countries require ID to purchase a SIM card. Research your local laws. In jurisdictions where anonymous prepaid SIMs are available, use them. Where registration is required, consider using a VoIP number instead, or registering the SIM under your business entity if you have one.

Photo OPSEC

EXIF Data Stripping

Every digital photo contains metadata (EXIF data) that can include your GPS coordinates, the device that took the photo, the date and time, and sometimes even the serial number of your camera. If you post a photo with EXIF data intact, anyone who downloads it can potentially determine where the photo was taken — which could reveal your home address or incall location.

Before posting any photo anywhere:

  • Strip all EXIF data using a metadata removal tool (many free apps and online tools exist)
  • Verify the stripping worked by checking the metadata of the processed file
  • Make this a habit — strip metadata from every photo before it leaves your work phone
  • Some social media platforms strip EXIF on upload, but don't rely on this. Strip it yourself first

Watermarking

Watermark your photos with your working name and website. This serves two purposes: it makes stolen photos less useful to impersonators (your name is literally on the image), and it provides proof of ownership if you need to file DMCA takedowns. Place watermarks where they can't be easily cropped out — across the body of the image, not just in a corner.

Reverse Image Protection

Anyone can run your work photos through a reverse image search and potentially find your personal social media. To protect against this:

  • Never use the same photos for work and personal social media — not even similar poses in the same location
  • If possible, use a different camera or phone for work photos than for personal photos (different devices produce different image signatures)
  • Set personal social media accounts to private so your photos aren't indexed by search engines
  • Periodically run your own work photos through Google Images and TinEye to see where they appear
  • Avoid identifiable backgrounds in work photos — unique furniture, distinctive wall art, recognizable views from windows can all be used to identify your location

AI-Generated Concerns

Be aware that your photos can be used to train AI models or create deepfakes. While you can't prevent this entirely, watermarking, lower-resolution web images, and regular monitoring of where your images appear can help. If you find AI-generated content using your likeness without consent, document it and pursue takedown requests through the platform and legal channels if available.

Social Media Separation

The Two-Identity Rule

Your personal life and your work life must be completely separate online. This isn't just about having different accounts — it's about ensuring there are zero connection points between the two identities. One slip can unravel everything.

Rules for maintaining separation:

  • Different email addresses: Your work email should have no connection to your personal email. Don't use your real name, real birthday, or real location in the work email. Don't use the same email provider if you can avoid it (a personal Gmail and a work Protonmail add a layer of separation).
  • Different devices: Access work accounts only on your work phone/computer. Never log into work social media on a personal device, and vice versa.
  • Different networks: If you must use the same Wi-Fi network for both devices, use a VPN on your work device. Better yet, use mobile data on your work phone instead of your home Wi-Fi.
  • No cross-following: Your work social media accounts should never follow, like, comment on, or interact with your personal accounts in any way. Don't follow the same niche accounts from both identities.
  • Different writing styles: If you're active on social media with both identities, be aware that writing style analysis can link accounts. Vary your tone, vocabulary, and posting patterns.
  • Location discipline: Never post real-time location information from your work accounts. Don't geotag. Don't mention recognizable local businesses or landmarks that could narrow down your real location.

Common mistakes that blow separation: Logging into your work Twitter on your personal phone's browser (the browser remembers). Using the same password manager for both identities. Having your work and personal phones connected to the same Apple/Google account. Responding to a work DM from your personal Instagram because you forgot which account you were on. Following a client on your personal account because you recognized them. Any one of these can create a permanent link.

Email and Communication

Email Setup

Create a dedicated work email with a privacy-focused provider. Protonmail, Tutanota, or similar encrypted email services are ideal. Use your working name, not your real name. Don't use this email for anything outside of work — no personal subscriptions, no shopping, no social media.

Encrypted Messaging

For client communication, use apps that offer end-to-end encryption:

  • Signal: The gold standard for encrypted messaging. Disappearing messages feature is useful for automatic conversation cleanup. Requires a phone number, so use your work number.
  • Telegram: Popular in some markets. Use "Secret Chats" for encryption — regular Telegram chats are NOT end-to-end encrypted. Enable auto-delete timers.
  • WhatsApp: End-to-end encrypted by default, widely used internationally. Note that WhatsApp shares metadata with Meta, even if message content is encrypted.
  • Wire: Doesn't require a phone number to sign up (email works). Good option if you want to avoid linking your work number.

VoIP Numbers

For advertising and initial client contact, a VoIP number adds a layer between you and the client. Options include Google Voice (free, requires a Google account), Hushed (paid, more private), MySudo (paid, multiple numbers for different purposes), and Burner (paid, disposable numbers). The key advantage is that VoIP numbers can be changed easily if a number gets compromised or you want to start fresh.

Website Privacy

WHOIS Protection

If you have a personal website, the domain registration (WHOIS) record can expose your real name, address, and contact information. Every domain registrar offers WHOIS privacy protection — some include it free, others charge a small fee. Enable it when you register your domain. If you already have a domain without WHOIS privacy, enable it immediately and check if your information has already been cached by WHOIS lookup sites.

Hosting Considerations

Not all web hosting companies are friendly to adult content. Some will take your site down without warning. Choose a host that explicitly permits adult content in their terms of service. Consider hosting in a jurisdiction with strong privacy protections and limited content-based takedown compliance. Pay for hosting with a method that doesn't link to your real identity — cryptocurrency or prepaid cards.

Website Analytics

If you use analytics on your site (Google Analytics, etc.), be aware that the tracking code can sometimes be linked to your other Google properties. Use a separate Google account for website analytics, or use a privacy-focused alternative like Plausible or Fathom that doesn't require a Google account.

DMCA Takedowns

When Your Content Is Stolen

Content theft is rampant in the adult industry. Your photos will be stolen by impersonators, uploaded to tube sites, used in fake ads, and reposted without credit. You have legal tools to fight this.

How to File a DMCA Takedown

  1. Document the infringement: Screenshot the stolen content with the URL visible, noting the date you found it
  2. Find the hosting provider: Use a WHOIS lookup on the domain to find who hosts the site
  3. Submit the takedown notice: Most hosting providers and platforms have a DMCA submission form or designated email. Your notice must include: identification of the copyrighted work, the URL where the infringing content appears, your contact information, and a statement of good faith
  4. Privacy concern: DMCA notices typically require your real name and contact information. If this is a concern, you can hire a DMCA takedown service that files on your behalf, keeping your identity private. Several services specialize in the adult industry
  5. Follow up: If the host doesn't respond within 10-14 business days, escalate. For persistent infringement, consult an attorney specializing in copyright and adult content

Proactive monitoring: Set up regular reverse image searches of your most-used photos. Some paid services will automatically monitor the web for your images and alert you when they appear on new sites. The faster you find stolen content, the faster you can get it removed.

Review Site Management

Responding to Reviews

Review sites are a double-edged sword — they bring clients, but they also create a public record that requires management.

  • Positive reviews: A brief, gracious acknowledgment is sufficient. Don't reveal details about the session that the client didn't mention.
  • Negative reviews: Respond professionally and briefly, if at all. Don't get into public arguments. A measured response like "I'm sorry this didn't meet your expectations. My screening and service standards remain consistent for all clients" says more than a heated rebuttal.
  • Fake reviews: If you receive reviews from people you never saw, report them to the platform with evidence (your booking records showing no appointment on that date, for example). Most platforms have processes for disputing fraudulent reviews.
  • Retaliatory reviews: Clients who threaten to leave bad reviews unless you provide discounts or specific services are engaging in extortion. Document the threats, report to the platform, and block the client.

Review Privacy

Be mindful of what review responses reveal about you. Don't mention your exact schedule, confirm or deny specific services in public, reference other clients, or share personal details. Keep responses professional and vague on specifics.

Cloud Storage Dangers

Auto-Backup Risks

This is one of the most common and most dangerous digital security failures for providers. Modern phones automatically back up photos to the cloud — iCloud, Google Photos, OneDrive. If your work phone and personal phone share the same cloud account, your work photos are syncing to the same place as your family vacation pictures.

Critical cloud storage rules:

  • Separate cloud accounts: Your work phone must use a completely separate Apple ID or Google account from your personal devices. This is non-negotiable.
  • Disable auto-backup on work devices: Or ensure it backs up to your work cloud account only. Verify this setting regularly — software updates can reset your preferences.
  • Family sharing: If you use Apple Family Sharing or Google Family accounts, any photos on a shared account are visible to all family members. Work photos must never be on a shared account.
  • Shared Albums: Both iCloud and Google Photos can create shared albums that sync across devices. Review your sharing settings regularly.
  • Recently Deleted: Deleted photos stay in the "Recently Deleted" folder for 30 days. If your cloud account is shared, "deleted" photos are still accessible for a month.

Secure Storage Alternatives

For work-related files, photos, and documents, use an encrypted storage solution:

  • Encrypted folders: Both iOS and Android support encrypted/locked folders that require a separate password or biometric
  • Dedicated encrypted apps: Apps designed for secure photo storage with their own encryption
  • External encrypted storage: An encrypted USB drive or external SSD for backups that you control physically
  • End-to-end encrypted cloud: Services like Tresorit or SpiderOak offer cloud storage where even the provider can't access your files

Check right now: Open your phone's photo backup settings. Is your work phone backing up to the same account as your personal phone? Are any photo sharing features enabled? Is Family Sharing active? If you find a problem, fix it immediately. Then check your cloud storage to see if work photos have already been uploaded where they shouldn't be.

Additional Digital Hygiene

Browser and App Hygiene

  • Use separate browsers for work and personal browsing (e.g., Firefox for work, Chrome for personal)
  • Use a VPN when doing anything work-related online
  • Clear browser history, cookies, and cached data regularly on your work device
  • Don't save passwords for work accounts in a personal password manager (and vice versa)
  • Use incognito/private browsing mode for sensitive searches

Payment Digital Trails

Digital payments create records. Cash leaves no trail, which is why it remains the preferred payment method for in-person sessions. For digital deposits, use payment methods that don't display your real name to the sender. Set up your payment apps under your working name where possible, and use a separate bank account for work income if your financial situation allows it.

Regular Security Audits

Set a monthly reminder to audit your digital security:

  • Search your working name and your real name online — what comes up?
  • Run reverse image searches on your most recent work photos
  • Review app permissions on your work phone
  • Check cloud storage settings and sharing permissions
  • Verify your VPN is working properly
  • Review your password security (unique passwords for every work account)
  • Check for data breaches affecting your work email at haveibeenpwned.com

Your digital security is only as strong as its weakest point. One photo with metadata, one cross-linked account, one cloud sync slip — and your carefully built separation can collapse. The protocols in this guide aren't optional extras. They're the digital equivalent of the locks on your door and the safe call on your phone. For physical safety protocols, see our Personal Safety Protocols guide. For screening, see the Client Screening Guide.

Quick Reference: Monthly Security Audit

Set a calendar reminder to run through this checklist on the first of every month:

  1. Search your working name and real name online — review what appears
  2. Run reverse image searches on your 3-5 most-used work photos
  3. Verify cloud backup settings on all devices (no cross-account syncing)
  4. Check app permissions on your work phone — revoke anything unnecessary
  5. Confirm your VPN is active and functioning on your work device
  6. Review and update passwords for all work accounts
  7. Check haveibeenpwned.com for breaches affecting your work email
  8. Verify WHOIS privacy is still active on your domain
  9. Review your work and personal social media for any accidental cross-contamination
  10. Delete any screening data older than your retention period

Related guides: Safety Essentials · Safety Technology · Client Screening Guide · Dealing With Stalkers · Platform Setup Guide