Digital Privacy, July 2022

Threat Modeling, Deciding What You Actually Protect

Most privacy advice is worthless because it skips the only step that gives any of it meaning, deciding what you are protecting and from whom. Without that, every recommendation is either overkill or useless, and people end up either exhausting themselves against threats that do not apply to them or ignoring the ones that do. Threat modeling is the discipline of answering those questions first, and it is borrowed directly from how security professionals reason, because the same logic that protects a system protects a person.

A threat model is built from a small set of questions, answered honestly for your own situation.

QUESTIONWHY IT MATTERS
What are you protectingMessages, location, identity, finances, each needs different measures.
Who fromAn advertiser, a stalker, an employer, a government, the adversary sets the difficulty.
How likely is itEffort should match real risk, not imagined worst cases.
What if you failThe consequence decides how much inconvenience is worth accepting.
What will you sustainA measure you abandon in a week protects nothing.

The identity of the adversary changes the entire calculation, and this is where generic advice fails. Protecting your browsing from an advertising network is a matter of a good browser and a content blocker, a modest effort against an adversary that wants aggregate data and moves on when denied. Protecting the same browsing from a determined government with legal powers and access to your internet provider is a vastly harder problem requiring different tools, and the measures that stop an advertiser are nearly irrelevant against it. Someone who adopts nation state countermeasures against an advertiser wastes enormous effort, and someone who relies on a content blocker against a capable state is dangerously mistaken. The threat model is what tells the two apart.

The purpose of a threat model is not to reach perfect security, which does not exist, it is to spend your limited attention where it actually reduces risk. It also guards against the quiet demoralization that drives people to abandon privacy entirely, the sense that since you cannot defend against everything you may as well defend against nothing. You do not have to. You have to defend against what is plausible for you, and a clear threat model turns an impossible problem into a manageable one by telling you, precisely, which battles are yours to fight. Everything else in privacy is downstream of that decision, which is why it is the one to make first, and to revisit as your life changes.