Threat Modeling: A Practical Framework
Before installing any privacy tool, you need to answer one question: what are you actually protecting, and from whom? This page walks through a structured threat modeling framework used by security professionals and adapted for civilian use.
Why Threat Modeling Comes First
Most people either do too little — installing one VPN app and assuming they're safe — or too much — trying to implement enterprise-grade security for everyday tasks, burning out from the friction, and abandoning everything. Both outcomes leave you less protected than a calibrated, sustainable approach.
The EFF's Surveillance Self-Defense guide defines threat modeling as identifying your assets, your adversaries, the probability of attack, the consequences of failure, and the countermeasures worth implementing. The goal is proportional protection — not paranoia, not negligence.
"Security is not a product, but a process." — Bruce Schneier, security technologist, "Secrets and Lies" (2000)
The Five Questions
1. What do I want to protect? List your assets: financial data, browsing history, location, communications, professional contacts, source identity. Be specific — "my privacy" is too broad to act on.
2. Who am I protecting it from? Name your adversaries: advertisers and data brokers (low capability, broad reach), hackers (variable capability, opportunistic), employers, law enforcement with legal process, intelligence agencies (high capability, targeted). Each requires different countermeasures.
3. How likely is a threat to materialize? A journalist in a repressive regime faces imminent, targeted threats. A software developer in Germany is unlikely to be targeted by state actors. Overestimating threat probability leads to unsustainable friction.
4. How bad are the consequences of failure? Embarrassing personalized ads vs. leaked professional documents vs. exposed source identity vs. physical danger. This determines how much friction is worth accepting.
5. How much inconvenience will I accept? Perfect privacy requires significant effort. Unsustainable security setups get abandoned. A 70% solution you maintain is better than a 100% solution you use for two weeks.
Real-World Threat Model Examples
Example A: Freelance journalist, covering local politics
Assets to protect: Source identities, unpublished documents, interview notes.
Adversaries: Political targets of reporting, opportunistic hackers, potentially law enforcement with legal process.
Recommended setup: Signal for source communications (disappearing messages on), Tor Browser for sensitive research, ProtonMail for encrypted email, separate devices for work and personal use, full-disk encryption on all devices.
Example B: Remote worker, avoiding behavioral profiling
Assets to protect: Browsing behavior, purchase history, location data.
Adversaries: Data brokers, advertising networks, employer monitoring on work devices.
Recommended setup: Firefox + uBlock Origin (hard mode), NextDNS, email aliasing via SimpleLogin, separate browser profiles for work and personal use, password manager.
Example C: Abuse survivor, protecting location
Assets to protect: Physical location, new contact information, social connections.
Adversaries: Specific individual with moderate technical capability and high motivation.
Recommended setup: New accounts entirely (email, social media) with no overlapping usernames. New phone number (VoIP or new SIM). Location services disabled. No check-ins. Careful about photos containing EXIF data or identifiable backgrounds.
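The EXIF point in Example C is the one recommendation on this page that can be checked mechanically before a photo is shared. The Python below is an added illustration, not part of the original guide: using only the standard library it walks a JPEG's marker segments, parses the TIFF structure inside the Exif APP1 segment, reports whether a GPS sub-IFD is present, and writes a copy with the metadata segments removed. The sample image is a hand-constructed minimal JPEG (an Exif header pointing at a GPS IFD, no real pixel data) so the script runs offline; on a real photo you would pass the file's bytes instead.

```python
"""Detect and strip Exif/GPS metadata from a JPEG with the standard library only.
The sample image built below is constructed for this example; it is not a real photo."""
import struct

EOI, SOS, APP1, COM = 0xD9, 0xDA, 0xE1, 0xFE
GPS_IFD_POINTER = 0x8825   # IFD0 tag whose value is the offset of the GPS sub-IFD
EXIF_IFD_POINTER = 0x8769  # IFD0 tag whose value is the offset of the Exif sub-IFD


def iter_segments(data):
    """Yield (marker, raw_segment_bytes) for each JPEG marker segment.
    Stops at SOS (everything after it is entropy-coded scan data) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            yield marker, data[pos:pos + 2]
            return
        if marker == SOS:
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def exif_tags(app1_segment):
    """Parse the TIFF structure inside an Exif APP1 segment.
    Returns {(ifd_name, tag_id): (type, count, value_or_offset)}, or None if not Exif."""
    if app1_segment[4:10] != b"Exif\x00\x00":
        return None                      # e.g. an XMP APP1 segment, which is not Exif
    tiff = app1_segment[10:]
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    tags, seen = {}, set()

    def read_ifd(offset, name):
        if offset in seen or offset + 2 > len(tiff):
            return                       # guard against pointer loops and truncated files
        seen.add(offset)
        count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
        for i in range(count):
            entry = offset + 2 + 12 * i  # each IFD entry is 12 bytes
            tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
            value = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
            tags[(name, tag)] = (typ, n, value)
            if tag == GPS_IFD_POINTER:
                read_ifd(value, "GPS")
            elif tag == EXIF_IFD_POINTER:
                read_ifd(value, "Exif")

    read_ifd(ifd0_offset, "IFD0")
    return tags


def gps_tags(jpeg):
    """Sorted GPS tag ids found in the image; an empty list means no GPS IFD."""
    found = []
    for marker, seg in iter_segments(jpeg):
        if marker == APP1:
            tags = exif_tags(seg)
            if tags:
                found += [tag for (ifd, tag) in tags if ifd == "GPS"]
    return sorted(found)


def strip_metadata(jpeg):
    """Drop APP1..APP15 (Exif, XMP, IPTC) and COM segments; keep APP0 (JFIF) and image data."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if APP1 <= marker <= 0xEF or marker == COM:
            continue
        out += seg
    return bytes(out)


def build_sample_jpeg():
    """Constructed input: SOI + Exif APP1 (IFD0 -> GPS IFD) + EOI, no pixel data."""
    e = "<"                                          # little-endian TIFF ("II")
    # TIFF layout: header at 0..8, IFD0 at 8..26, GPS IFD at 26..56
    ifd0 = struct.pack(e + "H", 1)
    ifd0 += struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, 26)      # LONG -> GPS IFD offset
    ifd0 += struct.pack(e + "I", 0)                                 # no next IFD
    gps = struct.pack(e + "H", 2)
    gps += struct.pack(e + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef, inline ASCII
    gps += struct.pack(e + "HHI", 0x0003, 2, 2) + b"E\x00\x00\x00"  # GPSLongitudeRef
    gps += struct.pack(e + "I", 0)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags before:", gps_tags(sample))                   # [1, 3]
    print("GPS tags after: ", gps_tags(strip_metadata(sample)))  # []
```

Stripping only removes what is stored inside the file; the identifiable backgrounds the example also warns about are part of the image itself and survive any metadata removal, which is why the page lists both.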
Example D: Activist in a high-surveillance environment
Assets to protect: Communications, contacts, location history, device contents.
Adversaries: State-level actors with legal authority to compel data from service providers.
Recommended setup: Tails OS or Qubes OS, Tor for all communications, cash purchases only, burner devices, in-person key exchange for critical contacts, regular security training. This tier requires professional assistance — consult Access Now's Digital Security Helpline or Freedom of the Press Foundation.
Common Threat Modeling Mistakes
- Treating all threats as equal: Using Tails OS for everyday browsing while using Gmail for sensitive communications. The weakest link determines your real protection level.
- Focusing only on tools, not behavior: The most secure tool is useless if you log into your real account while using it, or discuss sensitive plans over an unencrypted channel.
- Ignoring device security: A compromised endpoint — malware on your device — defeats any network-level protection. Tor cannot protect you from a keylogger.
- One-time setup thinking: Threat models change. A tool that was trustworthy can be acquired by a hostile company, served with a legal order, or have a vulnerability discovered. Security requires ongoing maintenance.