Three Privacy Threat Models, and How to Mitigate

When thinking about your digital privacy, it is important to consider which threat model you are protecting against. You have to consider how important each threat is to you, and what you are willing to do to protect against it.

Privacy Threat Models

You can break down the data privacy threats into three layers: device, network, and servers.

For each of these threats, you can consider:

  1. What is the worst-case harm if your data was revealed to an unwanted party?
    • Mild annoyance (for example at ads you don't want)
    • General disquiet at being surveilled
    • Embarrassment, for example, someone finding you watching pornography
    • Being fired, for example in retaliation for labor organizing or whistle-blowing
    • Being prosecuted, for example by an authoritarian regime or by a US state enforcing regressive abortion laws
    • Being physically harmed or killed, for example, if you are the subject of intimate partner violence (domestic violence)
  2. What is the probability of that worst-case harm happening?
    • Are you a member of some vulnerable minority that has enemies?
    • Does your work mean you have highly valuable confidential information?
  3. Who are the stewards of your data? These are the people or institutions that have access to your data in the normal course of business.
  4. Who might be the unwanted parties who would cause you harm if they see your personal data?
  5. What mitigation can you do to reduce the probability of harm?
    • For device protection, you can use incognito or private browsing
    • For network protection, you can use a paid VPN (avoid most free VPNs; they actually reduce your privacy)
    • For server protection, use the privacy settings of each service to increase your privacy, and if you are in Europe, reject consent for anything except essential cookies
  6. What is the cost of doing that mitigation, whether direct cost or reduction in usefulness of the service you are using?

As a summary, here is a framework for thinking about privacy threat models:

|                          | Device                                                              | Network                                                                          | Servers                                                 |
|--------------------------|---------------------------------------------------------------------|----------------------------------------------------------------------------------|---------------------------------------------------------|
| Data under threat        | on your physical device, or accessible in the cloud via your account | in transit                                                                       | stored or logged in the cloud                           |
| Stewards of your data    | Apple, Samsung, Google, Mozilla, Firefox, app developers, ...        | coffee shop, airport, employer, Verizon, AT&T, Comcast, Akamai, Cloudflare, ...  | Google, Facebook, Amazon, TikTok, ...                   |
| Who might take your data | family members, police, ...                                         | employer, prosecutors, government security services, ...                         | prosecutors, government security services, hackers, ... |
| Good mitigation          | incognito mode, private browser, don't log in                       | paid VPN, Tor                                                                    | don't log in, reject cookies, modify privacy settings   |
| Cost of mitigation       | lose convenience of personalization                                 | monetary cost, reduced speed                                                     | lose convenience of personalization                     |
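As an added worked example (not code from the original post), the six questions and the summary table above can be turned into a small risk-ranking script: each layer gets a threat with a worst-case harm, a probability, its stewards and its likely adversaries, and the script ranks the threats and picks the mitigations that are worth their cost. The harm ladder, the three layers and the mitigations are the post's; the numeric severity ranks, the 0 to 3 cost scale, the probability estimates and the sample persona are constructed assumptions.

```python
# Added worked example (not from the original post): the six questions
# above encoded as a small risk-ranking script. The harm ladder, layers
# and mitigations come from the post; the numeric weights, the cost scale
# and the sample persona are constructed assumptions.
from dataclasses import dataclass

# Step 1: worst-case harms, ranked least to most severe (order from the post).
HARM_LEVELS = [
    "mild annoyance",
    "general disquiet",
    "embarrassment",
    "being fired",
    "being prosecuted",
    "physical harm or death",
]

# Steps 5 and 6: mitigations per layer with a rough cost on a constructed
# 0 (free) to 3 (expensive or very inconvenient) scale.
MITIGATIONS = {
    "device": [("private/incognito browsing", 1), ("don't log in", 1)],
    "network": [("paid VPN", 2), ("Tor", 2)],
    "servers": [("reject non-essential cookies", 0),
                ("tighten privacy settings", 1),
                ("don't log in", 1)],
}


@dataclass
class Threat:
    layer: str            # "device", "network" or "servers"
    worst_case: str       # step 1: one of HARM_LEVELS
    probability: float    # step 2: your own estimate, 0.0 to 1.0
    stewards: list        # step 3: who holds the data in the normal course of business
    adversaries: list     # step 4: who would cause harm if they saw it

    def severity(self) -> int:
        """Rank of the worst-case harm, 1 (annoyance) to 6 (physical harm)."""
        return HARM_LEVELS.index(self.worst_case) + 1

    def risk(self) -> float:
        """Severity weighted by probability; rounded to avoid float noise."""
        return round(self.severity() * self.probability, 2)


def rank_threats(threats):
    """Order threats by risk, highest first, so effort goes where it matters."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def plan(threats, risk_threshold, max_cost):
    """Pick mitigations for threats whose risk crosses the threshold,
    skipping any mitigation whose cost exceeds what you are willing to pay."""
    chosen = []
    for t in rank_threats(threats):
        if t.risk() < risk_threshold:
            continue
        for name, cost in MITIGATIONS[t.layer]:
            if cost <= max_cost:
                chosen.append((t.layer, name))
    return chosen


# Constructed persona (assumption for illustration): an employee considering
# whistle-blowing, using a personal laptop on the office network.
SAMPLE = [
    Threat("device", "embarrassment", 0.2,
           ["Apple", "app developers"], ["family members"]),
    Threat("network", "being fired", 0.5,
           ["employer", "Comcast"], ["employer"]),
    Threat("servers", "being prosecuted", 0.1,
           ["Google"], ["prosecutors"]),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE):
        print(f"{t.layer:8} risk={t.risk():.2f} worst case: {t.worst_case}")
    print("mitigate:", plan(SAMPLE, risk_threshold=0.55, max_cost=1))
```

Run as written, the persona's network threat ranks first (a likely firing outweighs an unlikely prosecution), but with a cost ceiling of 1 neither VPN nor Tor makes the cut, so the plan falls back to the cheap device-side mitigations; raising the cost you are willing to bear is what brings the network mitigations in, which is exactly the trade-off step 6 asks you to make.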