Privacy and Threat Modelling
One often hears people ask if a product or service is “good for privacy” or if some practice they intend to incorporate is “good enough” for their privacy needs. The problem with most such questions is that they often lack the necessary context, called a threat model, in order to even begin to understand how to answer them. Understanding your own threat model (and making any implicit model you carry more explicit to yourself) is one of the most important steps you can take to improve your privacy.
What is a Threat Model?
A threat model is a list of possible vulnerabilities, often with attached priorities. In the context of personal privacy, this includes anyone who you might not want to learn private information about you, what private information you most want that party to remain ignorant of, and why. For example, someone may not want their ISP to learn that they are communicating on LGBTQ+ forums, because their ISP is their school and their school might tell their parents, whom they are not yet ready to tell. In this example they might say “I don’t want the school to learn” but because of the reasons it may actually be more important to say “I don’t want my parents to learn.” So the ISP, the school, and the parents all represent potential vulnerabilities, with the parents as the most important.
Why is a Threat Model Important?
You cannot protect your privacy unless you know what your are protecting and what you are defending against. Otherwise you may take extra steps to secure something not worth protecting, omit something you were unaware needed protected, or even protect something at the detriment of something you would have cared more about. Privacy is not a slider from zero to infinity, you cannot be simply “more” or “less” private in some general abstract way.
For example, someone may be a part of a group of insurgents in a small country. They wish the contents of their communication to be kept a secret from the current government if any one of them is found out, so they choose to use an end-to-end encrypted messaging app. They have prevented their mobile carrier and government from logging their messages! They also secure their devices with biometrics so they cannot be stolen. However, due to the unpopularity of this app in their country, when asked the carrier can immediately identify the current location of anyone using it. When any of these people are brought in for questioning, the investigator forces the biometric (face or fingerprint) onto the device from the person in custody, unlocks it, gets access to all the decrypted messages, and let’s just say the insurgency is over.
So did the insurgents make “un-private” choices? No! For other people with different vulnerabilities, their choices may have been ideal. But when their identity and current location is more at risk than the content of their messages, sending messages less-encrypted over a more-popular app or protocol (which could have all contents logged for all users, but very likely does not), and deleting them regularly from the local device in case they are caught, would have been more effective.
“Privacy LARPing” is what happens when someone wants to be “more private” because it is cool and not because they have any well-reasoned need for privacy. Believe it or not, this kind of use case also has a threat model. The model may be more built on what kinds of vulnerabilities are currently trendy to defend against, but it exists nonetheless. Putting thought and explicit description into your threat model can be a great way to seem even more “with it” so it’s highly recommended. You may even identify real threats of concern (there certainly are some for everyone) and move beyond the LARP and into addressing your real needs.
How to Build a Threat Model
This is really an introspection activity. Ask yourself what kind of entities are most concerning to you. Estranged friends or lovers? The other people at the airport or coffee shop? Local police? Local SUV owners? Federal agencies? Data brokers? The list of people who may want to know more about you than you want them to is endless, so revisit your model from time to time. Try to add to it and refine it. This kind of work is never “done” because the scope is so vast. Do talk to others and educate yourself about what the set of possible threats is, but do not take each new threat you learn about with the same weight. Try to understand whether mitigations or new techniques are able to acheieve what you need, rather than blindly applying every “defense” without regard for context.