
Threat Modelling: Building a Personal Privacy Plan

Threat modelling is the foundation of any privacy plan. This guide shows you how to define your adversaries, assets, and realistic risks.

7 min read · 4 February 2026 · Norypt Team

Privacy advice often comes as a list of tools: use Signal, use a VPN, use Tor. But tools without a threat model are just friction. Someone whose primary concern is stopping targeted advertising needs a different approach than a journalist managing sensitive sources. Applying the journalist's setup to the advertising problem adds complexity without proportionate benefit. Threat modelling is the process of reasoning clearly about what you are protecting, from whom, and what level of effort is proportionate — before choosing any tools at all.

What threat modelling is

Threat modelling comes from information security practice, but the underlying logic is general. You are identifying: what assets you have that are worth protecting, which adversaries might want those assets, what capabilities those adversaries have, what the consequences of a failure would be, and what you are prepared to do in response.

This is not a paranoid exercise. It is a rational one. Every security decision involves a trade-off between protection and convenience. Threat modelling lets you make those trade-offs consciously instead of randomly.

The five-question framework

The Electronic Frontier Foundation's Surveillance Self-Defense guide uses five questions as a framework. They are worth working through explicitly:

  • What do I want to protect? Be specific. "My privacy" is too broad. Consider: contact lists, financial records, location history, communications with specific people, professional work, health information, or political activity.
  • From whom? Advertisers and data brokers? Your employer? A hostile ex-partner? Law enforcement in your jurisdiction? A foreign intelligence service? The capabilities of these adversaries differ by orders of magnitude.
  • How likely is the threat? A generic data breach at a company you use is likely. A targeted operation by a sophisticated state actor is not, for most people. Calibrate effort to likelihood.
  • What happens if I fail? Targeted advertising is annoying. Exposure of a journalist's source risks that person's freedom or life. Proportionate response requires understanding the stakes.
  • What am I willing to do? Technical solutions require effort to implement and maintain. Social solutions require changing behaviour. Both have friction. Be honest about your capacity.

Threat actors and their capabilities

Understanding what different adversaries can actually do prevents both underestimation and overestimation:

  • Advertisers and data brokers: Operate through cookies, fingerprinting, device identifiers, and data aggregation. Can build detailed profiles without any individual data point being sensitive. Cannot compel access to your device; rely entirely on your participation in their data collection ecosystem.
  • Data brokers: Aggregate public records, purchase data from apps, and create identity files. Their data is accurate in aggregate. They cannot intercept communications but know a great deal about your offline life, movements, and relationships.
  • ISPs: See all unencrypted DNS queries and traffic destinations. Can sell this data in some jurisdictions. Can be compelled to produce records. Cannot read end-to-end encrypted content.
  • Employers: If you use employer-owned devices or networks, they have broad visibility and broad legal authority. MDM software can read email, track location, and remotely wipe devices.
  • Domestic law enforcement: Can obtain records via legal process. Can compel unlocking in some jurisdictions. Cannot break modern encryption in practice but can seize devices and attempt forensic analysis.
  • Nation-state intelligence services: The most capable adversary. Can conduct zero-click attacks on devices, intercept traffic at the infrastructure level, deploy custom malware, and coerce providers legally and extra-legally. Defending against this level of adversary is extremely difficult and usually only relevant if you are in a specific high-risk category.

The proportionality problem

Privacy advice on the internet frequently conflates threat models. Recommendations appropriate for a journalist managing sources with nation-state interest get applied to someone who wants to stop seeing personalised ads. The result is either that people adopt unnecessarily complex tools they abandon after a week, or that people assume privacy is all-or-nothing and don't bother at all.

Neither response is correct. The advertising threat model is real and affects essentially everyone. Addressing it does not require Tor or air-gapped computers — it requires a browser with sensible defaults, a de-Googled phone, and some friction with data-hungry services. That is achievable for most people without significant lifestyle change.

Your device is your biggest surface area

For most people's threat models, the smartphone is the single largest privacy liability. It knows your location continuously, has access to your contacts, listens (or has the capability to listen) via microphone, stores your communications, and is operated by a platform (iOS or Google Android) with deep data collection interests. A privacy-hardened phone running GrapheneOS addresses this surface area more comprehensively than any other single action most people can take.

After the phone, the laptop is the second largest surface. After the laptop, the network. A layered approach addresses each in order of impact for the relevant threat model.

Example threat models

  • "I want to stop targeted advertising and reduce data broker profiles on me": Hardened browser, de-Googled phone, DNS-level ad blocking on your home network, opt-out requests to major data brokers. No Tor required.
  • "I am a journalist with sensitive sources": GrapheneOS phone, Signal for source communication, Tails for sensitive document work, source compartmentalisation, SecureDrop for initial contact. Significant discipline required across the full workflow.
  • "I run a business with commercially sensitive IP": Encrypted laptops, encrypted communications for sensitive discussions, access controls on business data, a router that doesn't expose your network structure, consideration of travel protocols for border crossings.
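The five questions and the first two example threat models above, worked as a small planner. This is an added example, not part of the original guide and not an EFF or Norypt method; the capability tiers, the 1-5 scores, the effort values and the risk threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Adversary capability tiers (ordering and numbers are assumptions for this example).
TIER = {"advertisers": 1, "data_brokers": 1, "isp": 2, "employer": 2,
        "law_enforcement": 3, "nation_state": 4}

# Controls named in the guide: (name, lowest tier where it is proportionate, effort 1-5).
# Tier and effort values are constructed, not taken from the guide.
CONTROLS = [
    ("hardened browser", 1, 1),
    ("DNS-level ad blocking", 1, 1),
    ("data broker opt-outs", 1, 2),
    ("de-Googled phone", 1, 3),
    ("encrypted laptop", 2, 2),
    ("Signal for source communication", 3, 2),
    ("GrapheneOS phone", 3, 3),
    ("Tails for document work", 3, 4),
    ("source compartmentalisation", 3, 5),
]

@dataclass
class Threat:
    asset: str       # Q1: what do I want to protect?
    adversary: str   # Q2: from whom?
    likelihood: int  # Q3: 1 (rare) .. 5 (expected)
    impact: int      # Q4: 1 (annoying) .. 5 (freedom or life at stake)

def plan(threats, max_effort, threshold=6):
    """Size the plan to the most capable *credible* adversary; max_effort is Q5."""
    risk = lambda t: t.likelihood * t.impact
    ranked = sorted(threats, key=risk, reverse=True)
    credible = [t for t in ranked if risk(t) >= threshold]
    tier = max((TIER[t.adversary] for t in credible), default=0)
    fitting = [(name, effort) for name, min_tier, effort in CONTROLS if min_tier <= tier]
    return {
        "tier": tier,
        "adopt": [n for n, e in fitting if e <= max_effort],
        "gaps": [n for n, e in fitting if e > max_effort],   # needed, but beyond capacity
        "ignored": [t.adversary for t in ranked if risk(t) < threshold],
    }

# Constructed sample models mirroring the first two examples above.
ADS_MODEL = [Threat("browsing history", "advertisers", 5, 2),
             Threat("home address", "data_brokers", 4, 2),
             Threat("messages", "nation_state", 1, 5)]   # unlikely: must not drive the plan
JOURNALIST_MODEL = [Threat("source identities", "law_enforcement", 4, 5),
                    Threat("source identities", "nation_state", 3, 5)]

if __name__ == "__main__":
    for label, model, effort in (("ads", ADS_MODEL, 3), ("journalist", JOURNALIST_MODEL, 4)):
        print(label, plan(model, effort))
```

The `gaps` list is the useful output for the fifth question: it names controls the threat model calls for but that exceed the effort you said you could sustain.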

Your threat model determines your tools. Norypt devices are built to match different threat models — from everyday privacy protection to high-risk professional environments. Understanding yours is the first step to choosing equipment that actually fits your needs.
