Published 2026-04-28 | 8 min read | Topic: opsec

Threat Models for Normal People

Most privacy advice on the internet is written by people defending against the wrong threat. Before you buy a hardware key, learn the names of three encrypted messengers, and switch to GrapheneOS, you need to answer one question: who actually cares about you, and what would they do?

What a threat model is

A threat model is just a structured answer to four questions. The answers don't have to be paranoid; they have to be honest.

  1. What am I trying to protect? (your assets)
  2. Who am I trying to protect it from? (your adversaries)
  3. How likely is each adversary to try? (capability × motivation)
  4. What is the cost of being wrong? (consequence)

Notice what's missing: nothing about which app to use, which browser is best, or whether you should run Tails on a Faraday-bagged ThinkPad. Tools come last. Most people pick tools first and then back-fill the threat model to justify them, which is how you end up using Signal to message your mom about dinner while logged into Facebook on the same device.

The five archetypes

Real threat models cluster into a small number of patterns. Find the one closest to yours and start there.

1. The default citizen

Who you are: Employed, unremarkable politically, no public profile, no enemies, not a journalist or activist or executive.

Real adversaries: Ad networks, data brokers, breach aggregators, the occasional opportunistic phishing crew, and your ISP selling browsing history.

Not your adversary: Nation-state actors. The FBI. Mossad.

Your problem is bulk surveillance and credential stuffing, not targeted attack. The right tools are: a password manager, hardware-backed 2FA on your email, an ad-blocker, and a default-encrypted browser. Spending a weekend hardening a Linux laptop will not improve your safety because the threats you face don't go through that laptop.

2. The semi-public person

Who you are: Streamer, mid-tier creator, small-business owner, local politician, doctor with a public address, anyone whose name + city is enough to start trouble.

Real adversaries: Stalkers, harassers, doxers, swatters, opportunistic identity thieves who know your real name.

Not your adversary: Probably still not a nation-state, but maybe a determined individual.

Your problem is name-to-address linkage. Spending money on data-broker removal services (DeleteMe, Privacy Duck, Optery) is genuinely useful here in a way that it isn't for archetype 1. So is a P.O. box for your business registrations, a separate "public" phone number (Google Voice or a SIM you can burn), and removing your home address from voter rolls where state law allows.

3. The high-value target

Who you are: C-suite executive, crypto holder with public wallet, lawyer with notable cases, anyone whose compromise is worth five or six figures to someone.

Real adversaries: Targeted phishing crews, SIM-swap rings, business email compromise operators, contractor-level corporate espionage.

Your problem is account takeover and social engineering. The mitigations are different in kind: hardware security keys (YubiKey, Titan) on every account that supports them, a SIM-swap PIN with your carrier, a separate device for high-value account access that does not run your daily email, and — critically — verbal authentication codewords with people who can authorize wire transfers.

4. The journalist or activist

Who you are: Reporting on power, organizing against it, or sourcing leaks.

Real adversaries: Subpoenas, legal orders to platforms, source-protection failures, infiltrators, and in some jurisdictions, the state.

Now the heavy machinery starts to matter: SecureDrop for source intake, Signal with disappearing messages for routine comms, encrypted laptops with verified-boot OSes, and an actual operational discipline around device separation. The Freedom of the Press Foundation's guides are written for this archetype and you should read them before improvising.

5. The high-risk dissident

Who you are: Opposition organizer, exiled critic, leaker of state secrets, whistleblower against organized crime.

Real adversaries: Nation-state intelligence services with implants, supply-chain access, and physical-world capability.

If you are in this category, no blog article is your starting point. Get a referral to a non-profit that does individualized threat modeling: Access Now Helpline, EFF, or Citizen Lab. Boilerplate advice will get you killed.

Where most people get it wrong

The Tor Trap. A surprising number of archetype-1 users route their daily browsing through Tor. This raises their suspicion profile, breaks half the sites they use, encourages them to log in to identity-bound accounts (Gmail, banking) over Tor (which destroys both anonymity and account security), and solves a problem they don't have. If your threat is ad-tracking, you want a private-by-default browser, not anonymous routing.

The other common error is treating privacy as a binary: "I have Signal, therefore I am encrypted." Encryption is necessary, not sufficient. Your metadata — who you talked to, when, for how long, from where — leaks even when content is sealed. Your endpoints are where the real attacks land: a perfect protocol does not protect you from a compromised phone. Your recovery flow (the email or phone number you use to reset everything) is usually the weakest link in the chain.

A worked example

Imagine you are a freelance accountant. Your clients send you sensitive documents. Walk through it:

| Question | Answer |
|---|---|
| Assets | Client tax records, bank statements, my own login credentials |
| Adversaries | Phishers, opportunistic ransomware, a future disgruntled client |
| Likelihood | Phishing attempts: weekly. Targeted attack: low. Nation-state: ~zero. |
| Consequence | Loss of license, civil liability, IRS enforcement |

The right interventions fall out of this table: encrypted document portal (not email attachments), hardware key on the email account, separate work device, professional liability insurance, and a written incident-response plan. None of those are "privacy tools" in the consumer sense — they are professional risk management. Which is what threat modeling actually is.

Two rules that keep you honest

  1. If the tool isn't solving an adversary in your model, you are LARPing. Buying a Faraday bag because it's cool is fine; buying one and pretending it improves your safety against ad networks is not.
  2. The thing you do every day matters more than the thing you do perfectly once. A password manager you actually use beats a hardware key you forgot at home. Signal you remember to open beats PGP you set up in 2019.

The exercise. Open a text file. Write your four answers. Be specific — "hackers" is not an adversary, "credential-stuffing bots replaying my breached LinkedIn password" is. Now look at every privacy tool you use and ask which row of your model it serves. Anything that doesn't map is decorative.
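
The exercise can be checked mechanically. The script below is an added example, not part of the original article: it parses a plain-text model, ranks adversaries, and lists tools that serve no live adversary as well as adversaries that no tool covers. The file format, the 0-5 scores, the likelihood × consequence ranking and the tool list are assumptions, constructed from the freelance accountant example.

```python
"""Audit a tool list against a written threat model (added example)."""

# Constructed sample based on the freelance accountant example.
# The line format and the 0-5 scores are assumptions made for illustration.
MODEL = """
adversary: phishers | likelihood=5 | consequence=4
adversary: opportunistic ransomware | likelihood=3 | consequence=5
adversary: disgruntled client | likelihood=2 | consequence=3
adversary: nation-state | likelihood=0 | consequence=5
tool: hardware key on email | phishers
tool: encrypted document portal | phishers, disgruntled client
tool: Faraday bag |
tool: Tor for daily browsing | nation-state
"""

def parse(text):
    """Return ({adversary: risk}, {tool: [adversaries it claims to serve]})."""
    adversaries, tools = {}, {}
    for line in text.strip().splitlines():
        kind, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split("|")]
        if kind == "adversary":
            scores = dict(f.split("=") for f in fields[1:])
            # Assumed ranking metric: likelihood times consequence.
            adversaries[fields[0]] = int(scores["likelihood"]) * int(scores["consequence"])
        elif kind == "tool":
            tools[fields[0]] = [a.strip() for a in fields[1].split(",") if a.strip()]
    return adversaries, tools

def audit(text):
    adversaries, tools = parse(text)
    # Only adversaries with non-zero risk count as being in the model.
    live = {a for a, risk in adversaries.items() if risk > 0}
    # A tool is decorative if it serves no live adversary (or none at all).
    decorative = sorted(t for t, serves in tools.items() if not live & set(serves))
    covered = {a for serves in tools.values() for a in serves}
    # Live adversaries with no tool mapped to them, highest risk first.
    gaps = sorted(live - covered, key=lambda a: -adversaries[a])
    ranking = sorted(adversaries, key=lambda a: -adversaries[a])
    return {"ranking": ranking, "decorative": decorative, "gaps": gaps}

if __name__ == "__main__":
    for key, value in audit(MODEL).items():
        print(f"{key}: {value}")
```

On this sample the audit flags two decorative tools and also shows that nothing in the tool list addresses ransomware, which is the kind of gap that picking tools first tends to hide.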

Privacy is not a product, an aesthetic, or a personality. It's a function of your specific situation. The people who get it right have done the unglamorous work of figuring out what they actually need to defend, and stopped at the point where additional friction outweighs additional safety. That point is different for everyone — and finding yours is the entire game.
