

Your Threat Model
1357 words. An 8 minute read.

Most people, when they request a secure service such as a mailbox on Autistici, Systemli, or Riseup, say they need it to protect their privacy. The truth is that a secure mailbox or a private network can never promise privacy protection on its own. What can promise you such protection is you taking control of your data, your communications, and how you exchange information.

Of course, having a privacy-respecting service for your email and communications is a step forward, but such services are only tools that help you reach the goals of your data protection model. The first step, even before you switch on your computer, is to ask yourself a few questions:

  1. What do you want to protect by using secure services?
  2. From whom do you want to protect it?
  3. What do you know about these people/entities?
  4. Why would they want to surveil you or know who you are?
  5. What means have they used so far to do similar things to others?
  6. What resources do they have? Do they have strong allies?
  7. Would they use these resources or these allies to get directly at you?

What Do You Want to Protect?

Some of these secure service providers don’t analyze your communication network. They don’t sell your data to advertisers, nor do they share your information with marketing companies. But using these services won’t protect you from a third party whose business model is the violation of your privacy rights. If you have a privacy-focused mailbox but sign up for services with an undesirable privacy policy, you’re as vulnerable as someone using Gmail or AOL mail.

A secure mailbox alone can’t make you anonymous. It can do nothing when you provide your real name and details to sign up on a website. And when you download software with trackers and privacy-violating components, you’ll be in danger whether you’re using a trusted VPN or not.

If you want to protect your information, think before you act. Anything with an IP address is vulnerable. Any software you can’t study or modify (basically any proprietary software) is vulnerable. Before you do anything, think about what you want to protect and how you can protect it. Think about how the software or device you use can reveal your real identity and personal information.

From Whom Do You Want to Protect It?

If you want to protect your privacy, you should first review the online services you use, and possibly switch to less invasive alternatives. It is also a good idea to install an anti-tracking plugin in your browser, such as Privacy Badger or uMatrix, together with an ad blocker such as uBlock Origin.

You can’t trust anything online. If something is important enough, discuss it in person; if you need to talk about it online, make sure you’re doing whatever is needed to keep third parties away from your conversation. You using a secure mailbox is not enough. All of us have friends who use Gmail, Outlook, etc. as their mailboxes, and messaging them is obviously not as secure as you may think. If you need to contact them, encrypt your messages. Encryption isn’t only for sharing serious information. Even for scheduling a birthday party in a park, it’s better to encrypt your messages.

No matter if your contact is using a secure privacy-focused mailbox or not, encryption is a good practice for privacy protection.

Data Protection

What Do You Know About These People/Entities?

Always try to learn about companies. Never trust a company or collective just because it says nice things. Judge them by what they have done and how transparent they are. There are a lot of services that gained people’s trust but betrayed them. Hushmail, which claimed to be a secure mail service, was handing government agents data and PGP encryption keys behind its clients’ backs.

And that was a company that claimed to be secure. Imagine what evil companies like Google will do to you. Learn about the companies and people who offer you options and services, and also learn about the services and things you’re using. Try to learn how secure the thing you’re using is and how the service treats you as a user or client. This is not only about online services; you should protect your information in real life and with physical services too. Know that offline services can violate your privacy too. Always try to be as anonymous as you can.

There are a lot of ways your real identity can be revealed. For example, if you pay for something with your credit card, a record of your payment and your identity becomes accessible to a number of people, including the payment company you’re using and the person you’re buying from.

Why Would They Want to Surveil You or Know Who You Are?

This is really a good question. Learn why they want your information. Advertising is one reason. Getting to know you is another. To see how sensitive your personal information is, just think about a possible war. Imagine a government, backed by a series of technology giants, attacking you and your country while knowing every single soldier it’s attacking. How terrifying is that?

Technology giants and privacy-violating services are not only collecting data for themselves. They share this information with third parties like governments and other companies. Always think about how your personal information can be used. No reason is good enough for collecting your information.

What Means Have They Used So Far to Do Similar Things to Others?

Imagine you’re completely safe, but there’s a bunch of personal details and information about you in your friends’ hands. Are they safe too? Are you safe now? Always help and teach your contacts about their security and their information. Let me explain something. NSA agents claim that they don’t collect your data, only metadata. They know that enough metadata can be worth more than the data itself. You won’t be safe in an unsafe community.

Imagine all the houses in a city were made only of glass. Everything is see-through and everyone is known, except you. Everybody will know who you are, because the only person in town without a see-through house is you. Securing your community and your contacts is as important as securing yourself.

Mass Surveillance

What Resources Do They Have? Do They Have Strong Allies?

What services are you using? Imagine buying a secure VPN with a credit card. How safe are you now? A VPN service probably has a limited range of IP addresses. If a surveilling third party has allies, and one of those allies happens to be your credit card company, they will probably know that you bought a VPN from that service, and they will probably know which IP address you might be using, or at least which range of IP addresses you’re on.

This is only one example of what can happen if you break a single rule of being anonymous, and of how a big mass-surveillance network can track your activities. And the worst part is that it costs them nothing. All of this can happen in a minute using bots and algorithms.
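To make the questions above concrete, here is a small threat-model worksheet in Python, added for this post and not part of the original, that models who holds which data about you, who they pass it on to (their allies), and what an adversary can therefore learn, both in the VPN-paid-by-credit-card scenario just described and in the case of friends on Gmail from the previous section. The party names, data items and the single inference rule are constructed sample values.

```python
"""Toy threat-model worksheet: who ends up knowing what about you.
Parties hold data about you; some pass it on to others (their allies). An
adversary learns whatever is held by any party whose data can reach it, plus
anything it can infer. All names and data items are constructed examples."""
from collections import deque

HOLDS = {                     # party -> data items it holds about you
    "card-company":    {"real-name", "paid-vpn-x"},
    "vpn-x":           {"paid-vpn-x", "client-ip-range"},
    "friend-on-gmail": {"real-name", "party-location"},
    "gmail":           {"party-location"},
}
SHARES_WITH = {               # party -> parties it hands data to (allies)
    "card-company":    {"agency"},
    "gmail":           {"agency"},
    "friend-on-gmail": {"gmail"},
}
# Inference rule (assumed): a VPN provider's address pool is known, so knowing
# you paid for VPN X is enough to know which IP range you are on.
INFERS = [({"paid-vpn-x"}, "client-ip-range")]

def sources_feeding(adversary, shares_with):
    """Every party whose data can reach `adversary`, directly or via allies."""
    reached, queue = set(), deque([adversary])
    while queue:
        target = queue.popleft()
        for party, recipients in shares_with.items():
            if target in recipients and party not in reached:
                reached.add(party)
                queue.append(party)
    return reached

def exposure(adversary, holds=HOLDS, shares_with=SHARES_WITH, infers=INFERS):
    """Data items the adversary ends up knowing about you."""
    known = set()
    for party in sources_feeding(adversary, shares_with) | {adversary}:
        known |= holds.get(party, set())
    changed = True
    while changed:            # apply inference rules until nothing new appears
        changed = False
        for premises, conclusion in infers:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return known

if __name__ == "__main__":
    print("agency learns:", sorted(exposure("agency")))
    cash_only = {p: d for p, d in HOLDS.items() if p != "card-company"}
    print("paid in cash instead:", sorted(exposure("agency", holds=cash_only)))
```

Note that paying in cash removes the VPN purchase and the IP range from the agency's view, but your real name and the party location still leak through your friend's Gmail account.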

Would They Use These Resources or These Allies to Get Directly at You?

Are you living in a dictatorship? Or maybe a country with limited freedom? You get the point, huh? Talking on your mobile phone, sending a single text message, or even carrying your cellphone with you can reveal the place you’re in, the area you’re traveling through, the subjects you’re talking about, and a whole lot of other information about you.

And not only your mobile phone. Using your credit card, posting a picture on Instagram or Facebook, opening Google’s website, looking at a CCTV camera, or running a red light: all of these can simply lead to identifying you. Being anonymous in this world takes a lot of work, but it’s not impossible. You just need to ask these questions before anything you do.


If you have any questions or anything to say, please send me an email (PGP key).

21 Oct 2019 #software, #privacy