Privacy threat modeling

Privacy threat modeling

A threat model is a disciplined answer to five questions:

  1. What must be protected?
  2. From whom?
  3. What capabilities do they have?
  4. What would failure cost?
  5. Which risks remain after the proposed controls?

It prevents a privacy company from selling the same tool to everyone with the same promise. The customer facing a data broker, an abusive partner, a phishing campaign, a malicious employee, a service breach, or a lawful investigation does not have the same problem.

The record

Every sensitive engagement and product change should record:

  • assets such as messages, files, identity, address, social graph, device, money, or support transcript
  • likely adversaries and their realistic capabilities
  • harms to safety, dignity, money, continuity, legal position, or reputation
  • controls proposed and the reason each one helps
  • limits and residual risks that the customer must understand
  • escalation path if the matter is legal, urgent, or beyond scope

The record should be short enough to use, not a compliance-theatre document. The customer should receive a version that tells them what to do next.

Common assets and limits

Messages and files benefit from end-to-end or client-side encryption, but an unlocked or compromised endpoint can expose plaintext.

Identity, address, and relationship data benefit from minimization, exposure reduction, and product-specific accounts, but billing, delivery, public records, and support can still create linkage.

Metadata benefits from separate services and fewer global identifiers, but timing, IP addresses, device fingerprints, and usage patterns may remain revealing.

Devices benefit from supported hardware, verified boot, strong local authentication, and recovery planning, but physical control of an unlocked device is serious risk.

Support needs consent, redaction, short retention, and limited access, because a support interaction can be the weakest privacy boundary.

Scope boundary

Threat modeling is not a service for concealing crime, destroying evidence, or evading lawful duties. It can provide privacy education, data minimization, account safety, recovery, legal-rights referrals, and evidence-preservation guidance.

When a matter touches a seizure, criminal allegation, court order, domestic violence, or acute danger, the model should trigger Privacy legal and regulatory posture and a qualified external referral.

Product role

Privacy business proposals#Digital safety desk uses threat modeling as the first paid service. Privacy product architecture uses it as a release gate. Privacy trust and governance uses it to prevent misleading promises.

Sources

  1. nist.gov
  2. csrc.nist.gov
  3. imy.se