Defining Your Threat Model

First published: May 2019. Latest revision: March 2023.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.

In choosing a trustworthy VPN service, you need to determine the degree of threat (risk) to your security and privacy to which you will be exposed when connecting to and using the Internet. The greater the threat, the greater security and privacy your VPN needs to provide you.

Definitions

In discussing this topic, let’s start with some definitions:

Threat
In computer security, a threat is a potential event that could undermine your efforts to defend your data. Threats can be intentional (conceived by attackers) or accidental (you might leave your computer turned on and unguarded).

Adversary
Your adversary is the person or organization attempting to undermine your security goals. Adversaries can be different, depending on the situation. For instance, you may worry about criminals spying on the network at a cafe, or your classmates logging into your accounts on a shared computer at a school. Often, the adversary is hypothetical.

Threat Model
A way of thinking about the sorts of protection you want for your data so you can decide which potential threats you are going to take seriously. It's impossible to protect against every kind of trick or adversary, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible threats you plan to protect against is called threat modeling or assessing your risks.

(from a previous version of the web page https://ssd.eff.org/en/module/your-security-plan)

You may at this point be thinking that this talk of an “adversary” and “threats” and a “threat model” has nothing to do with you as someone who wants to use a VPN service merely to achieve a modicum of security and privacy.

However, we should really look at the “big picture.” We need to keep in mind that there is a wide-ranging spectrum of potential security and privacy issues for Internet users, and just because you and I are an average “Jane” or “John Doe” does not mean we are not included within the range of threat models. Our threat model may be skewed far to the side of simplicity and mere annoyance as opposed to the side of complexity and actual danger, but as long as we use the Internet in any manner, shape, or form, we and our data are threatened.

Creating a comprehensive security plan

When considering how to protect your privacy and stay secure on the internet, carefully consider who or what worries you most. Defending yourself against everything is almost impossible. And any attempt to do so will likely seriously degrade the usability (and your enjoyment) of the internet.

(from https://proprivacy.com/guides/the-ultimate-privacy-guide/)

Every Internet user is exposed to at least a minimal level of threat to their security and privacy. One’s personal security plan must be adequate yet not overbearing, providing protection within a reasonable expenditure of time, effort, and other resources.

“How do I make my own security plan? Where do I start?

“Security planning helps you to identify what could happen to the things you value and determine from whom you need to protect them. When building a security plan answer these five questions:

  • What do I want to protect?
  • Who do I want to protect it from?
  • How bad are the consequences if I fail?
  • How likely is it that I will need to protect it?
  • How much trouble am I willing to go through to try to prevent potential consequences?

(from https://ssd.eff.org/en/module/your-security-plan#1)

Let’s examine these questions… I’ll provide some items to consider in answering them and provide examples of a common scenario and a “worst-case” scenario threat model.

What do I want to protect?

Not only is your transmitted data and metadata potentially exposed during an Internet session, but so too is your privacy, your reputation, all of the data on your computer (including contact lists), your location, your habits, your likes and dislikes, etc.

E.g., let’s say your physician has ordered tests for a potentially serious medical condition. You may actually be fairly healthy, but naturally you are quite anxious about this. So you scour the Internet for information about that medical problem.

It’s very likely that you would prefer to keep this situation private, at least for now. So you definitely have something to “protect.”

What needs to be protected in another scenario not only includes data, but also the actual identity of an individual and others who are involved with that person. Consider a journalist who is investigating a corrupt politician in a non-democratic country. The journalist is working with “reliable sources” within the government who have furnished information regarding corruption. The journalist needs to send the story to a media outlet in another country via the Internet. It’s obvious that this data (including the identity of the journalist and the “reliable sources”) is something to be protected. Security and privacy are essential.

Who do I want to protect my data and metadata from?

The answer to that question is the “adversary” that was defined at the beginning of this article. Note that the definition of this term does not require that the adversary be an utterly nefarious criminal who is “out to get you.” Certainly an adversary can be a criminal, but may also be your ISP (Internet Service Provider) if the ISP would like to take advantage of information it can gather about you.

Since 2017, when the US Internet privacy rules were dissolved during the Trump administration, your ISP can “snoop” on your Internet activity with no legal ramifications. Your ISP can monitor and record your web browsing history, location data, device information, date and time of connections, etc. Moreover, your ISP can sell any or all of that data to any marketer or other third party of their choice.

Let’s return to the earlier example situation in which you are investigating a potentially serious medical condition. If your Internet connection was not secured through a VPN, now your ISP knows all the websites you visited when researching the medical condition. The ISP can sell that information to an insurance company database that collects information on the medical conditions of individuals. Hence, your ISP is your adversary, and secondarily, so is the insurance company database.

Another adversary may be the “hacker” sitting in the coffee house who is snooping on the free public Wi-Fi network there, gathering all sorts of information by capturing the data flow of customers who are sipping away at their coffee while they surf the Internet.

Returning to the journalist example, protection of the data (from investigative reporting) from a corrupt government and its agents is the most important secrecy/privacy goal.

How bad are the consequences if I fail?

To answer this question, we have to consider the capabilities of the adversary.

As noted above, your ISP has many legal options as to what it wants to do with your data. However, it is unlikely (one would hope) that they would engage in fraudulent use of data collected from your Internet activity. Nevertheless, there is still the consequence of the loss of personal privacy.

Consequences may well be worse for the “hacker” who snoops on public Wi-Fi connections. Such an adversary would likely use or sell financial or other personal information that was obtained. All sorts of problems could be the result.

In our example cases, the dissemination of information about a medical condition could result in the denial of an insurance application. Consequences could be much worse for the journalist, who could be imprisoned or killed.

How likely is it that I will need to protect my data?

Here we need to assess the likelihood of a threat succeeding and how severe the consequences would be for you if the threat does succeed. If either the likelihood of succeeding or the untoward consequences approaches zero, then you may decide to ignore that threat. This decision depends on one’s personal priorities.

Returning again to our examples, the threat of the release of information regarding your potential medical condition may not bother you all that much. Perhaps you already have plenty of insurance and you already freely share your medical information with all of your acquaintances. To you, it’s no big deal if some more information gets out. Thus, even if the risk of the ISP selling the data is moderate or high, because the other factor (the effect on you) is minimal (because you don’t care), then this threat can be ignored.

On the other hand, the journalist in the foreign country is at least moderately at risk that a threat will succeed. Furthermore, the consequences of a successful threat are dire. Hence, the journalist needs the greatest possible level of privacy and security protection.

How much trouble am I willing to go through to try to prevent potential consequences?

The solution to this question relies on the answer to the previous question and also on an analysis of the time, effort, and cost one is willing to expend to attain the necessary level of privacy and security.

Regarding Internet privacy and security, different strategies can be implemented to provide at best two of the following three factors, but never all three together:

  • convenience
  • low cost
  • strong protection

Thus, in our example of a medical condition, since we’ve declared the privacy of this information to be not important, no special measures are needed to protect the data. This approach results in preserving convenience and low cost but completely losing protection.

The foreign journalist, however, is greatly motivated to seek strong protection, even at the expense of convenience and cost. Highly private and secure Internet communication may require initiating connections from randomly rotated public Wi-Fi hotspots, routing connections through an anonymizing network (like Tor) and securely tunneling connections through not just one but two VPN services.
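The five questions above can be carried through as a small, repeatable exercise. The following Python script is an added example written for this article, not code from the original page or from the EFF guide it quotes. The scoring rule (likelihood multiplied by consequence, with a threat dropped when either factor is zero) and the three scenarios are constructed to mirror the article’s patient, journalist and average-user cases; the exact ratings assigned to each threat are assumptions, not figures from the article.

```python
"""Worked threat-model scoring for the five security-plan questions.

Added example: a tiny risk model, not code from the original article or from
the EFF guide it quotes. Scenario values below are constructed to match the
article's example cases; the scoring rule (likelihood x consequence, drop a
threat when either factor is zero) is an assumption, not a prescribed method.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Coarse rating used for likelihood, consequence and effort budget."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Threat:
    asset: str          # Q1: what do I want to protect?
    adversary: str      # Q2: who do I want to protect it from?
    consequence: Level  # Q3: how bad are the consequences if I fail?
    likelihood: Level   # Q4: how likely is it that I will need to protect it?


@dataclass(frozen=True)
class ThreatModel:
    name: str
    threats: tuple
    effort_budget: Level  # Q5: how much trouble am I willing to go through?


def risk_score(threat: Threat) -> int:
    """Likelihood x consequence on a 0..9 scale (assumed scoring rule)."""
    return int(threat.likelihood) * int(threat.consequence)


def build_plan(model: ThreatModel) -> dict:
    """Split threats into ignored/addressed and derive the protection level.

    A threat whose likelihood or consequence is NONE is ignored, as the
    article suggests; the rest are ranked by risk score, and the required
    protection level is the worst consequence among the addressed threats.
    """
    ignored = [t for t in model.threats if risk_score(t) == 0]
    addressed = sorted(
        (t for t in model.threats if risk_score(t) > 0),
        key=risk_score, reverse=True)
    required = max((t.consequence for t in addressed), default=Level.NONE)
    return {
        "ignored": [t.adversary for t in ignored],
        "addressed": [(t.adversary, risk_score(t)) for t in addressed],
        "required_protection": required,
        # "Don't minimize your threats": flag an effort budget below the need.
        "underprotected": model.effort_budget < required,
    }


# Constructed scenario: the article's patient who does not mind disclosure.
PATIENT = ThreatModel(
    "patient researching a condition",
    (Threat("browsing history about a medical condition", "ISP",
            consequence=Level.NONE, likelihood=Level.HIGH),),
    effort_budget=Level.NONE)

# Constructed scenario: the article's journalist in a non-democratic country.
JOURNALIST = ThreatModel(
    "investigative journalist",
    (Threat("story and identities of sources", "corrupt government and agents",
            consequence=Level.HIGH, likelihood=Level.MODERATE),
     Threat("browsing and connection metadata", "local ISP",
            consequence=Level.HIGH, likelihood=Level.HIGH)),
    effort_budget=Level.HIGH)

# Constructed scenario: an average user whose ISP may legally resell browsing data
# but who has not yet budgeted any effort for protection.
AVERAGE_USER = ThreatModel(
    "average home user",
    (Threat("browsing history and location", "ISP selling data",
            consequence=Level.LOW, likelihood=Level.HIGH),),
    effort_budget=Level.NONE)


if __name__ == "__main__":
    for model in (PATIENT, JOURNALIST, AVERAGE_USER):
        print(model.name, build_plan(model))
```

Run as a script, the patient case ends with the ISP threat ignored and no protection required, the journalist case ranks the local ISP above the government (higher likelihood at the same consequence) and demands the highest protection level, and the average-user case comes out as underprotected, which is the article’s point that an effort budget of zero is not consistent with an ISP that is free to resell your browsing history.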

Don’t minimize your threats

So, if we answer these questions for our own personal situation, we should be able to come to a conclusion about our threat model and the security plan that our threat model suggests that we implement.

However, please beware of underestimating your threats. Let’s reiterate the current situation of privacy regulations in the US:

Previously, the FCC’s Internet Service Provider (ISP) broadband consumer privacy rules, as adopted in 2016, required ISPs to obtain explicit permission from their subscribers in order to share information such as a user’s browsing history, application usage, location, and content of emails and other Internet communications.

In 2017, those privacy rules were negated. Now, an ISP can sell any information that it collects from its customers. ISPs do not hesitate in collecting that data:

Internet Service Providers are Logging EVERYTHING You Do Online

A shocking new report compiled by the FTC (US Federal Trade Commission) details how internet service providers are collecting vast amounts of private information that includes browsing history, device information, and location data. This data is often shared within a broad network of advertisers and partners…

(from https://restoreprivacy.com/internet-service-providers-isp-privacy-data-collection/)

The full FTC-ISP report is available online in .pdf format: Examining the Privacy Practices of Six Major Internet Service Providers.

The “Conclusion” section of that FTC report states:

The findings from our report show that many of the ISPs in our study amass large pools of sensitive data, and that their uses of such data could lead to significant harms, particularly when consumers are classified by demographic characteristics, such as race, ethnicity, gender, or sexuality…

(from Examining the Privacy Practices of Six Major Internet Service Providers)
(bold emphasis added by me)

This FTC report confirms that the loss of the FCC privacy regulations exposes every one of us to at least some degree of “threat.”

Indeed, I consider my ISP to be an adversary, and the threat to my privacy by that adversary is sufficient reason for me to implement a security plan. That plan definitely includes the use of a trustworthy VPN service.

For further reading, a very comprehensive discussion of threat models and mitigations is presented in the article “Will a VPN Protect Me? Defining Your Threat Model,” which is available at https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me.

Summary

Ascertaining your threat model and creating a security plan are critically important steps in the process of choosing a trustworthy VPN that can help you protect your Internet security and privacy.

In the next article of this “Choosing a Trustworthy VPN” series, titled “Summary of How to Choose a VPN”, we’ll review the issues that have been raised in the quest for a VPN service, and I’ll present my personal ranking of the relative importance of the various factors influencing my choice of a trustworthy VPN.