Defining Your Threat Model
First published: May 2019. Latest revision: April 2021.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.
In choosing a trustworthy VPN service, you need to determine the degree of threat (risk) to your security and privacy to which you will be exposed when connecting to and using the Internet. The greater the threat, the greater security and privacy your VPN needs to provide to you.
In discussing this topic, let’s start with some definitions:
In computer security, a threat is a potential event that could undermine your efforts to defend your data. Threats can be intentional (conceived by attackers), or they could be accidental (you might leave your computer turned on and unguarded).
Your adversary is the person or organization attempting to undermine your security goals. Adversaries can be different, depending on the situation. For instance, you may worry about criminals spying on the network at a cafe, or your classmates logging into your accounts on a shared computer at a school. Often the adversary is hypothetical.
A way of thinking about the sorts of protection you want for your data so you can decide which potential threats you are going to take seriously. It's impossible to protect against every kind of trick or adversary, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible threats you plan to protect against is called threat modeling or assessing your risks.
(from a previous version of the web page https://ssd.eff.org/en/module/your-security-plan)
You may at this point be thinking that this talk of an “adversary” and “threats” and a “threat model” has nothing to do with you as someone who wants to use a VPN service merely to achieve a modicum of security and privacy.
However, we should really look at the “big picture.” We need to keep in mind that there is a wide-ranging spectrum of potential security and privacy issues for Internet users, and just because you and I are an average “Jane” or “John Doe” does not mean we are not included within the range of threat models. Our threat model may be skewed far to the side of simplicity and mere annoyance as opposed to the side of complexity and actual danger, but as long as we use the Internet in any manner, shape or form, we and our data are threatened.
Creating a comprehensive security plan
When considering how to protect your privacy and stay secure on the internet, carefully consider who or what worries you most. Defending yourself against everything is almost impossible. And any attempt to do so will likely seriously degrade the usability (and your enjoyment) of the internet.
Every Internet user is exposed to at least a minimal level of threat to their security and privacy. One’s personal security plan must be adequate yet not overbearing, providing protection within a reasonable expenditure of time, effort and other resources.
“How do I make my own security plan? Where do I start?
“Security planning helps you to identify what could happen to the things you value and determine from whom you need to protect them. When building a security plan answer these five questions:
- What do I want to protect?
- Who do I want to protect it from?
- How bad are the consequences if I fail?
- How likely is it that I will need to protect it?
- How much trouble am I willing to go through to try to prevent potential consequences?
Let’s examine these questions… I’ll provide some items to consider in answering them and provide examples of a common scenario and a “worst-case” scenario threat model.
What do I want to protect?
Not only is your transmitted data and metadata potentially exposed during an Internet session, but so too is your privacy, your reputation, all of the data on your computer (including contact lists), your location, your habits, your likes and dislikes, etc.
E.g., let’s say your physician has ordered tests for a potentially serious medical condition. You may actually be fairly healthy, but naturally you are quite anxious about this. So you scour the Internet for information about that medical problem.
It’s very likely that you would prefer to keep this situation private, at least for now. So you definitely have something to “protect.”
What needs to be protected in another scenario also includes data, but also the actual identity of an individual and others who are involved with that person. Consider a journalist who is investigating a corrupt politician in a non-democratic country. The journalist is working with “reliable sources” within the government who have furnished information regarding the corruption. The journalist needs to send the story to a media outlet in another country via the Internet. It’s obvious that this data is something to be protected — security and privacy is essential.
Who do I want to protect my data/metadata from?
The answer to that question is the “adversary” that was defined at the beginning of this article. Note that the definition of this term does not require that the adversary be an utterly nefarious criminal who is “out to get you.” Certainly an adversary can be a criminal, but may also be your ISP (Internet Service Provider) that would like to take advantage of information it can gather about you.
Since early 2018 when the US internet privacy laws were dissolved, your ISP can “snoop” on your Internet activity with no legal ramifications. Your ISP can monitor and record your web browsing history, location data, devices used information, date and time of connections, etc. Moreover, your ISP can sell any or all of that data to any marketer or other third party of their choice.
Let’s return to the earlier example situation in which you are investigating a potentially serious medical condition. If your Internet connection was not secured, now your ISP knows all about the searches you performed and the websites you visited. The ISP can sell that information to an insurance company database that collects information on the medical conditions of individuals. Hence, your ISP is your adversary and, secondarily, so is the insurance company database.
Another adversary may be the “hacker” sitting in the coffee house who is snooping on the free public Wi-Fi network there, gathering all sorts of information by capturing the data flow of customers who are sipping away at their coffee while they surf the Internet.
Returning to the journalist example, protection of the data (from investigative reporting) from a corrupt government is the most important secrecy/privacy goal.
How bad are the consequences if I fail?
To answer this question, we have to consider the capabilities of the adversary.
As noted above, your ISP has many legal options as to what it wants to do with your data. However, it is unlikely (one would hope) that they would engage in fraudulent use of data collected from your Internet activity. Nevertheless, there is still the consequence of loss of personal privacy.
Consequences may well be worse relative to the “hacker” who snoops on public Wi-Fi connections. Such an adversary would likely use or sell financial or other personal info that was obtained. All sorts of problems could be a result.
In our example cases, the consequence of the dissemination of information about a medical condition could result in denial of an insurance application. Consequences could be much worse for the journalist, who could be imprisoned or killed.
How likely is it that I will need to protect it?
Here we have to assess the likelihood of a threat succeeding and how severe the consequences would be to you if the threat does succeed. If either the likelihood of succeeding or the untoward consequences approaches zero, then you may decide that you can ignore that threat. This decision depends on one’s personal priorities.
Returning again to our examples, the threat of release of information regarding your potential medical condition may not bother you all that much. Perhaps you already have plenty of insurance and you already freely share your medical information with all of your acquaintances. To you it’s no big deal if some more information gets out. Thus, even if the risk of the ISP selling the data is moderate or high, because the other factor (the effect on you) is minimal (because you don’t care), then this threat can be ignored.
On the other hand, the journalist in the foreign country is at least moderately at risk that a threat will succeed. Furthermore, the consequences of a successful threat are dire. Hence, the journalist needs the greatest possible level of privacy and security protection.
How much trouble am I willing to go through to try to prevent potential consequences?
The solution to this question relies on the answer to the previous question and also an analysis of the time, effort and cost one is willingly to expend to attain the necessary level of privacy and security. Regarding Internet privacy and security, different strategies can be implemented to provide at best two of the following three factors, but never all three together: convenience, low cost, high protection.
Thus, in our example of a medical condition, since we’ve declared the privacy of this information to be not important, no special measures are needed to protect the data, preserving convenience and low cost but completely losing protection.
The foreign journalist, however, is greatly motivated to seek high protection, even at the expense of convenience and cost. Highly private and secure Internet communication may require initiating connections from randomly rotated public Wi-Fi hotspots, routing connections through an anonymizing network (like Tor) and securely tunneling connections through not just one but two VPN services.
Don’t minimize your threats
So, if we answer these questions for our own personal situation, we should be able to come to a conclusion about our threat model and the security plan that model suggests that we implement.
However, please beware of underestimating your threats. Let’s reiterate the current situation of privacy regulations in the US:
Previously, Internet privacy rules, as passed in 2016, required ISPs to get explicit permission from their subscribers in order to share information such as a user’s browsing history, application usage, location and content of emails and other Internet communications.
In 2018, those privacy rules were negated. Now, an ISP can sell any information that’s it collects from its customers.
The loss of the FCC privacy regulations would seem to expose every one of us to at least some degree of “threat.”
Indeed, I consider my ISP to be an adversary, and the threat to my privacy by that adversary is sufficient reason for me to implement a security plan. That plan definitely includes the use of a trustworthy VPN service.
For further reading, a very comprehensive discussion of threat models and mitigations is presented in the article “Will a VPN Protect Me? Defining Your Threat Model” which is available at https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me.
Ascertaining your threat model and creating a security plan are critically important steps in the process of choosing a trustworthy VPN that can help you in protecting your Internet security and privacy.
In the next article of this “Choosing a Trustworthy VPN” series, titled “Summary of How to Choose a VPN”, we’ll review the issues that have been raised in the quest for a VPN service, and I’ll present my personal ranking of the relative importance of the various factors influencing my choice of a trustworthy VPN.