Your Threat Model: Who Are You Actually Defending Against?

A threat model is a concept borrowed from information security that answers a deceptively simple set of questions: what are you protecting, who wants it, how would they get it, what happens if they do, and what are you willing to do about it. Every security professional builds threat models. Almost no ordinary person does — and the absence of one is the reason most privacy efforts are either disproportionate or misdirected. Edward Snowden, who understands the surveillance apparatus better than almost anyone outside of it, has argued that thinking clearly about your actual adversaries is more valuable than any single privacy tool you could install.

Why This Matters for Sovereignty

Sovereignty is not a blanket posture. It is a set of deliberate decisions calibrated to your actual situation. Thoreau did not fortify Walden against every conceivable threat. He built what he needed, where he needed it, and left the rest alone. The same principle applies to digital privacy. Without a threat model, you are defending against everything and nothing simultaneously — installing tools because they feel protective, toggling settings because they exist, and spending effort on adversaries who have no interest in you while ignoring the ones who do.

The sovereign approach is to name your adversaries, assess the realistic consequences of their success, and invest effort proportional to the actual risk. This is not a complicated exercise. It takes thirty minutes, requires no technical knowledge, and will fundamentally change how you allocate your privacy efforts. Everything else in this series builds on the framework established here.

How It Works: The Five Questions

Threat modeling reduces to five questions, asked in sequence. The answers are different for every person, which is precisely why generic privacy advice is so often wrong.

What are you protecting? Start with an inventory. Your email accounts contain password reset links for everything else you use — making email the skeleton key to your digital life. Your financial accounts contain money. Your phone contains location history, communications, photographs, and health data. Your browsing history reveals interests, concerns, medical questions, political leanings, and purchasing intent. Your social media accounts contain your social graph — who you know and how you interact with them. Not all of these carry the same weight. For most people, email and financial accounts are the crown jewels. Everything else matters less.

Who wants it? This is where threat modeling becomes useful, because the answer determines everything that follows. We can organize potential adversaries into tiers based on their capability, their motivation, and the likelihood that they are actually interested in your data specifically.

How would they get it? Each adversary has different methods. Data brokers aggregate from public records and purchase from app developers. Hackers use credential stuffing, phishing, and malware. Your employer monitors company devices and networks. Law enforcement obtains warrants. Intelligence agencies have capabilities documented by Snowden and others. The methods matter because they determine which defenses are relevant.

What happens if they succeed? The consequences range from mildly annoying (targeted ads that feel creepy) to severely damaging (identity theft, financial loss, personal safety risks). Calibrating your response requires honest assessment of the realistic worst case, not the theoretical worst case.

What are you willing to do about it? Every privacy measure has a cost — in money, time, convenience, or social friction. Using Signal for all communication is more private than using iMessage, but if none of your contacts use Signal, you are talking to yourself. The best threat model is one you will actually follow.

The Adversary Tiers

Tier 1: Data brokers and advertisers. These are the most common adversaries for most people, and the least dramatic. Companies like Acxiom, Oracle Data Cloud, and thousands of smaller brokers aggregate personal data from public records, purchase histories, app data, location data, and web browsing into detailed profiles. These profiles are sold to advertisers, employers, landlords, insurance companies, and other data brokers. The consequence is that you become a product — your behavioral patterns are packaged and sold without your meaningful consent. Zuboff documented this machinery in detail. The defense is moderate effort: data removal services, limiting app permissions, using privacy-respecting browsers and DNS resolvers. None of these eliminate data collection entirely, but they make your data more expensive to collect, which is the realistic goal.

Tier 2: Hackers and scammers. Automated attackers cast wide nets. They buy leaked credential databases and run them against thousands of services simultaneously. They send phishing emails that impersonate banks, employers, and government agencies. They exploit weak passwords and the absence of two-factor authentication. The consequences here are concrete and personal — identity theft, financial loss, compromised accounts, ransomware. The defense is also moderate effort but non-negotiable: a password manager with unique passwords for every account, two-factor authentication on critical accounts, and basic awareness of phishing techniques. These practices block the vast majority of automated attacks. We cover this in detail in the next article.

Tier 3: Your employer. If you use a company device or a company network, your employer can monitor your activity — and many do. Company laptops often run monitoring software. Company Wi-Fi can log network traffic. Company email is, legally and practically, the company’s email. The consequence varies by context, but the defense is straightforward: maintain a complete separation between your personal and professional digital lives. Use your personal phone on your personal cellular connection for anything you would not want your employer to see. Do not use company devices for personal activity. This is not paranoia — it is basic operational hygiene.

Tier 4: Law enforcement with a warrant. If law enforcement obtains a valid warrant, they can compel platforms to disclose your data. Google, Apple, Meta, and every other major platform comply with valid legal process. Your email provider will hand over your emails. Your cloud storage provider will hand over your files. Your phone carrier will hand over your call records and location history. For the vast majority of people, this tier requires no specific defensive action because the probability of being subject to a warrant is negligible. If you are engaged in activities that might attract law enforcement attention, the appropriate response is legal counsel, not privacy tools.

Tier 5: Nation-state intelligence agencies. Snowden documented that agencies like the NSA have the capability to access most digital systems when sufficiently motivated. They can intercept communications, compromise endpoints, and leverage relationships with technology companies. The consequence of being a target at this tier is severe. But the probability, for ordinary people, is effectively zero. Unless you are a journalist covering national security, a political dissident, or an activist operating in a hostile state, optimizing your privacy for this tier is disproportionate — the equivalent of installing a bank vault door on a residential home.

The Proportional Response: Building Your Threat Model

The key insight from this framework is that most people’s actual adversaries are in Tiers 1 and 2. Data brokers want to package your behavioral data. Automated attackers want your credentials and financial information. These are the threats that statistically affect ordinary people, and they are the threats that yield most readily to practical countermeasures.

Optimizing for Tier 5 when your actual threat is Tier 1 is not just disproportionate — it is counterproductive. The practices required to defend against a nation-state intelligence agency (using Tor for all browsing, communicating exclusively through encrypted channels, running a de-Googled phone, avoiding all commercial platforms) impose severe lifestyle costs that most people will abandon within weeks. Meanwhile, the practices that defend against Tiers 1 and 2 (password manager, two-factor authentication, privacy-respecting browser, DNS change, app permission audit) take a weekend to implement and require minimal ongoing effort.

Here is the exercise. Set aside thirty minutes. Open a document or take a sheet of paper. Write down your answers to the five questions above. Be specific and honest. List the accounts and data that matter most to you. Name the adversaries that are realistically relevant to your life. Assess the actual consequences — not the worst imaginable scenario, but the probable one. Then look at what you are currently doing about it and ask whether your efforts are proportional to your actual exposure.

Most people who complete this exercise discover two things. First, they are doing too much in some areas — running tools and performing rituals aimed at adversaries who have no interest in them. Second, they are doing too little in the areas that matter most — reusing passwords, neglecting two-factor authentication, leaving default app permissions in place. The threat model corrects both imbalances.
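The comparison at the end of the exercise can be sketched in code. This is an added example, not part of the original article: the defenses per tier are the ones the article names, while the function name, the labels and the sample profile are constructed for illustration.

```python
# Defenses the article lists for each adversary tier (labels are shorthand).
TIERS = {
    1: ("data brokers and advertisers",
        {"data removal service", "app permission audit",
         "privacy browser", "private DNS"}),
    2: ("hackers and scammers",
        {"password manager", "two-factor authentication",
         "phishing awareness"}),
    3: ("employer", {"separate personal and work devices"}),
    4: ("law enforcement with a warrant", set()),  # article: legal counsel, not tools
    5: ("nation-state intelligence",
        {"Tor for all browsing", "de-Googled phone", "encrypted channels only"}),
}


def review(relevant_tiers, current_practices):
    """Compare current practices with the tiers named as realistic adversaries.

    Returns (gaps, excess): defenses still missing for each relevant tier, and
    current practices that only serve tiers not named as relevant.
    """
    unknown = set(relevant_tiers) - TIERS.keys()
    if unknown:
        raise ValueError(f"unknown tier(s): {sorted(unknown)}")
    current = set(current_practices)
    gaps, covered = {}, set()
    for tier in sorted(relevant_tiers):
        _, defenses = TIERS[tier]
        covered |= defenses
        missing = defenses - current
        if missing:
            gaps[tier] = sorted(missing)
    known = set().union(*(d for _, d in TIERS.values()))
    # Practices outside the table are ignored rather than judged.
    excess = sorted((current & known) - covered)
    return gaps, excess


if __name__ == "__main__":
    # Constructed profile: an office worker who named Tiers 1-3 as realistic
    # adversaries but has so far adopted mostly Tier 5 tooling.
    gaps, excess = review(
        {1, 2, 3},
        ["Tor for all browsing", "de-Googled phone", "privacy browser"],
    )
    for tier, missing in gaps.items():
        print(f"Tier {tier} ({TIERS[tier][0]}): missing {', '.join(missing)}")
    print("Aimed at tiers you did not name:", ", ".join(excess))
```
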

What to Watch For

Threat models are not static. Your adversaries, their methods, and the tools available to you all change over time. A few shifts are worth noting as of early 2026.

Data brokers are facing increasing regulatory pressure. The California Consumer Privacy Act (CCPA) and similar laws in other states give residents the right to request data deletion, though enforcement remains inconsistent. The European GDPR has been in effect since 2018 and has produced significant fines against major companies, but its impact on the data brokerage industry specifically has been uneven. New AI-driven data aggregation techniques are making behavioral profiles more detailed with less raw data, which means that the bar for “expensive to collect” is rising.

On the defensive side, passkeys are reducing the credential-stuffing threat by eliminating passwords for supported accounts. Hardware security keys are becoming more affordable and more widely supported. Privacy-respecting services that were niche five years ago — encrypted email, private DNS, tracker-blocking browsers — are now mainstream options with mature interfaces.

The through-line remains the same: know your adversaries, calibrate your response, and invest your effort where it produces the most protection for the least cost. The rest of this series translates that principle into specific practices, starting with the one that matters most for nearly everyone — passwords and authentication.


This article is part of the Data & Privacy series at SovereignCML.

Related reading: The Privacy Landscape: What’s Real, What’s Theater, Passwords and Authentication: The Foundation You’re Probably Getting Wrong, Your Phone: The Most Intimate Surveillance Device You Own
