day nineteen
A tangible way to threat model?
Most privacy guides tell you to start implementing a privacy system by threat modelling. I've understood what it means in general, but the next question that arises is: how do I do this in a tangible way? Answering these questions is easy, but how does this help me make low-level, day-to-day decisions about the softwares I use and the actions I perform? This is what I've come up with:
- I choose to not go the path of 100% privacy. This is because using certain aspects of the Internet for entertainment and education in a convenient fashion is important to me. However, I would like to improve my privacy in places where I can.
- I recognise that a “three-letter agency” can, if they were to target me specifically, gain access to my data. I do not consider any form of targeted surveillance by a similarly massive adversary part of my threat model.
- I would, however, like to reduce the personal data that is stored in corporate databases I have no control over. I would not like this data to be used to target, profile or understand me or the human psyche in general. Thus, I will take steps to prevent this.
- I have certain personal conversations and files that are of great importance to me. I will go to great lengths to keep them safe and backed up in all places.
- If I am required to download non-private or social media software for collaboration or if I see a massive convenience benefit, I will always attempt to develop strict rules (taking the template of Cal Newport's Digital Minimalism) and restrict my use of these softwares.
Is there a more nitty-gritty or developed approach to doing this? Or is this kind of what I should go by?
Please answer at advait@fosstodon.org, or this Reddit thread...