What's Your Threat Model? -Part 1

(And Why You're Probably Getting It Wrong)

A threat model sounds like something only hackers and government agents need to think about. It's not. A threat model is simply this: who would realistically want your data, how would they get it, and what would they do with it?

Every person who uses the internet has a threat model whether they've thought about it or not. The problem is that most people haven't thought about it, and the ones who have are usually thinking about it wrong.

They fall into one of two camps. Either they assume it's hopeless and do nothing, or they go full tinfoil hat trying to defend against threats that will never apply to them. Both responses leave them exposed to the threats that actually matter.

The "Why Bother" Trap

This comes up constantly in privacy conversations. Someone starts taking steps to protect their data, then the thought creeps in: if the federal government really wants to know, they're going to find out. There are satellites in the air. What's the point?

This is the black-pilled privacy mindset, and it paralyzes people into doing nothing at all. If perfect privacy is impossible, why bother trying?

Here's the flaw in that thinking: it assumes you're important enough to be actively targeted by the most powerful surveillance apparatus on Earth.

And you're not.

You're Not on the List (and That's Great News)

If you're on the FBI's top ten list, if you're a wanted, targeted enemy of the state, then run and hide. No technology is going to save you at that point.

But how many people reading this are on that list? Zero.

There's a certain vanity in thinking you are. Everyone thinks they're on a list. You're not. You really, really have to be a significant threat for that level of attention. Even the people building technology specifically designed to enable sovereign computing aren't on that list.

Think about home security. Is your home defensible against a battalion of a thousand soldiers? No. Does that bother you when you go to sleep at night? No, because you'd have to be delusional to think a battalion is coming to your home. It's the same thing with digital privacy.

This is actually the best news you'll hear all day. Because the threats you do face? Those are completely solvable.

The Four Real Threats

So if nation-state targeting isn't your threat model, what is? There are four actual threats that normal people face, and none of them require a tinfoil hat to address.

Threat #1: Passive Mass Surveillance. Nobody is sitting in a room reading your emails. But your data is being vacuumed up along with everyone else's because the infrastructure is designed to capture everything. This matters less for what you're doing today and more as an insurance policy you never bought. Things you say and like on social media now might be perfectly acceptable today but could put you on a radar after a political shift. Privacy isn't about hiding from current laws. It's about protecting yourself from consequences you can't predict.

Threat #2: Corporate Data Mining. The business model of cloud computing is your data. These platforms exist to build profiles on you, advertise to you, and sell your information to the highest bidder, including government agencies. As privacy laws force apps to ask permission (and most people hit "no"), that revenue is drying up. The result? Aggressive monthly subscriptions. Free tiers are shrinking. People are going to be shocked at how expensive their phones become when every app charges $5 to $10 a month.

Threat #3: Catastrophic Data Breaches. This is the one most people underestimate. In 2024, over 1.7 billion individuals received breach notifications in the U.S. alone. Six breaches each exposed more than 100 million records. Four of the five largest were preventable, caused by companies failing to implement basic multi-factor authentication. (Source: ITRC 2024 Annual Data Breach Report) When you store your data on someone else's server, you're trusting that their security is perfect and that their employees can't be socially engineered. All it takes is one person with the right access keys getting phished, bribed, or blackmailed, and everything on that server is exposed.

Threat #4: Censorship and Algorithmic Control. When you communicate through third-party platforms, those platforms control your voice. Not primarily through outright deplatforming (that actually draws attention), but through shadow banning, reduced reach, and algorithmic amplification of preferred narratives. Nobody even realizes it's happening. Any platform where you agree to terms and conditions is a platform where someone else controls your ability to be heard.

Now What?

These four threats share a common root cause: you handed your data to someone else. And none of them can be solved within the cloud computing paradigm. They're built into it.

The good news is that your threat model is more mundane than you think, and far more solvable than you've been told. You don't need to defend against nation-state actors. You need to defend against the four things listed above. And for that, real solutions exist.

In Part 2, we get into what those solutions look like, why the law is actually on your side when you own your own infrastructure, and the one critical mistake people make when they start pursuing privacy.

You're not on the list. That means you can win. But first you have to understand the game you're actually playing.