OPSEC: Know your threat model and act accordingly
Privacy is different for everyone. Not everyone needs the same kind of privacy.
A journalist or a whistle-blower working in a repressive regime needs more stringent protection than someone who sits on the couch and watches Netflix every day.
Having privacy is essential for anyone, but what level of privacy you need depends on your threat model and personal preference.
Know your threats:
First, you need to understand what your need for privacy is. Some want privacy from spying apps, some from their police or government, and some from their spouse or stalkers online.
A lot of people have something to protect, and you should build your threat model around that.
Some people say, “I do not have anything to hide.” If that's the case, get the f$ck out of here! This website is not for you.
Suppose you want to protect your secrets or stay protected from large corporations and governments. In that case, you should immediately make your threat model.
Creating a threat model:
To create your threat model, you first need to ask yourself some questions and make a checklist:
1. Protect what's vital:
You may be a journalist or a person who has access to something confidential. You may be a whistle-blower with state secrets. You may be a protester who wants to protect your identity. You may wish to prevent leakage of your private data to the big companies or government.
You must know what's vital in your possession that needs to be protected, and then you should know how many critical areas you need to concentrate on.
2. Know your vulnerabilities:
Have you ever been careless with the data that you intend to protect? Have you told someone about your possession of this crucial data, or have you posted anything online that links back to you?
Try to recall any occasion where you might have already made a mistake. Any vulnerability can be traced back to your identity.
Stand in the shoes of those threats you are trying to avoid in the first place. Think like them. How easy will it be to bring you down?
As some people say, “Think like a thief to catch the thief.” You need to do the same. If you were to hunt yourself down, what areas would you attack? Write them down in your vulnerabilities.
3. Mark your threats:
Some users are more vulnerable than others. A groundbreaking journalist or a whistle-blower with state secrets faces a higher degree of risk than someone who watched Pornhub on his/her office computer.
Always mark your threats with a danger level so that you can take action as necessary.
Classify any immediate threat as “Very High” if you feel you are being watched 24x7 by the governments or big corporations. You need to take precautions of the highest degree.
If you believe you may be prone to danger within the next few days and have some time to act on it, then classify your threat level as “High.” This level will even suit protesters as well.
If you have something in your possession or know something that may not be life-threatening or land you in jail, you can mark your threat as “Normal.” This level will also do for average users who want to reduce their online footprint and prevent any personal information from leaking.
Suppose there is nothing prominent in your possession or secrets that you know. In that case, you are mostly in the “Low” level threat category.
4. Always be wary of your threats:
If your threat is a big government or a big corporation, they have massive resources to hunt you down. So you need to maintain the utmost care and privacy.
If your threat is physical, then know who is coming for you. How many are there, and are they physically more powerful than you? Do they possess weapons? You need to ask yourself these questions to act accordingly.
The threat may be substantial or minuscule. You always have two options, “Fight or flee.”
You can't fight large corporations or governments, so in those conditions, you should flee.
If you want a fight, you should first assess that you are undoubtedly better than them and that you can win.
If you choose to flee, you should do so without leaving a trace. Know what traces you could leave behind or have already left behind. Sometimes a simple email address can turn things upside down.
5. Start deploying countermeasures:
Whether your threat level is very high or low, and whether you want to fight or flee, always deploy countermeasures.
The first thing that can identify you personally is your mobile phone. Next comes your desktop or laptop, then your email address and social media.
The list of things that can identify a person can grow longer depending on how careful or careless you have been up to this exact point.
If you have left little or no traces until this point, you have already implemented OpSec.
If you left a gigantic mess that can identify you, you need to start cleaning up.
6. Always believe you are under an unknown threat:
Threats don't come announcing themselves to you. But you should be ready when they do. You must make your threat model and deploy countermeasures so that you have already sailed when the threat comes.
Remember always to have one idea in your mind: “There is always an unknown threat of unknown consequence that can happen to you anytime.”
If that happens, how will you respond? If you do not make a clear threat model and prepare for the future, you will likely lose your privacy at that very point.
Make sure to implement countermeasures even before you get to the threat.
When it comes to personal privacy, “Prevention is better than cure.” Create your threat model and act immediately without leaving a trace.
In the upcoming posts, I will discuss how to choose your mobile, computer, and other communication platforms.