by Lisha Sterling, March 22, 2018
“When you give in to privacy nihilism and you decide that you are not going to do anything, you’ve let the government win already.” - Eva Galperin, EFF Director of Cybersecurity
Most activists and other practitioners of civil resistance realize that governments can use various methods of digital surveillance to find and silence dissenters. The question of how to protect ourselves can seem overwhelming. Wherever you look there are different and often contradictory recommendations. It can all seem too complicated, just impossible to keep up with. What you need is a place to start. You need a framework to help you make good security decisions, choose the right tools, and keep your privacy secure. Creating a threat model gives you just that.
Threat modeling is a way to identify and prioritize potential threats to your security, the security of your digital property, or threats to people and things you care about. A threat model can help you figure out what I like to call the “appropriate level of paranoia” for any given situation, in order to decide which steps to take to prevent and/or defend against an attack. This model can also give you a sense of control over the risks that you choose to take at any given time, with clear-eyed recognition of the value of your actions and their potential consequences.
You already do this all the time. You look at a busy street and decide whether to cross against a red light. You decide whether or not you are willing to let your children play a dangerous sport, and so on.
To create a threat model, you start with the formula for risk: “potential loss times probability of occurrence.” You’re essentially calculating what bad thing might happen and how likely it is to occur. A threat model also helps determine who is likely to cause you harm so you can figure out which tools they are likely to use against you.
To create a threat model, we ask these questions:
The first question is important because your threat model can be very different when you’re, say, a prominent dissident’s distant acquaintance, versus when you’re the mother of a whistleblower, or a leader in a movement nonviolently struggling for environmental protection, and so on.
Risk is context-specific: Your actions can affect the security of those around you, and their vulnerability can increase the likelihood that you may be under surveillance. Take steps to protect the most vulnerable in your group. You also want to be aware that adversaries may target people who are in contact with a person of interest to them. This is why defining yourself both by your own actions and by your relationships is important.
The second question will help you determine the capabilities of your adversary, and that will come into play when you consider risk mitigation. You may have multiple adversaries, and they may be working together, or toward conflicting ends.
The third question can sometimes be a little trickier. You can start with a general idea like, “They want to build a pipeline, so they want us to get out of their way.” Then drill down from that generalization to more specific goals: “They want to arrest as many of us as possible,” leads to, “They want information about where we will be so that they can arrest us.”
The last question gets to the heart of the problem. If you know the capabilities of your adversaries and what they want to accomplish, you can decide if it is likely that they will use video surveillance, audio recording, social media surveillance, Stingrays to get your phone data, or attacks against your devices and online accounts.
Once you have this model you are ready to consider what steps are most important to keep yourself, your friends and family, and your work safe. Developing a threat model in the lead-up to a specific nonviolent action or during a nonviolent campaign can help your movement build consensus about how to protect the movement’s participants.
In my next post, I’ll explain different ways to keep your communications private through encryption and how that fits into your threat model.
Lisha Sterling is executive director of Geeks Without Bounds, a nonprofit organization supporting open source technology in low resource situations through education, hackathons, and an accelerator program to help promising humanitarian technology projects become sustainable. She is also on the board of directors at Frontline Wellness United.