Threat Models

Edward Snowden and the journalists who worked with him took extraordinary measures to safeguard themselves against state-level actors [Snowden2019], but most of us aren't involved in issues of national security and don't need to take those kinds of precautions. Instead, we typically face one of three kinds of threat illustrated by the examples below.

• Casual threats are opportunistic. For example, Monica, a professor in psychology, is targeted by Mohan, an undergraduate in computer science who spends hours every day in online echo chambers complaining about how "SJW bullshit" is ruining tech. He really didn't enjoy Monica's guest lecture on discrimination and inclusivity in his software engineering class, and thinks it would be a laugh to make her the target of anonymous abuse online. He is unlikely to invest significant effort in his attack (at least not initially), but his attack may be backed up by more knowledgeable members of online forums. They are almost certainly not computer security specialists; instead, they are probably older versions of Mohan who have picked up a few tricks and bits of software and enjoy the digital equivalent of throwing bricks through strangers' windows.

• Intimate threats come from people who know their targets' passwords or have a chance to install spyware on their targets' devices [Leitão2019]. For example, Elena, graduate student, is targeted by her former romantic partner Eric, who is also a graduate student but not in the same department. Their relationship had become increasingly abusive over the last two years. With the help of friends, Elena has moved out of their shared apartment and is rebuilding her life; Eric is obsessed with the idea that she left him for someone else and is now stalking her.

• Insider threats come from people who have legitimate access to accounts and devices. For example, Boris, professor of medicine, is targeted by Bethany, who works for the university's IT department. Boris has agreed to serve as an expert witness in an upcoming liability case involving a large chemical company; Bethany has been asked by a former colleague to find out what he is going to say in order to discredit his testimony.