Criticisms of threat modeling

This episode of a privacy podcast made this introduction.

Unlike just about any other show, we practice what we preach: private payment options, no threat modeling, no statist or collectivist solutions, and no sponsors ever.

That made me wonder about their reasons for being opposed to threat modeling.

My question is simple. What are criticisms of threat modeling?

I believe threat modeling has merits, without which people may be prone to going overboard with security measures without justification. I also see some general problems which may lead to underestimation of risks and consequently false sense of security.

  • Some threats may be unknown, for instance data collection and surveillance done in secret.
  • Some vulnerabilities, in someone’s current situation or in their new security measures, may be unknown.
  • Accurate risk assessment is very difficult, requiring good knowledge of technology, laws etc.

Discussion of whether each criticism is valid, common, mythical etc would help.

1 Like

It’s impossible to achieve 100% privacy or anonymity. The only way to achieve this would be to live in the middle of the Amazon rainforest and not engage with the rest of the world. You’ll also develop mental health issues sooner or later because it’s an endless and exhausting marathon. That’s why threat models matter.

As I said, no matter what you do, you can’t avoid it. However, you can reduce the amount of data collected. That’s a win for me.

Honestly, there’s not much you can do. There will always be vulnerabilities, and anyone who says otherwise is lying to themselves. You’ve got to protect what you have now doing the best you can.

Are you actively being “hunted” by a secret agency? If not, I don’t think you need to know that much. (If you answered yes, I’m afraid I’ve got some bad news for you… :smiley:)

6 Likes

That is the purpose of threat modeling. However, my question is about criticisms of threat modeling. I’m trying to understand why some people are opposed to it. I listed those points as things that complicate threat modeling.

They’re elitists who lack realism.

1 Like

I think the problem you see with threat modeling—yes, occasionally in this community, and certainly from many other privacy advocates and channels—is that it can be used as an excuse to not be private at all.

Take using stock Android for example. You can definitely use threat modeling to assess the whole ecosystem and come to the conclusion that stock Android, or ChromeOS, or Windows, or whatever is the best choice for you specifically, sure. If you think it through and truly believe that then who am I to stop you? Whatever. However, if you then try and claim this usage is private simply because you used threat modeling to select them, this becomes problematic. In reality, what the threat modeling actually did was tell you that you value some things more than privacy.

I think threat modeling could have a better reputation if people simply acknowledged that in some cases it simply led them down a less private path, rather than tried to use threat modeling as a way to twist non-private products into seeming like they are providing adequate privacy.

I was once on that podcast myself, but I have not kept up with it or him, so I don’t really know what his thoughts are in general. My impression just based on the introduction to that video and his website escapethetechnocracy.com is that they have “no threat modeling” because they are telling you exactly what the threats are (as they see them) and what to do about them.

This is certainly an approach, and I do not immediately discredit publications which do that. There is a certain level where you can know your audience a bit and still present reasonable advice within that framework. I also think most people are reasonable enough to recognize when that advice might be overkill and will naturally leave these more absolute communities on their own.

However, the unfortunate problem is that (IMO) most privacy advocates who do not acknowledge/promote threat modeling are doing so to scam their audiences. Which, again, I do not think is the case here specifically, but I can certainly think of many YouTubers and others who use fear-based messaging to sell products, etc.

I think this community here has always been geared more towards education than activism, although we certainly do both. The approach I think we have always been good at is putting all of the most correct possible information out there as we can, and letting people do as they want with it. If people read this forum and my posts and privacyguides.org, and then make decisions about privacy that I’d personally disagree with, well, you can lead a horse to water, but you can’t make it drink, that’s what I think :man_shrugging:

The activist’s approach would be more direct, and would tell people exactly what they see as the threats and how to protect themselves against them.

I think that is what Gabriel Custodiet is doing here, I think that is what people like Edward Snowden are generally doing, and as long as they are not doing that to scam people I am not really opposed to that approach. I do think this approach is less educational, because people are less likely to dive into why the threats matter on their own, but it can still lead to real-world impact and net privacy gains and those are still big wins :flexed_biceps:

13 Likes

Thank you @jonah for the in-depth comment.

A side issue is some people use “it depends on your threat model” as an answer to every question without adding anything valuable.

I was hoping to focus on arguments. Perhaps you’re right about that podcast episode though.

Off topic

I found the guest’s right-wing views distasteful: “illegal aliens” and being able to buy guns from vending machines :face_vomiting: Half the “Watchman Privacy” episodes appear unrelated to privacy too.

2 Likes

At the end of the day, if you don’t know what you’re defending against, how are you gonna defend against it? I do have a problem with how a lot of privacy creators take a framework like LINDDUN that’s more meant for software developers and push it for regular people. It kinda turns the process into a huge chore when it’s not really needed; most of the work of threat modeling has been done by the people making the software you use. So you can just think of Signal as protecting you against eavesdropping between you and your friend without having to think about it too much.

I think people threat model without even trying to really, like you don’t want your communications to be intercepted so you use an encrypted messenger. I think it’s important to understand what the tools you use are capable of though so you don’t fall into “vibe” privacy, like a lot of people don’t understand that VPNs don’t encrypt all the way between you and your destination website, they just think of it as “encrypted”.

If the threat is unknown, then how would you defend against it? I think here we can fall back on the software developers a bit, like most people’s phones randomize their MAC address nowadays even though most people probably aren’t aware of cross-network WiFi tracking. You can cover the vague overall threat of “tracking” in your personal threat model and fall back on the work engineers have done to deal with the specifics.

Ideally people shouldn’t have to worry so much about the nitty gritty, human error should be removed from the equation as much as possible, and you should mostly only have to think about the big picture.

Most people have specific things they’re worried about, whether it’s something they actually need to worry about is another matter. The way I see it, you have things you want to defend against and then your technology needs to meet you where you’re at.

basically I think dismissing threat modeling entirely is throwing the baby out with the bath water, even though there’s things that can improve imo

That doesn’t even make sense conceptually, it’s like saying your car is 100% fast. You have to define what you’re defending against before it can make any sense.

5 Likes

They really can’t answer until they know, most of the time; anything you tell them could be counterproductive against the wrong threat.

After diving deeper into security, I’ve come to assess that the threat modeling often discussed in the privacy community seems to be very bespoke and not formalized. After having created a formal threat model, I have not seen one here that really comes close. This isn’t to say the bespoke versions aren’t useful, but that criticisms of bespoke ones shouldn’t speak to the formal threat modeling practices. But if people are making threat models and haven’t heard of STRIDE, among other methodologies, and CIA, I would say the understanding is high level.

Threat modeling is a single step in a wider process that is risk management. It’s to help manage expectations of remediation and mitigation, to help not waste time on unnecessary patches or ignore critical actions. We’ve only got so much time; might as well figure out what’s worth investing in instead of adding so much friction to our lives that isn’t necessary.

A lot of threat modeling and cybersecurity discussion is geared towards enterprise, and largely difficult to apply to personal privacy and cybersecurity, which is why we don’t dive into these topics or frameworks.

On the other hand, I do agree some people do not even attempt the very basic framework we lay out on our website in any formal/serious way.

It has always been my pet peeve to see threat models described as a scale from “high” to “low” which makes no sense, and this is something I see even many content creators in the privacy space do regularly :sob:

2 Likes

I agree with a lot of the other assessments here.

But I also think some people are prone to giving far more weight to risks that can be more paranoid than realistic. In which case a threat modelling system can do far more harm than good.

This isn’t because threat modelling is bad practice but rather because it’s badly implemented.

You should take into account what you mean to protect.

You should take into account against what sort of threats you want to protect it.

But you should also take into account how likely that threat actually is and how much harm is actually realistic. Which is something humans are so predictably bad at that entire fields of economics are now dedicated to exploiting those flaws.

As an incomplete thought: the point isn’t to be secure, but rather to ensure that the threats you want to be protected from have to expend far more resources than you or the things you seek to protect are worth in order to pull off a meaningful attack.

2 Likes
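To make the “threat modeling is one step in risk management” point above, and the “price the attacker out rather than be 100% secure” point just before it, concrete: the following is an added example written for this thread, not code from Privacy Guides or from anyone in the discussion. The actors, threats, numbers and mitigation names are all constructed for illustration, not real data. It ranks candidate mitigations by expected loss avoided minus the friction they cost you, and treats a mitigation that pushes the attacker’s effort past what that specific actor would plausibly spend on you as closing the threat, which is what “knowing who the threat is” buys you.

```python
"""Risk-management triage over a small personal threat model.

Added example for illustration; every actor, threat, mitigation and number
below is constructed and hypothetical. Units: impact and mitigation cost are
in the same money-equivalent unit; effort is in attacker hours.
"""
from dataclasses import dataclass, field


@dataclass
class Actor:
    name: str
    budget_hours: float  # effort this actor would plausibly spend on you


@dataclass
class Threat:
    name: str
    actor: Actor
    likelihood: float      # probability per year, 0..1
    impact: float          # cost to you if it happens
    attacker_hours: float  # effort the attack takes against you today

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass
class Mitigation:
    name: str
    cost: float  # yearly friction to you, same unit as impact
    # threat name -> fraction of that threat's likelihood removed
    reduction: dict = field(default_factory=dict)
    # threat name -> extra attacker effort (hours) the mitigation adds
    added_hours: dict = field(default_factory=dict)


def priced_out(t: Threat, extra_hours: float = 0.0) -> bool:
    """True when the attack would cost more effort than this actor spends."""
    return t.attacker_hours + extra_hours > t.actor.budget_hours


def effective_reduction(m: Mitigation, t: Threat) -> float:
    """A mitigation either removes a fraction of the likelihood directly, or
    raises attacker effort past the actor's budget, which counts as closing
    the threat entirely (reduction 1.0)."""
    if priced_out(t, m.added_hours.get(t.name, 0.0)):
        return 1.0
    return m.reduction.get(t.name, 0.0)


def net_benefit(m: Mitigation, threats_by_name: dict) -> float:
    """Expected loss avoided across the threats this mitigation touches,
    minus the friction it costs you. Negative means it is not worth it."""
    touched = set(m.reduction) | set(m.added_hours)
    saved = sum(
        threats_by_name[n].expected_loss() * effective_reduction(m, threats_by_name[n])
        for n in touched if n in threats_by_name
    )
    return saved - m.cost


def triage(threats, mitigations):
    """Return (mitigations worth doing, mitigations to skip, threats that are
    already priced out before any new mitigation), best first."""
    by_name = {t.name: t for t in threats}
    ranked = sorted(((net_benefit(m, by_name), m.name) for m in mitigations), reverse=True)
    worth_it = [name for benefit, name in ranked if benefit > 0]
    skip = [name for benefit, name in ranked if benefit <= 0]
    already_closed = [t.name for t in threats if priced_out(t)]
    return worth_it, skip, already_closed


# Constructed sample model (hypothetical numbers).
BROKER = Actor("data broker (automated)", budget_hours=0.1)
EX = Actor("ex-partner", budget_hours=20)
THIEF = Actor("opportunistic thief", budget_hours=2)
STATE = Actor("state agency", budget_hours=10_000)

THREATS = [
    Threat("ad tracking", BROKER, likelihood=0.99, impact=50, attacker_hours=0.0),
    Threat("stalker reads phone", EX, likelihood=0.2, impact=5000, attacker_hours=1),
    Threat("laptop theft", THIEF, likelihood=0.05, impact=3000, attacker_hours=50),  # disk already encrypted
    Threat("targeted state surveillance", STATE, likelihood=0.001, impact=100_000, attacker_hours=100),
]

MITIGATIONS = [
    Mitigation("tracker-blocking browser", cost=2, added_hours={"ad tracking": 1.0}),
    Mitigation("screen lock + separate accounts", cost=10, added_hours={"stalker reads phone": 40}),
    Mitigation("Faraday bag", cost=100, reduction={"targeted state surveillance": 0.1}),
    Mitigation("self-host everything", cost=2000, reduction={"targeted state surveillance": 0.5}),
]

if __name__ == "__main__":
    do, skip, closed = triage(THREATS, MITIGATIONS)
    print("worth doing:", do)
    print("skip:", skip)
    print("already priced out:", closed)
```

The interesting output is what gets skipped: the two expensive countermeasures against the lowest-likelihood, highest-capability actor lose to cheap measures against the actors who actually have a realistic budget for you, which is the friction-versus-benefit trade-off the posts above describe rather than a “high” or “low” threat model.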

Exactly, I think simply defining the threat and what they’re capable of gets most people where they need to be mentally to start making decisions about what they want to do. Keeps the mental load low and lets them think about how everything fits into the bigger picture instead of getting bogged down in details.

Well I think this is exactly the problem, that some people only think about what the threats are theoretically capable of.

If they also defined who the threats are very specifically, then it still wouldn’t really be a complete model, but I’d agree that they’d be in a much more workable situation at the very least.

Unfortunately many people will just say they are concerned about everyone and everything. This is kind of what I was getting at when I was saying the “no threat modeling” approach from some creators could be acceptable. Especially if you can find a publisher/creator in this space who you can relate to or is in the same communities as you.

It isn’t great to eschew threat modeling, but when it comes to these people who have unrealistic concerns, they might honestly be better off finding some person they trust and listening to them tell them exactly what the threats and actionable prevention steps are from their perspective.

Definitely not an approach that works for me or this community in general though.

It’s not difficult if it’s understood. It’s sort of like music theory: once you know the rules, you know how to break them. However, it’s tough, as someone getting into it will have to trust that the distilled version is effective. It makes sense to strip the frameworks out for a privacy-based audience.

That is exactly an analogy I would use for basically anything in this space. My problem is with people doing this, and then encouraging others to break the same rules they did, even though those other people don’t have the same grasp of the rules in the first place. The rules are still there for a reason.

2 Likes

Also want to say threat modeling is still very much community based. It significantly helps to have others review what you’ve discussed and to come together. That’s why this forum is a great resource for those who don’t have others IRL to assist with this, and why one-way comms (podcast, video, essay) makes it tough to know if you are looking at the right things.

1 Like

It is difficult for me to imagine threat modelling as an approach that scales well to people who need privacy. Partially because I believe everyone needs privacy and partially because I don’t think regular people will ever have the deep knowledge or foresight needed to assess the likelihood, personal impact and second-order consequences of threats.

The partial answer to me has always been for the hardware product makers and software developers themselves to understand and make choices/trade-offs in mitigating threats.

Activism/awareness from communities and individuals can be part of a many-pronged approach to pressure the producers of hardware and software to continuously improve their work, make serious architectural changes to mitigate/eliminate threats, and raise the bar for any known or unknown party accessing people’s data and metadata without them explicitly going out of their way to share it.

Standards-based approaches (both in terms of technical quality and in terms of culturally enforced minima/criteria) are where the biggest wins in universal privacy come from. For these improvements to be proactive rather than reactive, they have to be driven and informed by communities/people with intimate knowledge of how to survive, avoid or inflict privacy abuses.

I’m against the concept of threat modeling because in my opinion, privacy is not about an individual choice (putting aside the very real exceptions like journalists or activists). IMO, privacy should be a collective choice and a political statement: “hey, we’re not ok with this massive surveillance sh*t.”

I’ll quote myself:

Privacy is already political. Threat models are not as political.

Threat models contextualize things. They tell us what we should do in the context of what our privacy goals are. Just because one uses threat models does not mean one cannot be political and campaign for privacy. It’s a false dichotomy.

It’s one thing to say that we should politically advocate for privacy. It’s another thing to say we should not use threat models because it somehow threatens that very political effort.

We can criticize the Privacy Guides website for not pushing its audience to be politically active, or being too focused on threat models. But that doesn’t mean that threat models have no use for the average Joanne who visits the website.

1 Like