You Don't Have a Privacy Problem — You Have a Threat Model Problem
You read an article about online privacy. Now you are anxious. You install a VPN. You switch to a private browser. You delete your social media accounts. You buy a new email service. You turn off location services. You tape over your webcam. You research Linux.
Two weeks later, you are exhausted. The VPN breaks half the websites you visit. The private browser does not have your saved passwords. You miss Instagram. Your friends cannot reach you. You quietly undo most of it, feel guilty, and decide that privacy is for paranoid people with something to hide.
This is the privacy burnout cycle, and it happens because you started with the wrong question. You asked "how do I get private?" when you should have asked "what am I actually protecting, and from whom?"
That second question is a threat model. And it changes everything.
What Is a Threat Model?
A threat model is a framework that security professionals use to make rational decisions about protection. Instead of trying to defend against everything, you identify:
- What are you protecting? (Your assets)
- Who are you protecting it from? (Your adversaries)
- How likely is the threat? (Your risk)
- What are the consequences if you fail? (Your impact)
- What are you willing to sacrifice for protection? (Your trade-offs)
The beauty of this framework is that it makes privacy personal and practical instead of abstract and overwhelming. The right answer is different for everyone because the threats are different for everyone.
Five Real Threat Models (And How They Differ)
Let us walk through five actual people with actual privacy concerns and see how the threat model changes the prescription.
Person 1: The Parent Limiting Ad Tracking
Protecting: Family browsing habits, children's data, purchase history
From: Advertising companies (Google, Meta, data brokers)
Risk level: High (this is happening right now, constantly)
Impact if breached: Targeted manipulation, data profiles on children, creepy accurate ads
Acceptable trade-offs: Moderate — willing to switch some tools, not willing to abandon major platforms entirely
The prescription:
- Use Firefox or Brave instead of Chrome (blocks trackers by default)
- Install uBlock Origin (blocks ads and tracking scripts)
- Use DuckDuckGo instead of Google for most searches
- Opt out of personalized ads in Google, Meta, and Apple settings
- Use a private email relay (like Apple's Hide My Email or SimpleLogin) when signing up for things
- Review and restrict app permissions on all family devices
What this person does not need: a VPN (ad tracking happens at the browser and app level, not the network level), Tor (massively overkill), a burner phone (unnecessary), or deleting all social media (unrealistic for a parent managing playdates and school groups).
Person 2: The Journalist Protecting Sources
Protecting: Source identities, unpublished story details, communication records
From: Government agencies, corporate legal teams, opposing political actors
Risk level: High for certain stories, low for routine reporting
Impact if breached: Source imprisonment, career destruction, legal consequences, potential physical danger
Acceptable trade-offs: High — willing to use specialized tools and accept significant inconvenience
The prescription:
- Signal for all source communication (disappearing messages enabled, short timer)
- Proton Mail for encrypted email with sources
- Tor Browser for sensitive research that must not be linked to your identity
- A dedicated device (separate phone or laptop) for sensitive source work
- Full disk encryption on all devices
- Physical security measures (awareness of surroundings during meetings, no phones present during sensitive conversations)
- SecureDrop for anonymous document receipt (if the organization supports it)
This person needs tools that would be overkill for a parent managing ad tracking. The stakes justify the inconvenience.
Person 3: The Crypto Holder Protecting Assets
Protecting: Cryptocurrency holdings, wallet addresses, exchange account access
From: Hackers (remote), social engineers (phishing), physical thieves (wrench attack)
Risk level: Medium to high (depends on the size of holdings and how public they are)
Impact if breached: Permanent, irreversible financial loss — crypto theft cannot be undone
Acceptable trade-offs: High for financial accounts, moderate for general browsing
The prescription:
- Hardware wallet for all significant holdings (Ledger or Trezor, never leave large amounts on exchanges)
- Unique email address for crypto exchanges (not your main email)
- Hardware security key (YubiKey) for 2FA on all exchange accounts — never SMS-based 2FA
- Never discuss holdings publicly or on social media
- Use a VPN when accessing exchanges (prevents ISP and network-level snooping)
- Separate browser profile for all crypto activity
- Physical security for hardware wallet and seed phrase (fireproof safe, geographically distributed backups)
What is unique here: the physical security component. A $5 wrench applied to your kneecaps is a more realistic attack vector for a known crypto holder than a sophisticated hack. Not broadcasting your holdings is the most important protection.
Person 4: The Person Avoiding a Stalker or Abusive Ex
Protecting: Current location, daily routine, new contact information, social connections
From: A specific known individual who is motivated and persistent
Risk level: High and immediate
Impact if breached: Harassment, physical danger, emotional trauma
Acceptable trade-offs: Very high — safety overrides convenience completely
The prescription:
- New phone number (port the old number to a Google Voice so you can still receive messages without revealing your new number)
- New email address that is not connected to any previous accounts
- Audit all social media for location data, tagged photos, check-ins, and mutual connections who might share information
- Disable location sharing in all apps
- Review Google, Apple, and social media account settings for shared access or logged-in devices
- Enable Find My device but ensure the stalker does not have access to the associated Apple ID or Google account
- Use a P.O. Box or a virtual mailbox service for all mail
- Consider an address confidentiality program (available in most US states for domestic violence survivors)
- Talk to every person in your close circle about not sharing information about you
The privacy tools here are less important than the operational security. The threat is a motivated human with personal knowledge, not an algorithm. The response is about cutting information channels that specific person can access.
Person 5: The Privacy Enthusiast (General Digital Hygiene)
Protecting: General digital footprint, reducing data collection, maintaining autonomy
From: Big tech companies, data brokers, and the general surveillance economy
Risk level: Low to medium (no immediate threat, but cumulative exposure over years)
Impact if breached: Erosion of autonomy, increasingly accurate behavior prediction, data used in ways you cannot anticipate
Acceptable trade-offs: Moderate — willing to change habits but not willing to become a hermit
The prescription:
- Use Firefox with uBlock Origin and strict tracking protection
- Use Proton Mail for personal email
- Use Signal for messaging
- Use DuckDuckGo for search
- Review app permissions quarterly
- Use a password manager with unique passwords everywhere
- Enable 2FA (authenticator app, not SMS) on all important accounts
- Periodically request data deletion from data brokers
- Read privacy policies (at least the summary) before signing up for new services
This person does not need Tor, does not need to abandon social media entirely, and does not need a Faraday bag for their phone. Their threat is diffuse and long-term, so their response is proportional: consistent digital hygiene, not extreme measures.
The Three Questions That Define Your Threat Model
If those five examples feel like a lot, simplify it to three questions:
1. What would actually hurt if it were exposed?
Not theoretically. Actually. Would it cost you money? Your job? A relationship? Your safety? If you cannot articulate specific harm, the threat might not require specific tools.
2. Who would realistically try to access it?
A random hacker scanning the internet is a different adversary than a nation-state intelligence agency. A data broker is different from an abusive ex-partner. Match your defense to your adversary.
3. What friction are you willing to accept?
Every privacy tool adds friction. A VPN slows your internet. Encrypted email means your recipients need compatible software. Disappearing messages mean you lose conversation history. Two-factor authentication means extra steps on every login.
The privacy setup you will actually maintain beats the perfect setup you abandon in two weeks. Be honest about what you will stick with.
The Biggest Threat Model Mistake
The biggest mistake is not having the wrong tools — it is having no priorities. When everything is equally important, nothing is effectively protected. You spread your effort across 20 tools and 50 settings changes, maintain none of them consistently, and end up with a false sense of security.
A journalist who uses Signal for sources but leaves their laptop unlocked in coffee shops has failed at threat modeling. A crypto holder who uses a hardware wallet but brags about holdings on Twitter has failed at threat modeling. A stalking survivor who uses encrypted messaging but has location sharing enabled has failed at threat modeling.
Threat modeling forces you to rank your risks, allocate your effort, and accept that you cannot protect everything. That acceptance is not defeat — it is strategy.
Start with one strong privacy foundation
Proton offers encrypted email, VPN, cloud storage, and calendar in one ecosystem — built in Switzerland, funded by users, not ads. It covers the basics well for most threat models.
How to Build Your Threat Model in 15 Minutes
Grab a piece of paper. Write three columns.
Column 1: What I am protecting. List your most sensitive assets. Financial accounts. Private communications. Location data. Medical information. Professional secrets. Embarrassing personal information. Be specific.
Column 2: Who I am protecting it from. For each asset, name the realistic adversary. Advertisers? Hackers? A specific person? Your employer? The government? "Everyone" is not an answer — it means you have not thought about it.
Column 3: What I will do about it. For each asset-adversary pair, pick one or two specific actions. Not ten. One or two. The actions that address the highest-risk items first.
Do the top three items on your list. Ignore everything else for now. Once those are handled and habitual, revisit and add the next priority.
This is how professionals approach security. Not by installing everything. By identifying what matters, what is likely, and what is proportional — and then doing those things consistently.
Key Takeaways
- "How do I get private?" is the wrong question. "What am I protecting, from whom, and what am I willing to sacrifice?" is the right one.
- A parent limiting ad tracking needs different tools than a journalist protecting sources or a crypto holder protecting assets.
- Match your defense to your adversary. Overkill leads to burnout. Underkill leaves real gaps.
- The privacy setup you maintain consistently beats the perfect setup you abandon in two weeks.
- Start with three priorities. Do those well. Expand later.
- A threat model is not paranoia — it is the opposite. It is rational, proportional, and sustainable.
Privacy is not a binary state. You are not "private" or "not private." You are making trade-offs every day, whether you realize it or not. A threat model just makes those trade-offs conscious and deliberate instead of accidental and reactive.
Get practical privacy guides every week
No paranoia, no tinfoil hats — just clear steps to protect your data and your life online. Join 3,000+ readers.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.