Threat Modeling

Digital safety is not about tools or computers; it is about risk assessment. Hence the ...

Threat Model

  • What information should I protect?
  • Who might be interested?
  • What resources can they mobilize?
  • What are the consequences if they manage to access this information?
  • What means am I willing to use?

What are you protecting?

Emails, chat, phone calls, photos, rushes, addresses and identities of my contacts, etc.

Who are you protecting this from?

  • The organizations or individuals that are the subject of my article
  • A government
  • A judge or police officer
  • A private company

What kind of resources can they mobilize?

  • Technical: interception, hacking
  • Legal: wiretapping, subpoenas
  • Social: social engineering
  • Physical: theft, installing malware

What are the consequences if there is a leak?

  • A burned (compromised) story
  • Problems with the law for a source
  • Physical threats

How many resources am I going to invest?

Scenarios

#1

Photojournalist. Objective: to get photos out of an authoritarian country. Internet access is available in a cyber café. The identity of the people in the photos must not be revealed or they will be imprisoned. You must remain anonymous until the photos are published in order to continue working there and leave the country without problems.

#2

Two whistleblowers working for a major bank have contacted you to alert you to internal irregularities. If your sources are identified, they may lose their jobs and be sued by the bank. A large number of documents needs to be analyzed.

#3

You are working in Europe and helping a human rights activist in China. This person is working with other activists in China. The Chinese government has not identified them as such. You have met one of the activists only once. You have his phone number but need to set up a secure communication channel.

Questions?

Contact

Nothing2Hide

Content licensed under Creative Commons CC BY SA.