Most people skip straight to VPNs, burner phones, and encryption without asking the first question: what am I actually protecting? This guide breaks down threat modeling in plain language so you can build a privacy plan that’s realistic, human sized, and tailored to your life. Learn how to define your assets, threats, and comfort level so you stop collecting tools and start protecting what matters.
When you’re ready for planning, read the OPSEC guide
You’re not Jason Bourne. You’re not Snowden. You’re not being hunted by a foreign intelligence agency, but make no mistake you’re still a target.
Not because you’re famous. Not because you’re dangerous, but because your data has value. Your actions are recorded and the people watching don’t need a reason.
Stop Copying Spies. Start Modeling Like a Human.
Most “privacy” guides go tactical first with masks, VPNs, burner phones. But if you don’t know what you’re protecting, why you’re protecting it, or who you’re protecting it from you’re just collecting toys. Privacy isn’t about tools. It’s about threat modeling.
What is Threat Modeling?
Threat modeling is how you figure out:
- What you’re protecting
- Who you’re protecting it from
- What happens if you fail
- What your limits are
Simple. Grounded. Human.
It’s not about building a spyproof life. It’s about knowing how exposed you are and deciding how much exposure you’re willing to live with.
You start with your minimum required level (based on your threats), then build up to your comfort level (based on your personal values, risk tolerance, and lifestyle).
That’s the two level system most people miss.
Level One: Minimum Required Privacy
Your threat model sets your baseline. This is the minimum protection needed to keep real damage from happening.
Ask yourself:
- If someone got into my inbox, what could they do?
- If my address got leaked, who would want it?
- If someone cloned my phone number, what accounts would they control?
- If someone searched my name, what would they find?
Then go deeper:
- Are you vulnerable to stalkers, obsessive fans, disgruntled clients, that crazy ex?
- Are you visible online? Do you use your real name for work?
- Are you involved in activism, crypto, journalism, legal battles, or anything political?
Your baseline is built from your risk + exposure.
Here’s how that might look:
| Risk | Exposure | Baseline Action |
|---|---|---|
| Doxxing | Real name tied to home address | Remove public records, use mail forwarding |
| SIM swap | 2FA on phone number | Move to app based 2FA, use alias for recovery |
| Stalking | Public social media | Lock profiles, scrub images, rotate accounts |
| Platform ban | Work tied to one platform | Backup content, diversify presence |
This isn’t theoretical. It’s protection against the things that already happen to regular people. Not just whistleblowers.
Level Two: Comfort Zone Privacy
Once you’ve built your baseline, you get to ask a different question:
What level of surveillance am I willing to live with?
This is personal. It’s where your values come in. Your boundaries. Your control.
Maybe your minimum requires using a password manager, but your comfort says “I want all my storage encrypted.” Maybe you don’t need to run GrapheneOS, but you feel better doing it anyway.
This is the layer of voluntary refusal. It’s not about threats, it’s about reclaiming space. The second level is how you claw back dignity. Not because you have to but because you can.
Examples:
- Using a Faraday sleeve even if no one’s tracking you, because you don’t consent to the possibility of tracking.
- Avoiding Google Maps not because it’s leaking live location, but because you don’t want to feed the system.
- Running your own email server, not because Proton failed, but because you want the control.
Your comfort zone is the difference between surviving surveillance and living free from it.
Checklist: Build Your Two Level Privacy Model
Start here. Build upward.
1. Define What You’re Protecting
Not vague concepts. Actual assets.
- Access to your bank, crypto, work tools
- Your physical location
- Your inbox and calendar
- Your social graph
- Your identity and reputation
Write it out. Put it in front of you.
2. Define Who You’re Protecting It From
Again, not just “the government.”
- Creeps
- Corporations
- Ex’s
- Data brokers
- Random opportunists and thieves
- Platform mods
Each one demands a different defense line.
3. Define What Happens If You Fail
What’s the real cost of exposure?
- Financial loss?
- Loss of access?
- Embarrassment?
- Physical risk?
This is the difference between scenario planning and paranoia.
4. Lock In Your Baseline
These are your non-negotiables.
- Unique passwords, stored encrypted
- Encrypted phone and laptop
- Safe backup plan
- 2FA not tied to SIM
- Locked down social media
Don’t move to level two until level one is solid.
5. Push to Your Comfort Level
This is where it gets personal.
- De-Google your phone?
- Use aliases and compartmentalize accounts?
- Host your own services?
- Travel with burner gear?
You choose. You build the map.
If you need help, check out the Essentials Starter Pack in the Field Manuals tab. It has several free guides and worksheets to walk you through this process. If you need a deeper dive on how to map risks, then pop over to the Master Guides tab, especially the Threat Modeling and OPSEC: A Practical Guide for Real Humans.
A Human Model, Not a Hacker Fantasy
We’ve been sold the lie that privacy is only for people doing something wrong. Or worse, that it’s only achievable by secret agents who know how to code and disappear.
Bullshit.
You don’t need to live in a cave. You don’t need to be a ghost in the machine. You need a plan.
A human sized threat model. A baseline that protects you from real world fallout. A comfort layer that gives you back autonomy. You build it one choice at a time. You don’t get it perfect. That’s fine, but you damn sure get it better.
Claw it back. Stay quiet. Protect what matters.
-GHOST
Written by GHOST, creator of the Untraceable Digital Dissident project.
This is part of the Untraceable Digital Dissident series — tactical privacy for creators and rebels.
Explore more privacy tactics at untraceabledigitaldissident.com.