PSA: Please provide your threat model when asking for advice

Disclaimer: This isn’t an official thing - just putting this out there for folks to consider when asking for advice. Maybe we can make this more formal with a pinned post for newcomers but that’s up to the community and Techlore to decide.


When asking for advice in this forum, please provide some detail about your threat model so that the folks answering your question can narrow down their recommendations.

Privacy and security can be very simple or very complicated depending on what you’re trying to protect, who you are trying to protect against, and how far you are willing or able to go in order to provide yourself with that protection. Making a decision on those three factors is basically what threat modeling is. If you know that for yourself in general, or at least for the specific area you have a question about, you will get a much more dialed in answer.

For example, if you want to ask “what phone should I buy”, here are two threat models you might have.

  1. I’m not a very techy person but I want to keep my information safe from scammers and hackers.
  2. I work in IT and all I want the government to know about me is that I’m alive and I pay taxes.

In response to the first case, almost anyone on here would recommend you just get an iPhone and turn off a few things here and there to be secure. In response to the second situation people may recommend installing Graphene OS on a Google Pixel and only using it for the most basic functions.

If the community doesn’t know your threat model, you may get answers that are below or, more often than not, above what you are able or willing to do. If you are someone who is not very technical or just looking for enough privacy and security to stay away from identity theft, please say so in your question so that you don’t get answers that are overkill for you.


Note to the community: I think we already do a decent job of this, but let’s remember that not everyone who asks for advice on here is looking to maximize privacy. Some folks can’t even do a lot of what is recommended on here. When we only give solutions that are for advanced threat models, we’re potentially spooking people who would otherwise at least be doing something that improves their situation.

It’s more likely with this forum specifically because Techlore tries to target people at all threat models. The folks who watch Mental Outlaw and the Hated One are probably way more advanced than the person who’s just learning about how much Google tracks people. I don’t want us to alienate those people with our answers because they represent the vast majority of people.

But like I said, I think that by and large we’re doing alright. I just wanted to put the vibe out there that we want to remain open to the non-techies who pop in. :slight_smile:

15 Likes

Absolutely good points!
This community is so diverse that we might sometimes end up giving too little or too much for some people to do.

Maybe @techlore can add a badge or something next to a user’s profile that indicates the threat model of the user (this can either be done in a level system ex. lvl 1 is meta fanboy and lvl 5 is criminal on the run, or with something like term grouping ex. tech-savvy or noobie etc…)

This imo would be great to avoid repetition in various posts and is a better way overall to classify users.

2 Likes

I like the idea, but I think it’s kind of hard to quantify. There is also a degree of bias/opinion from both parties, the OP and replier.

I cannot think of a good way of doing it. Whether its done by score, flair, or something else. They all have problems.

What I propose, is more of a advice template. Something which when the user creates an advice thread, they need to populate. Something like:

What do you want advice about?

What have you considered, and/or looked at?

In brief, tell us about your privacy threat model?

I thought it would be cool to have something similar. What I thought was to use the same Zone 1, Zone 2, and Zone 3 format that Techlore use in their videos and in there quiz. It’s a format that’s familiar to long-time viewers, easy to explain, and potentially easy to display (give people a green, yellow, or red circle next to their profile pic).

I have no idea how easy or hard that would be to implement.

@Blurb5778’s idea might be cleaner, of just providing a template whenever someone wants to use the Get Advice category.

I’m sure there are lots of ways to suggest this idea, but I’m also ok with not implementing anything yet. I just wanted to get the word out for new people.

2 Likes

Great idea. However, as already mentioned above, this would require to define some categories if we want to implement anything new. Alternatively, we can just copy-paste notes about one’s threat model to each new post, either following a template or just in unformatted text.

Just as some food for thought, I think that the most straightforward solution would be to use the About Me section of user’s profiles. Everyone could write a few points about their threat model there, and the respondents could view these notes anywhere on the forum. If one cares enough to respond, the few seconds of reviewing the user’s profile should not be that much of a burden. Furthermore, we could respond appropriately in every situation. Not just to the original poster who provided the information about their threat model in the first post, but to all users active in the comments as well. This way, there is no duplication of text, templates etc., no requirements for implementing anything. Moreover, when someone’s threat model is not specified in their profile, one could just ask them if they could write a few notes there and then notify the post thread again. After that, whenever the new user writes anything anywhere, everyone can review their profile and see for themselves what is their threat model.

Considering this option, if one would like to ask a general question for some specific threat model, not only their own, they could specify this fact in the post itself. Otherwise, there would be a template to fill with false information about their “current” threat model or badge to change just for this one post. But then the user changes this badge again and the original post loses its threat model category.

Nevertheless, I agree that having a colourful badges and/or circles around their profile pictures etc. would be severely cool, but also much more difficult to implement, manage and in general do properly (specify categories, etc.).

This would not be exceptionally difficult, we already theme users/posts based on forum groups anyways (see this very reply distinguished as Techlore Team for example, so I’ve already figured out the custom CSS is possible). As already brought up, the difficult part is quantifying what the different groups would actually be. I don’t quite see how people could belong to a certain Zone like you mentioned. You can see plenty of examples in the SPA thread where people complete zones 1 and 3 but get half on 2, or only partially complete all of them, etc.

This is an excellent idea, I’ve added these questions to the topic template!

Agreed.

1 Like

using the about me section is the most straight-forward way, however I’m trying to come up with something more new user friendly

adding a new layer to this: maybe have a field in either the profile, the preferences section or even the new user creation page where someone can briefly type what their threat model is.
Since it’s pre-written, it would be easier to implement a button you can press to fill it in the template or even autofill it on every new post.
This would save a little bit of time and be easier for new users, with the added benefit that other people can still see it for replies if it’s part of the profile.
It would be a field that would look something like:

-Briefly define your threat model:
Type threat model here 

I would like to add that even when someone has a threat model or strategy or goal listed, it should be acceptable to show there are multiple routes to achieving that threat model or strategy or goal.

For instance, with a “what phone to buy”, I’d talk about both an iPhone with certain settings off and GrapheneOS, while explaining the pros and cons, along with potentially solid use cases for both.

Even something like “I’d like to avoid the data-sucking of Gmail” is a totally valid threat model or goal. It is specific, reasonable, and perfectly understandable.

As what can happen when a threat model or strategy or goal is completely ignored is a very unhealthy thing to do: I have seen people go out of their ways to put themselves in even more danger than if they didn’t do anything at all. This includes engaging in crime, always striving for near-perfect anonymity to the point people will naturally come to distrust and shun them, being extremely hostile and aggressive to the point they think in absolutes (“All Big Tech companies are extremely user-hostile and deserve nothing but absolute hostility! Fuck these pure evil pricks who must go out of business and never come back!” or “How dare you use [insert company or service]. Fuck off.”) , harassing/intimidating people who even slightly question their threat model and reasoning, and so on.

There is a reason why I really like the Techlore, PrivacyGuides, and PrivacyToolsIO communities a lot. At worst, some may become hyper-pragmatic, but this is a huge difference from gatekeeping. Hyper-pragmatic means to be idealistic (yet somehow realistic) while gatekeeping is irrational.

1 Like