Surveillance threat models - resources needed for a documentary film

Ojiro · 2017-08-01 10:18:49 UTC

Hi there,

I just discovered Tinfoil.press, very happy about it. A Tinfoil.press member I was writing with recommended to adress my question to the community.

I am researching users threat models for a documentary film dedicated to surveillance. The idea is to identify the threat model (asset to protect, attacker, attacker's capabilities, threat, risk of an attack) of different categories of people to help create a better understanding of surveillance and counter-surveillance tactics.

For example:
A US citizen might want to protect some assets (i.e. sensitive information) from trackers to avoid a credit rating/ banking credentials from a black-hat hacker.
A journalist in Germany working on an insider trading scandal will need to protect his source from his employer in order to get his story out without a trial.
A Kurdish activist living in Ankara needs to communicate with his fellows to publish a forbidden fanzine. His group is scrutinized by Turkish authorities. (...)
Others categories could be: human rights researcher, teenager being bullied, LGBT...
I also try to identify the threat model of people who would be less at risk and to whom "normal/random" people could easily relate to: a lawyer, an entrepreneur with an innovative technology, a doctor, a professor......

I didn't find much on this approach on the net, a part from the EFF Surveillance Self Defense guide, this interesting article, a slate and a wired story.

What are your thoughts on this approach? Do you find it relevant/reducing to apply a threat model to social categories, considering their environment/regime they live in?
I am looking for material/reads related to the issue.

Thank you in advance,

Ojiro

stuohy · 2017-08-01 15:44:10 UTC

Hey Ojiro,

I would guess that the reason you are not finding much on threat modeling being applied in the way you describe is because that process is usually called risk assessment, not threat modeling. Here is a short link list of risk assessment related documents you can start with. The terminology used in these documents can guide you to a plethora of other resources.

Ojiro · 2017-08-07 09:30:10 UTC

Hi Stuohy,

thanks for the answer and the links. Went through all of them, and then further into Callagher and Shostack writings. I see some people still use the term threat modeling for privacy.

For example in the Self Defense Surveillance guide from the EFF or in the Arsenica article:
"In the most basic sense, threat models are a way of looking at risks
in order to identify the most likely threats to your security. And the
art of threat modeling today is widespread. Whether you're a person, an
organization, an application, or a network, you likely go through
some kind of analytical process to evaluate risk.
Threat modeling is a key part of the practice people in security often refer to as "Opsec."
By using threat modeling to identify your own particular pile
of risks, you can then move to counter the ones that are most likely and
most dangerous."
Grateful for the links, feel free to send more.

eyesopen117 · 2018-01-14 21:01:45 UTC

Hi Ojiro,
I just joined, I would fall under the category of human rights researcher; I do not fully understand if you are seeking examples of the need for digital security or physical security; though the two are not mutually exclusive.
In any case here is an extreme brief on what I know and what has happened to me.
The law rules us all and to not understand or deal with it is fatal.
I have studied like a maniac the law for five years; as I was sickened by what allegedly passes as justice in Canada and therefore committed myself to not letting law be used as a weapon against me and my family; and I have figured out how they do what they do; why their laws are so conflicting; and why; though you are told you have all of these wonderful rights; you have never been taught how to enforce any of them; and it is your lawful enforcing of these rights that is deemed a threat to national security; but almost no one understands how to enforce them.
By the way: national security is most often a reference to monetary issues not military; and with the signing of the Bretton Woods and Related Agreements Act, each signing nation gave up control of their central bank and therefore their currency to international private bankers and therefore cannot claim sovereignty;
I have figured this out and that is why upon my mailing myself lawful documents I produced; my home was invaded by a warrant to search; by a “justice of peace” acting outside his jurisdiction and therefor was acting as my minister; and the RCMP took my many original mailings and notices; for which they have neither cataloged nor returned;
I don’t know if this is what you are looking for; or are still looking for; I am in the middle of several legal battles with the state party and have little time to deal with internet and other security breaches; but I have had my word documents close without warning or cause more than once; loosing vital work and time.
Regards,
Eyesopen117