Terminology

What is a threat model

For any given piece of information, the threat model is who or what you are protecting it from. For example, for your social security number the threat model is identity thieves; it is not, however, the government, which already knows it. Threat modeling is important because trying to apply privacy measures without it can lead to paranoia, or to burning out and giving up, since it is impossible to hide everything from everyone.

What is a secret project

“Secret project” is a term I made up to describe any activity that has a higher threat model than your usual one. It can be anything, even something as small as buying a cake for a surprise birthday party: that purchase has to be hidden from the birthday person, so it has a higher threat model than your other purchases. In this guide I will frequently distinguish between something that is part of the normal threat model and a secret project.

Signal

Keep using Signal!

If you are using Signal as part of your normal threat model, or because it is convenient, then by all means keep using it. My criticisms of Signal in this section are mainly a reaction to it being over-recommended, and recommended for secret projects.

Criticisms of Signal

  1. Signal requires a phone number to create an account, which makes it very difficult to use anonymously.
  2. Signal pretends to be open source.

I mentioned this in my previous privacy guide: Signal releases its source code, but there is no way to prove that the app on their website and in the app stores is built from the source code they released, which is what you would need in order to prove it has no backdoors.

Community Self Hosting

What’s more secure than a service you can trust? A service that you run yourself: self hosting.

Nextcloud

Nextcloud is an all-in-one self hosting solution that includes Files (to help you ditch Google Drive), Talk (an alternative to Signal for texting and calling) and hundreds of other Nextcloud apps.

A more paranoid setup

Okay, fine, here’s the paranoid setup; all the concepts here will be expanded on later in the series. Go to Proton Mail’s onion service and make a burner account with just a username and password (no recovery email). Make a PGP key for the account and store it in a keybox (a VM, Tails with persistent storage, or an air-gapped machine). When using the email, attach PGP messages as attachments to prevent leaking metadata. So there, go be paranoid now.
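To show what the "attach PGP messages as attachments" step actually hides, here is an added example (not code from the original post) that builds the inner message that goes to gpg, wraps the resulting ciphertext as an attachment under a meaningless subject, and checks which sensitive strings a relaying mail server could still read. The ciphertext is a constructed placeholder standing in for real `gpg --encrypt --armor` output; sender, recipient, subject and body are made up.

```python
from email import policy
from email.message import EmailMessage

# Constructed stand-in for what `gpg --encrypt --armor` would emit for
# the inner message; real ciphertext contains none of the inner words.
PLACEHOLDER_CIPHERTEXT = (
    b"-----BEGIN PGP MESSAGE-----\n"
    b"hQEMA0placeholderOpaqueBlobNotRealCiphertext=\n"
    b"-----END PGP MESSAGE-----\n"
)


def build_inner_message(subject: str, body: str) -> bytes:
    """Plaintext that goes to gpg: the real subject is inside it, so it
    gets encrypted along with the body instead of travelling in the clear."""
    inner = EmailMessage(policy=policy.default)
    inner["Subject"] = subject
    inner.set_content(body)
    return inner.as_bytes()


def naive_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """What most clients send: subject and body both in the clear."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def wrap_as_attachment(sender: str, recipient: str, ciphertext: bytes) -> EmailMessage:
    """Transport email: a meaningless subject and the encrypted inner
    message attached as a file, so servers only see the envelope."""
    outer = EmailMessage(policy=policy.default)
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, "..."
    outer.set_content("See attachment.")
    outer.add_attachment(ciphertext, maintype="application",
                         subtype="octet-stream", filename="message.asc")
    return outer


def leaked_terms(msg: EmailMessage, sensitive: list[str]) -> list[str]:
    """Which sensitive strings can a relaying server read? Checks the raw
    wire bytes and every decoded MIME part (attachments are base64 on the
    wire, so decoding them keeps the check honest)."""
    visible = [msg.as_bytes().decode("utf-8", "replace")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_content()
        if isinstance(content, bytes):
            content = content.decode("utf-8", "replace")
        visible.append(content)
    return [t for t in sensitive if any(t in v for v in visible)]
```

Run `leaked_terms` against both `naive_message(...)` and `wrap_as_attachment(...)` with the same sensitive words: the naive message exposes the subject and body, the wrapped one exposes only the From/To envelope, which the mail provider sees regardless.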