More on Threat Modeling Privacy

Recently, we shared a privacy threat model which was centered on the people of Seattle, rather than on the technologies they use.

Because of that, we had different scoping decisions than I’ve made previously. I’m working through what those scoping decisions mean.

First, we cataloged how data is being gathered. We didn’t get to “what can go wrong?” We didn’t ask about secondary uses or transfers — yet. I think that was a right call for the first project, because the secondary data flows are a can of worms, and drawing them would, frankly, look like a can of worms. We know that most of the data gathered by most of these systems is weakly protected from government agencies. Understanding what secondary data flows can happen will be quite challenging. Many organizations don’t disclose them beyond saying “we share your data to deliver and improve the service,” those that do go farther disclose little about the specifics of what data is transferred to who. So I’d like advice: how would you tackle secondary data flows?

Second, we didn’t systematically look at the question of what could go wrong. Each of those examinations could be roughly the size and effort of a product threat model. Each requires an understanding of a person’s risk profile: victims of intimate partner violence are at risk differently than immigrants. We suspect there’s models there, and working on them is a collaborative task. I’d like advice here. Are there good models of different groups and their concerns on which we could draw?

(Cross-posted to my personal blog.)

TA3M February 2018: Privacy Threat Modeling for The Seattleite

February 19 @ 6:30 pm – 9:00 pm

SURF Incubator
999 3rd Ave Suite 700
Seattle, 98104 United States

6:30 – 7 Casual chat, Cryptoparty / PGP key exchange / Signal
Verification, Intro slide(s)

We’ll have pizza! **


Privacy Threat Modeling for The Seattleite

Speaker: Adam Shostack

Seattle Privacy Coalition, led by Adam Shostack and #6 worked through 2017 developing a privacy threat model for an average person in Seattle. If you are an activist, journalist, lawyer, politician etc – these baseline threats still apply. Where and how is privacy violated during the every day activities of someone who lives and/or works in or near Seattle? What can be done to mitigate or protect one’s privacy?

  • Model and categorize the ways data are collected (for example, government vs non-government, is there an opt-out, what does it cost?).
  • Create an inventory of things people do and ways data is gathered to form a set of building blocks, from which to do further analysis.
  • Get to a method, process, or tool that can be applied by different target groups with different threat models effectively and help us think about more holistic defenses.
  • Ultimately, to inform, influence, and identify areas for intervention.

Project homepage:

Initial post:

Latest update:

Exciting recent news – Seattle Privacy Coalition was formed around the incident of Seattle Police Department acquiring a drone, and the creation of a DOD subsidized surveillance mesh network. The drone was promptly removed (to LA – sorry LA), but the mesh network remained.. ostensibly unused, until now, finally:

Speaker Bio:

Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security


Pizza sponsored by Cloudflare.

Be prepared that there will be an opt-out group photo, taken from the back of the room to fulfill the sponsorship requirements.

Threat Modeling the Privacy of Seattle Residents

[Update Feb 23: Updated spreadsheet based on initial feedback]

[Update, Feb 21: here’s the deck I used: web version, pptx deck.]

I’m pleased to say that we have some first results from our threat modeling for Seattle resident privacy project. In this post, I’m going to share those results, and look forward to what we might do next. (See A Privacy Threat Model for the People of Seattle and Introducing Threat Modeling For Seattlites for more background.)

This blog post provides an overview, and there’s a longer discussion in Seattle Resident Threat Model white paper (draft).

Overall, I’m happy to say that the effort has been a success, and opens up a set of possibilities.

  • Every participant learned about threats they hadn’t previously considered. This is surprising in and of itself: there are few better-educated sets of people than those willing to commit hours of their weekends to threat modeling privacy.
  • We have a new way to contextualize the decisions we might make, evidence that we can generate these in a reasonable amount of time, and an example of that form.
  • We learned about how long it would take (a few hours to generate a good list of threats, a few hours per category to understand defenses and tradeoffs), and how to accelerate that. (We spent a while getting really deep into threat scenarios in a way that didn’t help with the all-up models.)
  • We saw how deeply and complexly mobile phones and apps play into privacy.
  • We got to some surprising results about privacy in your commute.



What we can learn from this:

  • Walking and biking are the most privacy preserving commutes. Everything else generates long-term records of your movement. However, some electric bikes have anti-theft GPS built in, as do the new dockless rental bikes.
  • It’s easier to prevent camera tracking on a bike because a helmet is not as attention-grabbing as a mask. Bikes also limit “gait biometrics.”
  • Motorcycles have far less electronics and fewer radios than a car, but still carry license plates and may be tracked via road toll systems. There’s obviously complex tradeoffs involved in motorcycle commuting, but it wasn’t obvious to us going in that privacy could play in those tradeoffs.
  • Between Lyft/Uber and your own car, your own car is trackable in more ways, and more ways that tie to you.  Unless you’re worried about those companies, you’re better off with a taxi or carshare.  If you’re worried about Feds or local government, there are a lot of parties a government will subpoena, and so that’s neutral.  (Taxis vs app-driven: if you call a taxi, your pickup location/phone combo may be recorded.  If you hail it, then pay with a card, your dropoff location may be recorded.  If you hail and pay cash, then you’re more private than with an app.  Thanks to @internmike for teasing that out.)

We also looked at phones. There’s a set of radios, some of which (bluetooh, wifi) can be turned off with less impact on usability. The cellular network radios can only be turned off with a substantial loss of function. We also discussed differences in usability of turning off app access to location between various brands.

Next Steps

One of the things we did not do was a risk assessment for any particular vulnerable group, but we believe that the information we’ve gathered can support and accelerate such analysis. For example, we know that cell site location information can only be disabled by discarding a mobile phone or leaving it in airplane mode. We also know that DHS collected mobile phone information from DACA applicants . We have not attempted to analyze this or its implications, but we’d be happy to do so in partnership with organizations that have specific concerns.

Since we were exploring how we might do this, we have not yet produced a guide to doing it yourselves.

The Raw Data

The raw data is available under a creative-commons attribution license. Here it is as an Excel spreadsheet. (We use xlsx rather than CSV because we needed Excel’s “sheets” feature.) Here’s a version in Excel and a web view, exported HTM here.

CTAB Privacy, January 2018

Hello CTAB Privacy & Cybersecurity! My name is Torgie, and I’m very excited to announce our first meeting of 2018 as chair of this committee! I had hoped to have our first meeting a little sooner, but wanted to ensure everyone had enough time to make it. Please review the details and agenda, and let me know if you want to add or include additional items. Thank you very much!

* * * * *

Date: Tuesday, 1/30/2018
Time: 5pm-6pm
Seattle Public Library – Montlake branch
2401 24th Ave E, Seattle, WA 98112

– Introductions
– Approve agenda
– Election of vice-chair
– Gather schedules for recurring meetings
– Define 2018 goals
– Open floor / comments

Click and press Send:
Privacy and Mailing List Policy:


From: Torgie Madison, torgie at gmail dot com

TA3M Seattle for January 2018

In case you’ve forgotten us with our holiday hiatus, we’ll be back in January, so save the date:

6:30 – 7 Casual chat

We’ll have pizza! **

7 – 7:45 Emerald Onion

Emerald Onion has been online for 7 months now! They will provide a review of what they started, current work, and future ideals. More info at

7:45 – 8:15 Seattle Privacy Coalition meetup

It has been a while since Seattle Privacy Coalition has had an open members meeting, and a lot has happened! None of these are formal talks, just quick updates on what SPC has been up to, and how you can get / stay involved. More info at

8:15 – 9PM

Currently unknown!


** We’re going to try and get food sponsored by Cloudflare this time, if they’ll do it:

Of course, they require us to list them as a sponsor, but the biggest potential issue is that they require a photo of the group, for proof. The current plan is to have (willing) folks stand in-frame with their backs to the camera, or a mask.