A threat model is a way to organize "what you are protecting, from whom, and to what degree."
When thinking about anonymity, choosing tools first leads to mistakes.
Do you need a ? Do you need ? Is account separation enough? Should you avoid publishing at all? These decisions change depending on what you are protecting and from whom.
Beginners should start by making a simple threat model.
Who are you protecting against?
First, think about who would create problems for you if they saw the information.
Actor
Example
General readers
People viewing social media, people who find it through search
People you know
Family, friends, coworkers, school-related people
Service operators
Websites, SNS, cloud services
Organizations
Employer, school, group
Powerful actors
Organizations with investigative capability, state agencies, attackers
When the actor changes, the countermeasures also change.
A post you do not want family to see and a situation where you do not want an organization to learn a source require different preparation.
What are you protecting?
Next, separate the information you want to protect.
Think about whether you are protecting only your name, also where you live or spend time, also people involved, or also the communication path.
What to protect
Example
Identity
Real name, face, workplace, school
Everyday locations
Nearest station, region, shops you often visit
People involved
Family, peers, sources, coworkers
Communication path
IP address, destination, communication time
Past information
Old handles, past posts, search results
If what you are protecting is vague, the items you need to check also become vague.
How serious would the impact be?
Separate the severity of the risk as well.
The level of caution you need changes depending on whether it would be a little embarrassing, affect your workplace or school, or put family or sources in danger.
Risk
Example
Low
You do not want people you know to see a hobby account
Medium
It would be a problem if your workplace or school found out
High
Sources, whistleblowers, or activity participants could come under suspicion
Very high
Legal or physical danger, or severe retaliation, may be possible
In high-risk cases, do not make decisions from articles alone. Consider consulting specialists or trusted support contacts.
From where is it visible?
In a threat model, think not only about "who sees it," but also "from where it is visible."
Even with the same information, what is visible differs for a website, a social media operator, a workplace network, family, or a search engine.
Where it is visible
Examples of visible information
Website side
IP address, cookies, login state, access time
Readers on social media
Post content, images, replies, profile
Search engines
Public pages, images, past profiles
Workplace or school network
Destination, communication time, traces of device use
Close acquaintances
Phrases you use, where you live or spend time, photo backgrounds, past stories
Beginners often overlook close acquaintances.
Even if a stranger would not understand something, family, coworkers, or friends may understand it.
Think through examples
Threat models are hard to understand if they stay only in abstract terms.
Looking at several examples makes it easier to see the countermeasures you need.
Situation
Who to protect against
What to watch
You want to create a hobby account
Workplace or people you know
Do not reveal old handles, face photos, or where you live or spend time
You want to ask for advice about family problems
Family or people in the area
Generalize family structure, school, region, and timeline
You want to announce an activity
Opponents or trackers
Protect venue, participants, posting time, and contact network
You want to provide materials
The organization you belong to
Check file metadata, access history, and submission destination
When the situation differs, the places to check also differ.
That is why it is dangerous to skip the threat model and settle for "just use a VPN."
Decide what not to do
A threat model is useful not only for deciding what to do, but also for deciding what not to do.
For example, in a high-risk situation, you may need to decide not to contact people using a real-name account, not to access from a workplace device, not to post from the scene, and not to send the original file as-is.
Action to avoid
Reason
Doing anonymous activity with a real-name account
The behavior connects directly to the person
Using a workplace or school device
Administrative logs and network history remain
Reusing a face photo
Image search connects it to past accounts
Posting before you can judge the risk
Unchecked risks remain
Replying emotionally
It becomes easier to add unnecessary information
Anonymity is often protected more by what you avoid than by what you do.
Questions for beginners
You do not need to overcomplicate this.
First, answer the following questions.
Question
Purpose
Who would it be a problem for if they saw it?
Decide the actor
What would it be a problem for them to see?
Decide the information to protect
What does the current post connect to?
Look at correlation
Would it be a problem if it could not be deleted after publication?
Check information that cannot be taken back
Are there any remaining items you cannot judge?
Find unchecked risks
Even just these five questions can substantially change your pre-publication judgment.
Start small and update it
A threat model is not something you make once and then keep fixed.
It is fine for it to be simple at first. Write down who it would be a problem for if they saw it, what would be a problem if it became visible, and which actions to avoid. After that, update it when your activity or risk changes.
Change
What to revisit
Example
Post content changed
Information to protect
It changed from hobby posts to workplace stories
Actor changed
Who to protect against
You start considering not only people you know, but also organizations
Environment changed
Visible places
You changed from home to public Wi-Fi
You started handling files
Metadata
PDFs and photos need checking
Responses increased
Post-publication operation
Do not reveal too much information in replies or DMs
You do not need to turn a threat model into a difficult document.
What matters is not forgetting what you are protecting.
Choose tools after the threat model
VPNs, Tor, dedicated browsers, and metadata removal tools are useful.
However, which ones you should use is decided after the threat model.
Situation
What to think about first
What remains with tools alone
You want to change the source IP
Who you do not want to show the IP to
s and login state
You want to hide the communication path
What to hide from the ISP or destination
Post content and writing style
You want to publish a file
What exists in metadata or backgrounds
Personal information in the text
You want to create an alias account
What to separate from the real-name side
Topics, time, images
Think not "whether to use a VPN," but "what changes with a VPN, and what remains."
Following this order reduces overconfidence in tools.
In high-risk situations, not publishing is also an option
When you make a threat model, you may also see situations where it is better not to publish.
Content where the candidate set is too small, content that involves other people, content with legal risk, and content related to internal organizational materials or sources is not always best suited to public release.
There are options other than publication, such as consultation, documentation, evidence preservation, and contacting specialists. When choosing where to consult, also check identity verification, how records remain, contact paths, and the scope of information you will submit.
Anonymity is not a technology for publishing everything. It is also judgment about what not to reveal.
Summary
A threat model is the starting point of anonymity.
It decides what you are protecting, from whom, and to what degree.
Beginners should organize the actor, the information to protect, and the strength of the risk before choosing tools.
Not everyone needs the same countermeasures.
Creating a threat model that fits your situation can reduce both excessive anxiety and dangerous carelessness.
Related articles
Basics
Threat models for beginners
A beginner-oriented guide to organizing what you are protecting, from whom, and to what degree before choosing anonymity tools.