When thinking about anonymity, there is something you should decide first.
It is, "What do I want to protect, and from whom?"
It is not realistic to hide every piece of information completely from every actor. The countermeasures needed also differ from person to person.
An ordinary individual, journalist, whistleblower, activist, and company staff member have different things to protect and different likely adversaries.
The way of organizing this premise is a threat model. The way of organizing which services or actors you trust is a trust model.
This article organizes threat models and trust models as premises for thinking about anonymity.
What Is a Threat Model?
A threat model is a way to organize who is targeting what, and by what means risk is created.
When thinking about anonymity, start with questions like these.
Whom do you want to protect against?
What do you not want known?
Which pieces of information would cause trouble if they were connected?
What level of capability does the actor have?
How much risk can you tolerate?
For example, the measures needed when you do not want friends to know about another account are completely different from the measures needed when protecting a source from an organization with strong authority.
If you choose countermeasures without making a threat model, you may do things that are more complicated than necessary, or conversely overlook important risks.
Decide What You Want to Protect
The first thing to think about is what you want to protect.
For anonymity, the thing you protect is not only your real name.
| What you want to protect | Example |
| --- | --- |
| Real name | Name, face, ID, real-name account |
| Affiliation | Workplace, school, organization, department |
| Routine places | Address, commuting area, places you often go |
| Sources and people involved | Information providers, collaborators, peers |
| Activity content | Posts, investigations, whistleblowing, browsing history |
| Communication path | IP address, DNS, destination, communication time |
Simply saying "I want to stay anonymous" is not enough. You need to think concretely about what would cause trouble if it were connected with what.
Decide Who You Want to Protect Against
Next, think about the actor you are concerned about.
In anonymity work, the information visible and the means available differ depending on the actor.
| Actor | Information that may be visible | Note |
| --- | --- | --- |
| Destination website | IP address, cookies, login state, request content | Site-side logs and account information are involved |
| ISP or telecommunications provider | Connection time, destination IP, traffic volume, and similar information | HTTPS content is hard to read, but metadata may remain |
| VPN provider | Information related to VPN user connections | When you use a VPN, the trust point moves to the VPN provider |
| Users on the same Wi-Fi | Unencrypted communication, connection status | Public Wi-Fi requires particular caution |
| Workplace or school | Device, network, logs, management systems | Administrative authority may be strong |
| Investigator or third party | Public information, posts, images, past accounts | Correlation through OSINT may be possible |
Deciding the actor makes it easier to see the necessary countermeasures.
Estimate the Other Party's Capability
It is important not only who the actor is, but also what level of capability they have.
Is a friend only searching social media? Can a service operator see access logs? Can a workplace or school administrator see network logs? Can a state agency request disclosure of records from a telecommunications provider?
If capability differs, the necessary countermeasures also differ.
| Capability | What may be possible |
| --- | --- |
| Searching public information | Searching for usernames, images, and past posts |
| Checking internal service logs | Seeing IP addresses, login history, and operation history |
| Network administration | Seeing destinations, traffic volume, and DNS queries |
| Device administration | Seeing browser history, installed apps, and files |
| Legal authority | Requesting disclosure of records from providers |
If you assume every actor has maximum capability, realistic action becomes difficult. On the other hand, underestimating an actor's capability is dangerous.
You need to think within a realistic range that matches your purpose.
What Is a Trust Model?
A trust model is a way to organize who you rely on, and who you do not trust, when using a system.
When you use anonymity tools, the actors who can see information change. The visible information does not simply disappear; in some cases it moves to another actor.
For example, when you use a VPN, your home IP may become harder for the destination website to see. However, the VPN provider may be able to see information related to the user's communication.
When you use Tor, the destination may see the Tor exit node. However, if you use Tor incorrectly, login state or browser information may still create links.
| Method | Actor or mechanism trusted | Note |
| --- | --- | --- |
| Normal connection | ISP, destination service | Your home or workplace IP may be visible |
| VPN | VPN provider | You need to trust the VPN provider's logging policy and operation |
| Tor | Tor network design, Tor Browser operation | If you use it incorrectly, other clues remain |
| Public Wi-Fi | Wi-Fi operator, facility environment | It may connect with on-site logs or surveillance cameras |
| Cloud service | Service operator | Accounts, logs, and stored data are involved |
When thinking about anonymity, you need to look not only at "Is this tool safe?" but also at "Who is this design trusting?"
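As an added illustration (not part of the original article), the sketch below models a connection as a chain of hops in which each observer sees only the addresses next to it, then lists who can tie the user to the destination on their own. The hop names, the three-relay Tor path and the `logged_in` flag are assumptions of this simplified model; traffic-timing correlation is not modelled.

```python
# Added example: where does the "user <-> destination" link end up?
# Simplified model: an observer learns only the addresses on either side of it.

def observers(hops, carriers=None, logged_in=False):
    """Map each observer to the set of endpoints it can see.

    hops      -- endpoints in order; first is the user, last is the destination
    carriers  -- {link_index: name} for networks carrying a link (e.g. the ISP)
    logged_in -- True if the user signs in to an account tied to them
    """
    seen = {}
    # Relays and the destination see the previous hop, themselves, and the next hop.
    for i in range(1, len(hops)):
        seen[hops[i]] = set(hops[i - 1:i + 2])
    # A carrier sees the source and destination address of the link it carries.
    for i, name in (carriers or {}).items():
        seen[name] = {hops[i], hops[i + 1]}
    # Login state or cookies identify the user at the application layer,
    # whatever the network path looks like.
    if logged_in:
        seen[hops[-1]].add(hops[0])
    return seen


def linkers(hops, carriers=None, logged_in=False):
    """Observers that see both the user and the destination."""
    user, dest = hops[0], hops[-1]
    seen = observers(hops, carriers, logged_in)
    return sorted(name for name, s in seen.items() if {user, dest} <= s)


ISP = {0: "ISP"}  # assumption: the ISP carries the first link in every scenario
SCENARIOS = {     # constructed hop names, for illustration only
    "normal": ["user", "destination"],
    "vpn": ["user", "VPN provider", "destination"],
    "tor": ["user", "guard relay", "middle relay", "exit relay", "destination"],
}

if __name__ == "__main__":
    for name, hops in SCENARIOS.items():
        print(f"{name:7} can link user to destination: {linkers(hops, ISP)}")
    print("tor + login:", linkers(SCENARIOS["tor"], ISP, logged_in=True))
```

With a VPN the set of linking observers shrinks to the VPN provider alone, which is the "trust point moves" effect described above; with Tor it is empty until login state puts the destination back in.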
Without a Threat Model, Countermeasures Drift
Without a threat model, countermeasures easily drift away from their purpose.
For example, if you only do not want a destination website to see your home IP, a VPN may be enough. However, if you consider the VPN provider an actor you cannot trust, a VPN alone may not fit your purpose.
If you do not want a real-name account and an anonymous account to be linked, cookies, login state, browser separation, writing style, and posting time may be more important than the communication path.
When a whistleblower handles internal organizational materials, not only the network path but also document metadata, access rights, distribution history, and the trustworthiness of consultation contacts become important.
Countermeasures change depending on what you want to protect and who the actor is.
Think in Risk Levels
A threat model is not for assuming the highest level of danger every time.
Risk has levels. A person who wants to post about a hobby under another name and a person who is reporting wrongdoing at work need different preparation, even if both use the word anonymity.
| Situation | Main actor | Countermeasures to emphasize |
| --- | --- | --- |
| Low-risk posting under another name | Acquaintances, third parties who search | Avoid reusing usernames, writing style, and images |
| Consultation you do not want your workplace to know about | Workplace-related people, service operators | Avoid workplace devices, and blur content and time |
| Source protection | Related organizations, investigators | Review contact paths, materials, and reverse inference from published articles |
| Whistleblowing | Organization, actors with legal authority | Handle document metadata, access history, and submission destination carefully |
| Accessing information under censorship | ISP, state agencies, service operators | Think separately about communication paths, devices, and real-world safety |
The higher the risk, the more important it is not to make decisions from articles alone.
Using trusted consultation contacts, such as lawyers, support organizations, or newsroom safety staff, is also part of the threat model.
A Simple Threat Model to Make First
You do not need to make a complex threat model from the start.
At first, filling in the following table is enough.
| Question | Example |
| --- | --- |
| What do you want to protect? | Real name, workplace, source, routine places, anonymous account |
| Whom do you want to protect against? | Destination site, workplace, school, third party, state agency |
| What would cause trouble if connected? | Real-name account and anonymous post, IP and posting time, document and author |
| What can the actor see? | Public information, server logs, communication logs, device information |
| | Low-risk anonymous posting, or high-risk whistleblowing |
Thinking through this alone organizes the necessary countermeasures considerably.
Summary
A threat model is a way to organize what you want to protect, and from whom. A trust model is a way to organize which actors or services you rely on when you act.
When thinking about anonymity, it is not realistic to hide everything from every actor. You need to separate what you want to protect, the likely actors, their capabilities, remaining clues, and the actors you trust.
Countermeasures such as VPNs, Tor, public Wi-Fi, encryption, and account separation change meaning depending on the purpose.
First deciding "What do I want to protect, from whom, and to what degree?" is the starting point for thinking about anonymity.