What Is a Trust Model?

Basics

When thinking about anonymity, it is dangerous to think only, "If I use this tool, I will be safe."

If you use a , the information visible to the ISP changes. However, the VPN provider becomes a new point of trust. Cloud services are convenient, but you need to trust the cloud provider and the people you share with. When using SecureDrop or anonymous posting services, trust in the submission destination and operators is also involved.

A trust model is a way to organize which actors you are willing to show particular information to.

This article explains the basics of trust models in anonymity. Threat models and trust models are closely related, so they are covered in detail in "Threat Models and Trust Models."

What is a trust model?

A trust model is a way to organize "whom you trust" and "what that actor can see."

In anonymity, information rarely disappears completely. In many cases, the actor who can see it changes.

Tool or situation	Trusted actor	Information that may be visible
Normal connection	ISP, destination service	Destination IP, source IP, login information
VPN	VPN provider	Connection source, VPN usage, information related to communication destinations
	Tor's design, node distribution	Visible information is divided between entry and exit
Cloud sharing	Cloud provider, people you share with	Files, owner, sharing history
Anonymous posting destination	Service operator	Post content, logs, submission time

Instead of thinking "no one can see it," look at "who can see it now."

VPN trust model

A VPN changes the IP address visible to the destination to the VPN server.

However, in exchange, you trust the VPN provider. This is why you check its logging policy, operator, jurisdiction, app, audits, and transparency reports.

Actor	What is visible when using a VPN	Caution
ISP	Connection to the VPN server	The final destination is harder to see directly
VPN provider	Information needed to provide the service	Check the logging policy and operation
Destination site	VPN server IP	s and logins remain
The user	Manages post content and logins	Operational mistakes create correlation

A VPN is not a tool that removes the need for trust.

It is a tool that changes where trust is placed.

Tor trust model

Tor does not gather the communication route into a single VPN provider. Instead, it divides roles among multiple relay nodes.

The entry node knows the user's connection source, but does not directly know the final destination. The exit node knows the destination, but does not directly know the user's original IP.

Actor	Visible information	Caution
Entry node	User's connection source	Does not directly see the final destination
Middle node	Part of the route	Hard to see the whole picture
Exit node	Destination	Can see content if communication is plaintext
Destination site	Tor exit node	Logins and cookies remain
ISP	The fact that Tor is being used	Tor use itself may stand out

Tor is designed to distribute trust.

Even so, if you identify yourself through login state or post content, anonymity becomes weaker.

Procedure for checking a trust model

Check the trust model before choosing a tool.

Question	What to check
Whom do you want to protect against?	ISP, destination, workplace, service operator, investigator
What do you not want visible?	IP, post content, files, people involved, time
Who may see it?	VPN provider, cloud, submission destination
Will logs remain?	Server, app, DNS, internal organization logs
What is the impact of failure?	Consultation, whistleblowing, activism, source protection

In high-risk activity, there are situations where it is better not to judge the trust model alone.

When whistleblowing, source protection, or physical safety is involved, consider consulting lawyers, support organizations, or trusted professionals.

Common misunderstandings

A common misunderstanding about trust models is thinking that you can reduce trust to zero.

In reality, in many situations you trust some actor: a VPN provider, Tor's design, a cloud provider, an email service, a submission destination, or a consultation contact. In anonymity, you consciously choose that trust.

Misunderstanding	Correct view
With a VPN, no one can see anything	The VPN provider becomes a new point of trust
With Tor, post content is hidden too	Communication route and post content are separate
Private cloud sharing is safe	Owner names and sharing history remain
Removal request destinations are always safe	You may provide additional information for identity verification
You can tell any consultation contact anything	Look at the actor's reliability and confidentiality

When you are conscious of where trust is placed, tool selection becomes more realistic.

Think of trust in stages

In a trust model, do not treat an actor as only trusted or not trusted.

Think in stages about which information may be visible, which information you do not want to show, which actors can receive legal demands, and which actors can make operational mistakes.

Stage	What to think about
Low trust	Give as little information as possible
Limited trust	Give only necessary information
Operational trust	Entrust part of it to use the service
Trust including legal risk	Consider jurisdiction and disclosure demands
Human trust	Look at the confidentiality of consultation contacts or recipients

For anonymity, being aware of where you place trust is more important than making trust zero.

Review the trust model

A trust model is not something you decide once and finish.

Service terms, logging policies, operators, app specifications, and the countries or regions you use can change. If you continue anonymous activity, periodically review the VPN, email, cloud, submission destinations, and consultation contacts you use.

What to review	Reason
Logging policy	The information stored may change
Operator	The business operator or jurisdiction may change
App specifications	Leaked information or permissions change
Payment method	Correlation with real-name information changes
Consultation contact	Check confidentiality and safety

A trust model is related not only to service selection, but also to choosing consultation contacts.

For removal requests, legal consultations, news tips, and consultations with support organizations, check what information the other party receives, how they store it, and whom they share it with.

How to read tool introductions

When reading articles about VPNs, Tor, cloud services, or anonymous submission tools, always check the trust model.

What does the tool hide? Who can see what? How far do you trust the operator? Do logins or post content remain? If you choose based only on "recommended" without looking at this, your purpose and countermeasure will drift apart.

Question when reading	Reason
What changes?	Understand the tool's effect
What remains?	Avoid overtrusting it
Whom do you trust?	Understand where trust moves
How are logs handled?	Think about later matching
Does it fit your purpose?	Avoid too much or too little

A trust model also becomes a checking axis when reading articles.

Summary

A trust model is a way to organize whom you trust and what that actor can see.

Anonymity tools often do not erase information completely, but change who can see it.

With a VPN, the VPN provider becomes a new point of trust. With Tor, trust is distributed across multiple nodes. Cloud services and anonymous posting destinations also involve trust in the provider or operator.

For anonymity, check not the tool name, but where trust moves.

Related tools

Public IP Check

WhatIsMyIP

An external resource related to this article. Open it only when it fits your situation and threat model.