LINDDUN Privacy Threat Modeling

To increase your digital privacy, you should first create your threat model, an identification of the potential threats you face. Each person’s threat model is unique. You can then plan how to mitigate those threats. LINDDUN is one privacy threat modeling framework.

Photo by Tim Mossholder on Unsplash

LINDDUN Methodology

1. Model the system. Map out the digital systems you interact with, including users or third party services, data stores, processes, and data flows (indicating how the information is propagated through the system).
2. Elicit threats. Analyze each element in the model you created, identifying the privacy threats present in each of the 7 threat categories (see below).
3. Manage threats. Prioritize the threats, then decide specifically what privacy-enhancing techniques and tools you’ll use to mitigate them.

LINDDUN Threat Categories

LINDDUN is an acronym of the 7 threat categories.

• Linkability: Adversary is able to link 2 items of interest without knowing your identity.
• Identifiability: Adversary is able to identify you out of a group of people by using an item of interest.
• Non-repudiation: You’re unable to deny a claim (e.g., that you performed an action, or sent a request).
• Detectability: Adversary is able to distinguish whether an item of interest about you exists or not, regardless of being able to read the contents itself.
• Disclosure of information: Adversary is able to learn the content of an item of interest about you.
• Unawareness: You’re unaware of the collection, processing, storage, or sharing activities of the your personal data.
• Non-compliance: Processing, storage, or handling of personal data is not compliant with legislation, regulation, and/or policy.

Additional Resources

LINDDUN | LINDDUN