The Internet Engineering Task Force (IETF) requires consideration of security threats, and has a process to threat model focused on their organizational needs. As of 2013, they sometimes require consideration of privacy threats. An informational RFC Privacy Consideration for Internet Protocols, outlines a set of security-privacy threats, a set of pure privacy threats, and offers a set of mitigations.
The combined security-privacy threats are as follows:
- Surveillance
- Stored data compromise
- Mis-attribution or intrusion (in the sense of unsolicited messages and denial-of-service attacks, rather than break-ins)
The privacy-specific threats are as follows:
- Correlation
- Identification
- Secondary use
- Disclosure
- Exclusion
(users are unaware of the data that others may be collecting). Each is considered in detail in the RFC. The set of mitigations includes data minimization, anonymity, pseudonymity, identity confi dentiality, user participation and security.
While somewhat specific to the design of network protocols, the document is clear, free, and likely a useful tool for those attempting to threat model privacy.