Are you on a device or network the person can see?

If they might be able to see this device, use one they can’t access — a friend’s phone, a library or public computer, or a domestic-violence shelter’s safe device. If you continue here, your visit may be visible on a synced iCloud, Google account, or shared family plan.

The Quick Exit button(top right) replaces this page with weather.com immediately — but it does noterase this visit from your history, and private/incognito mode doesn’t fully hide it either. To be safe, use a device the person can’t access.

If you’re in immediate danger, call 911. If you have a few quiet minutes, keep reading.

National Domestic Violence Hotline: 1-800-799-7233 · text START to 88788 · thehotline.org — 24/7, free, confidential.

988 Suicide & Crisis Lifeline: call or text 988 · 988lifeline.org — free, confidential crisis and emotional support, 24/7.

NNEDV Safety Net: techsafety.org — technology-safety help for survivors.

You cannot defend against everything, and trying to leaves you exhausted and no safer. Threat modeling, in the EFF’s framing, is just answering five plain questions about a specific story or beat — and then doing the few things the answers point to. It is a half-hour of thinking that prevents a lot of wasted worry.

The five questions

What do you want to protect?Your sources’ identities, your unpublished material, your locations, your communications — name the specific assets, not “everything.”
Who do you want to protect it from? A petty harasser, a corporate legal team, organized crime, and a state intelligence service call for very different responses. Be specific about your adversary.
How bad is it if you fail? An embarrassing leak and a source going to prison are not the same stakes. The consequence sets how much effort is justified.
How likely is it that you’ll need to protect it? Separate the dramatic-but-rare from the boring-but-common. For most reporters, phishing and account takeover are far likelier than mercenary spyware.
How much trouble are you willing to go through?A plan you won’t actually follow protects no one. Pick measures you will keep up.

Turn answers into action

The point is to right-size your effort. A reporter facing harassment and account takeover should prioritize strong, phishing-resistant account protection and good backups. A reporter on a national-security beat who could plausibly be targeted by state-grade tools should add device hardening like Apple Lockdown Mode and stricter source-contact discipline. Same questions, different answers.

Revisit it

A threat model is a snapshot, not a one-time ritual. A new beat, a hostile legal threat, travel to a higher-risk place, or a sensitive new source all change the answers. Redo the five questions whenever the situation shifts — it takes minutes.

Build the plan with help

You do not have to do this alone. The free helplines in the sources below will work through a plan with you, and our digital security for journalists guide covers the hardening steps a model usually points to. If a model surfaces a real suspected compromise, move to checking the device carefully.

Primary sources

Electronic Frontier Foundation, Surveillance Self-Defense — Your Security Plan (the threat-model framework). https://ssd.eff.org/module/your-security-plan

Committee to Protect Journalists (CPJ), Digital Safety Kit — assessing risk before an assignment. https://cpj.org/2019/07/digital-safety-kit-journalists/

Access Now, Digital Security Helpline — free help building a plan that fits your risk. https://www.accessnow.org/help/

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 15 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response