Who is at Risk?
In any privacy scenario, we must first identify the individuals whose privacy could be compromised. These individuals can be grouped into distinct roles based on their relationship to a product, service, or process.
First-Party Consumer
First-Party Provider
Other Party
Bystander
High-Risk Sub-Populations
Certain groups may be more susceptible to privacy harms due to historical, social, or personal circumstances. Understanding these sensitivities is crucial for effective privacy design.
Who Poses a Threat?
A threat actor is any party that interacts with an individual or their information and therefore represents a potential privacy threat. It's important to distinguish between an actor's inherent abilities (capability) and their situational advantages (capacity).
Capability
The skills and resources at an actor's disposal. This is about what they *can* do. For example, a hacker trained in penetrating systems has high capability.
Capacity
The affordances or opportunities an actor has due to their position. This is about what they are *positioned* to do. For example, an employee has greater capacity to harm their company's systems than an outsider.
Threat Actor Motives vs. Capabilities
Threat actors have different motivations and varying levels of skill and resources. This table illustrates different scenarios based on the actor's motive and capability.
| Motive | Capability | Scenario |
|---|---|---|
| Make Money | Less Capable | An amateur cyber-criminal accesses your email to blackmail you. |
| Make Money | More Capable | Organized criminals use their resources to blackmail people. |
| Enforce the Law | Less Capable | Local police use a fingerprint found at a crime scene to identify you. |
| Enforce the Law | More Capable | The Federal Bureau of Investigation uses greater resources at its disposal. |
| Inflict Harm | Less Capable | A lover posts nude photos of you on the internet. |
| Inflict Harm | More Capable | A tech-savvy lover knows where to post photos for maximum exposure. |
| Careless Disregard | Less Capable | A friend not on social media inadvertently discloses your gambling habit. |
| Careless Disregard | More Capable | A social "super-node" friend with a large network increases the harm of disclosure. |
Categorizing Threat Actors
Threat actors can be broadly categorized into groups based on their nature and typical motivations. Their capabilities can range from amateur to superpower levels within each category.
People
Motives: Revenge, money, spite, control, curiosity.
Capability Levels: Amateur, Professional, Crowd/Mob
Organizations
Motives: Money, competitive advantage, social agenda.
Capability Levels: Small, Medium, Large, Multinational, FAAMG
Governments
Motives: Law enforcement, espionage, control, public safety, repression.
Capability Levels: Local, Regional, Nation State, Superpower
Who Else is Involved?
Beyond those at risk and those posing a direct threat, a third group of actors can influence the privacy landscape. These actors may not be the source of a threat themselves but play a significant role in enabling, controlling, or being indirectly involved in privacy events.
Influencers & Controllers
These actors have control over another actor. For example, employers can institute controls over employees, and regulators (like the FTC) can restrict corporate behavior.
Proxies
A proxy is anyone who may be a repository of information about, or have influence over, an individual. This includes friends and family members who might inadvertently reveal information.
Recipients of Information
These are passive recipients who may not be threat actors themselves. For example, if a disgruntled employee posts private personnel records, members of the public may read them and be judgmental, but they are not the primary threat actor.