Tor Privacy Tools

Building Your Threat Model for Tor Usage

A threat model is the foundation of all security decisions. Without one, you are either over-protecting against irrelevant threats or under-protecting against real ones. This guide walks you through building a personal threat model for Tor usage: identifying who your adversaries are, what they can do, what you are protecting, and which tools and practices address your specific risks.


What Is a Threat Model and Why You Need One

A threat model answers four questions: What am I protecting? Who am I protecting it from? How likely is a threat? What are the consequences if protection fails? The answers determine which tools you use, how much effort you invest in OPSEC, and where you can reasonably accept risk.

Without a threat model, people either do too little (using Tor Browser but logging into their real Facebook account) or too much (using Tails on an air-gapped computer to browse cooking recipes). Both extremes are counterproductive — the first provides false confidence, and the second creates friction that leads to abandoning security practices entirely.

Your threat model is personal and contextual. A journalist in a democratic country has different threats than an activist in an authoritarian regime. A whistleblower has different threats than someone who simply wants to avoid targeted advertising. Build your model based on your specific situation, not on generic advice.

Identifying Your Adversaries and Their Capabilities

Casual observers (low capability): Your ISP, Wi-Fi network operator, employer, or family members. They can see that you use Tor but cannot see what you do on Tor. Connecting to a VPN before Tor hides even the fact that you use Tor from them. Most people's primary adversary is at this level.

Targeted corporate surveillance (medium capability): Advertising networks, data brokers, and social media platforms. They use browser fingerprinting, tracking cookies, and behavioral analysis to identify and profile users. Tor Browser resists these techniques, but logging into accounts tied to your real identity defeats all protection.

State-level adversaries (high capability): Intelligence agencies and well-funded law enforcement. They can operate Tor relays, perform traffic analysis, issue legal orders to service providers, and use zero-day exploits against Tor Browser. Defending against state-level adversaries requires Tails or Whonix, strict OPSEC, and compartmentalized identities.

Global passive adversaries (maximum capability): Entities that can monitor large portions of internet traffic simultaneously (NSA, GCHQ). Tor's design explicitly states it cannot protect against a global passive adversary. Defend against this level by reducing the volume and predictability of your Tor traffic, using VPN + Tor, and varying connection patterns.

Matching Tools to Threat Levels

Low threat (privacy from ISP and advertisers): Tor Browser on your regular OS is sufficient. Use a VPN before Tor if hiding Tor usage from your ISP matters. Use privacy search engines like DuckDuckGo and avoid logging into personal accounts.

Medium threat (avoiding corporate or local government surveillance): Use Tor Browser with strict security settings. Consider Whonix for VM-based Tor routing. Use KeePassXC for passwords, ProtonMail over Tor for email, and Signal with Tor proxy for messaging. Never mix anonymous and personal identities on the same device.

High threat (targeted by state adversaries): Use Tails exclusively for all sensitive activities. Communicate through Briar or Ricochet. Use Monero for all financial transactions. Access the internet only from public Wi-Fi locations that you do not regularly visit. Assume your home network and personal devices are compromised. Combine VPN + Tor for every session.

Maximum threat (imminent physical danger): All of the above, plus: use air-gapped computers for document handling, communicate only through dead drops or in-person meetings, and have a plan for secure device destruction. At this level, consult with professional security trainers rather than relying on online guides.
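
A worked version of the four questions and the level matching above, as an added example that is not part of the original guide. The 1 to 3 scoring scales, the risk threshold, and the sample entries are assumptions constructed for illustration; only the four level names come from the guide.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "maximum"]  # the guide's capability labels

@dataclass
class Threat:
    asset: str        # what am I protecting?
    adversary: str    # who am I protecting it from?
    capability: str   # one of LEVELS, per the guide's adversary tiers
    likelihood: int   # 1 (unlikely) .. 3 (expected); constructed scale
    consequence: int  # 1 (annoyance) .. 3 (severe harm); constructed scale

# Assumption: a threat drives tool choice only when likelihood * consequence
# reaches this value. Pick the cut-off that fits your own situation.
RISK_THRESHOLD = 4

def required_level(threats):
    """Highest adversary capability among threats that clear the threshold."""
    relevant = [t for t in threats
                if t.likelihood * t.consequence >= RISK_THRESHOLD]
    if not relevant:
        return "low"
    return max(relevant, key=lambda t: LEVELS.index(t.capability)).capability

def assess(threats, current_level):
    """Compare the level you currently practise with the level the model needs."""
    need = LEVELS.index(required_level(threats))
    have = LEVELS.index(current_level)
    if have < need:
        return "under-protected"
    if have > need:
        return "over-protected"
    return "matched"

# Constructed sample: a reader whose main concern is advertising profiling.
SAMPLE = [
    Threat("browsing history", "ISP", "low", 3, 2),
    Threat("browsing history", "ad networks", "medium", 3, 2),
    Threat("identity", "intelligence agency", "high", 1, 3),  # unlikely here
]

if __name__ == "__main__":
    print(required_level(SAMPLE))       # level the sample model calls for
    print(assess(SAMPLE, "maximum"))    # the friction case the guide warns about
    print(assess(SAMPLE, "low"))        # the false-confidence case
```

Raising the likelihood of the third entry to 2 moves the required level to "high", which shows how one changed answer reshapes the whole tool selection.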

Infrastructure That Matches Your Threat Model — AnubizHost

Your threat model must extend to your infrastructure. If you host services, your hosting provider is part of your attack surface. AnubizHost provides offshore VPS hosting in Iceland, Romania, and Finland — jurisdictions chosen specifically for their strong privacy laws and resistance to foreign government pressure.

For low-to-medium threat models, our standard VPS plans with cryptocurrency payment provide strong anonymity. For high threat models, deploy your services as Tor hidden services on our infrastructure, paid with Monero, with no KYC or identity verification at any point.

AnubizHost offers full root access, NVMe SSD storage, and enterprise-grade DDoS protection. Match your infrastructure to your threat model without compromise. No identity paper trail, no cooperation with foreign governments, no data sharing. Explore our Tor hosting plans today.
