Episode 14 — Model Privacy Threats the Right Way with LINDDUN
In this episode, we’re going to make privacy threat modeling feel approachable by giving you a clean, repeatable way to look at a system and ask what could go wrong for people, not just what could go wrong for servers. Many beginners hear threat modeling and immediately imagine advanced attackers, complicated diagrams, and security-only thinking, which can make the topic feel like it belongs to someone else. Privacy threat modeling is different because the “threat” is often a harmful information flow, an unexpected inference, or a misuse path that exists even when the system is technically secure. The framework we’ll use is Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance (L I N D D U N), and the value of it is that it gives you a structured set of lenses you can apply to almost any processing scenario. When you can apply those lenses calmly, you stop relying on intuition and start spotting privacy risks early, while changes are still cheap. That is exactly the kind of disciplined reasoning the Certified Information Privacy Technologist (C I P T) exam is designed to reward.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
A strong way to understand L I N D D U N is to see it as a checklist of privacy failure patterns that tend to appear whenever personal data is collected, processed, shared, or stored. Instead of starting with a vague fear that something might be risky, you start with a known category and ask whether that category shows up in your system’s design. This matters because privacy risk is often subtle, and subtle risks are easy to miss when you only think in terms of obvious breaches. A privacy design can be perfectly functional and still create harm by enabling unwanted linking, exposing identity, revealing behavior, or hiding processing from the very people it affects. L I N D D U N keeps your attention on the kinds of harms that privacy programs care about, including user trust, fairness, and accountability, not only technical compromise. Another benefit is that it encourages you to reason about controls in the right place, meaning you look for design changes that reduce risk at the source rather than relying on after-the-fact fixes. When you practice it, L I N D D U N becomes a disciplined habit rather than a one-time exercise.
To model threats the right way, you need to anchor L I N D D U N to a picture of how data moves through a system, because privacy threats are usually about flows and transformations. You don’t need fancy tooling to do this, but you do need to be able to describe where data is collected, where it is stored, which services process it, which people or systems access it, and where it is shared. Beginners often focus only on the primary database, but privacy risk is frequently created by secondary paths like logs, analytics pipelines, support exports, and vendor integrations. If you don’t include those paths in your mental model, you will model threats for a simplified system that doesn’t exist in real life. When you have a realistic flow in mind, each L I N D D U N category becomes a set of questions you can ask at each point in the flow. You are essentially walking alongside the data and checking whether the system’s design preserves appropriate boundaries. This flow-first approach also helps you connect the results to real engineering moves, because controls usually attach to collection points, interfaces, storage layers, and sharing boundaries.
A beginner misunderstanding worth correcting early is that privacy threat modeling is the same thing as security threat modeling with different vocabulary. Security threat modeling often prioritizes preventing unauthorized access and protecting integrity and availability, which are essential, but privacy threat modeling also cares about whether authorized processing itself creates harm. For example, a system can have strong authentication and encryption and still be privacy-problematic if it collects more than needed, retains data too long, or enables broad internal access for purposes users would not expect. Privacy threats can also appear when the system supports inferences that weren’t obvious at collection time, like predicting sensitive traits from behavioral data. L I N D D U N explicitly pushes you to examine those subtler harms, such as linkability across contexts or detectability of a user’s actions. This matters for exam scenarios because many questions will describe a system that is “secure” in a basic sense but still fails privacy expectations and obligations. If you treat privacy as just another word for security, you will pick answers that strengthen technical controls but miss the core privacy failure. L I N D D U N helps you locate the privacy failure precisely.
Linkability is the first lens, and it is one of the most common sources of privacy harm because it quietly turns small pieces of data into a coherent portrait of a person’s life. Linkability exists when separate actions, records, or datasets can be connected to each other, even if a direct name is not present, and the ability to link can grow over time as more data accumulates. A simple example is a stable user identifier that appears in many logs and events, allowing anyone with access to those logs to track behavior across sessions, features, or even products. Another example is using the same identifier with multiple vendors, which can enable cross-service profiling even if each vendor only sees part of the picture. The risk is not just exposure; it is the ability to reconstruct behavior patterns that people did not expect to be connected. Mitigations often focus on reducing stable identifiers, using scoped tokens that change by context, separating datasets by purpose, and limiting retention so long-term linking is harder. When you test for linkability, you are really asking whether the system allows a trail to be assembled that exceeds what the context justifies.
Identifiability is closely related but distinct, because identifiability is about whether data can be tied back to a specific individual, either directly or through reasonable effort. Beginners sometimes assume that removing names makes data non-identifiable, but identifiers are broader than names and can include account IDs, device IDs, contact details, and combinations of attributes that uniquely point to a person. Identifiability also depends on the environment, because data that seems anonymous in one setting might be easily identifiable when combined with another dataset or when the population is small. In many processing scenarios, identifiability is necessary to provide a service, like delivering a purchase or showing a personalized dashboard, but the privacy risk comes from how widely that identifiable data is exposed and how long it persists. Mitigations include collecting less identifying data, de-linking identity from event streams when full identity isn’t needed, using pseudonymous identifiers with strong access control, and avoiding sharing identifiable fields with vendors unless it is truly necessary. When you apply this lens, you are asking whether identity exposure is proportional to purpose, and whether the system design prevents casual re-identification.
Non-repudiation can sound abstract to beginners because the word itself feels formal, but the underlying idea is simple: it’s about whether the system creates records that make it hard for someone to deny an action later. In security and commerce, non-repudiation can be a positive feature, like proving a transaction occurred, but in privacy, it can become a threat when it creates permanent evidence of behavior that a person reasonably expects to remain less provable. For example, a system might log every user action with a strong identity link and keep those logs for a very long time, making it possible to prove sensitive behaviors such as viewing certain content, visiting certain locations, or interacting with certain people. The privacy risk is that such proof can be misused, demanded, or exposed, even if the system never intended harm. Mitigations often include minimizing what is logged, separating audit needs from behavioral tracking, limiting retention, and applying strict access controls to logs so only legitimate investigations can view them. When you evaluate non-repudiation as a privacy threat, you are balancing accountability needs against creating permanent, identity-bound footprints.
Detectability is about whether an observer can tell that a particular action, event, or state exists, even if they can’t see the content itself. This is a subtle but important privacy issue because people can be harmed by the fact that something happened, not only by the details of what happened. For example, even if messages are encrypted, metadata can reveal who communicated, when they communicated, and how often, which can be sensitive in many contexts. In a healthcare-like setting, the fact that a user accessed a certain feature could reveal something about their health concerns, even if the content is hidden. Detectability can also appear inside organizations, such as when internal dashboards show that a specific user triggered an alert or used a certain option, creating unnecessary visibility. Mitigations include reducing exposure of event metadata, using aggregation where precise events are not needed, controlling access to activity logs, and designing interfaces so sensitive actions are not broadcast unnecessarily. When you apply the detectability lens, you’re asking whether the system reveals behavioral signals beyond what is necessary for operation and support.
Disclosure of information is the category most beginners recognize immediately because it aligns with the familiar idea of data leaks and unauthorized exposure. However, L I N D D U N encourages you to define disclosure broadly enough to include both accidental and structural disclosure, because many privacy disclosures happen through normal product behavior. A profile page might expose too much by default, a search feature might allow enumeration, or a support export might include more fields than the recipient needs. Disclosure can also happen through third parties if data is shared widely and then reused or exposed outside the original scope. In cloud environments, disclosure risks can come from misconfigurations, overly permissive access roles, and inadequate segregation between environments, which can allow sensitive data to surface in places it shouldn’t. Mitigations include least privilege, strong authorization checks on every data access path, minimizing outputs, encrypting data appropriately, and ensuring monitoring catches unusual access patterns quickly. When you model disclosure threats, you’re not only asking whether attackers can steal data, but whether the system design leaks data through its normal interfaces.
Unawareness is a privacy threat category that is easy to overlook because it doesn’t look like an attack, but it is deeply tied to user trust and to the fairness of processing. Unawareness exists when individuals do not understand what data is being collected, how it is used, who receives it, or what choices they have, and that lack of understanding prevents meaningful consent or informed participation. A system can be technically well-protected and still create privacy harm if users are surprised by processing, because surprise is often a sign of a broken expectation. Unawareness can be caused by unclear notices, buried explanations, confusing settings, or choices that don’t function the way they appear to function. It can also be caused by downstream uses that were never surfaced at the decision point, such as secondary analytics, broad sharing, or sensitive inference. Mitigations include clear, timely transparency in the user experience, meaningful choices that map to real processing changes, and ongoing communication when processing changes materially. When you apply this lens, you’re asking whether the system enables understanding, not whether it merely contains a legal document somewhere.
Non-compliance in L I N D D U N refers to failures to meet legal, contractual, or policy obligations, and while that can sound like a legal-only topic, it is highly practical for privacy technologists because non-compliance often results from system design gaps. If a policy promises deletion within a certain time frame but the architecture cannot propagate deletions into analytics stores or vendor systems, you have a non-compliance threat that is caused by technical constraints. If a notice promises opt-out but preference signals are not enforced downstream, that is another non-compliance risk that can become a real-world incident when users complain or regulators ask questions. Non-compliance also includes failures of accountability, such as missing records of processing, unclear ownership of approvals, or weak incident response documentation. Mitigations include aligning system capabilities to obligations, building workflows that fulfill rights requests reliably, maintaining accurate inventories of data flows and vendors, and collecting evidence that controls are functioning. When you apply this lens, you are connecting the system’s operational reality to the commitments the organization has made, which is a core skill in the C I P T role.
After you understand the categories, the “right way” to model privacy threats is to avoid treating L I N D D U N as a word-matching exercise and instead treat it as a disciplined conversation between the data flow and the harm pattern. Beginners sometimes try to force every category onto every component, which can create fatigue and make the exercise feel pointless. A better approach is to focus on the categories that are plausible for a given flow and to capture why they are plausible in plain language. For example, a component that stores user activity histories might raise linkability, non-repudiation, detectability, and disclosure concerns, while a consent settings interface might raise unawareness and non-compliance concerns. The goal is not to produce the maximum number of findings; the goal is to produce the most meaningful findings that lead to actionable mitigations. This also means you should be careful about false reassurance, like assuming encryption eliminates disclosure risk across all paths or assuming de-identification eliminates linkability. L I N D D U N works best when you remain skeptical and concrete, always tying your concern to a specific flow and a specific harm.
Mitigation selection is where L I N D D U N becomes truly valuable, because it pushes you to choose controls that match the privacy threat category rather than defaulting to the same control every time. If the threat is linkability, a good mitigation often involves changing identifiers, separating contexts, and limiting retention, because those directly reduce the ability to connect events over time. If the threat is identifiability, a good mitigation often involves reducing identifying fields, restricting access, and preventing unnecessary sharing, because those reduce identity exposure. If the threat is non-repudiation, a good mitigation can be reducing detailed identity-bound logging or tightening log access and retention, because that reduces durable proof of behavior. If the threat is detectability, mitigation can involve aggregation or limiting metadata visibility, because that reduces the ability to observe actions. If the threat is disclosure, mitigation can be authorization, minimization, and monitoring, because those prevent leaks and detect misuse. If the threat is unawareness, mitigation is transparency and meaningful control, because those restore informed participation. If the threat is non-compliance, mitigation is aligning capabilities and evidence to obligations, because that makes promises enforceable.
A crucial part of modeling threats correctly is integrating it into how systems are built and operated so it happens early and stays current, rather than being a one-time exercise performed right before release. In cloud-centric environments, changes happen frequently, and privacy risk can drift as new services, new logs, and new vendor integrations are added. If threat modeling is only performed once, it quickly becomes stale, and the program starts relying on outdated assumptions about data flows. A smarter pattern is to trigger privacy threat modeling when key changes occur, such as introducing a new data category, expanding sharing, altering retention, or adding a new analytics capability. This ties directly into privacy operations, because change intake and review are the mechanisms that surface those triggers. The exam often rewards answers that strengthen these operational loops, because they prevent blind spots from forming. When you treat L I N D D U N as part of routine governance rather than a special event, you turn it into a living safeguard that scales with system change.
From an exam perspective, one of the biggest advantages of L I N D D U N is that it gives you a structured way to interpret scenario questions that might otherwise feel subjective. When a scenario describes a new data use, you can ask whether it increases linkability or identifiability, whether it creates new detectability signals, whether it increases disclosure surface, and whether it introduces unawareness through unclear communication. When a scenario describes a logging change, you can ask whether it increases non-repudiation risk or expands disclosure surface, and whether retention creates unnecessary long-term harm. When a scenario describes a rights request workflow, you can ask whether non-compliance risk exists due to missing propagation and evidence. This structure helps you eliminate answer choices that treat privacy as an afterthought and favor choices that address the right harm category at the right point in the flow. It also keeps your reasoning consistent across different contexts, which is essential because exam questions will vary the story while testing the same underlying patterns. Consistency is what turns knowledge into points.
When you can model privacy threats the right way with L I N D D U N, you gain a practical method for finding privacy risks early, describing them clearly, and selecting mitigations that actually reduce harm rather than merely sounding responsible. The framework matters because it keeps your attention on the privacy-specific failure modes that are easy to miss when you focus only on confidentiality and security mechanics. By grounding your analysis in real data flows, you avoid the trap of modeling an imaginary system that’s cleaner than the one you actually operate. By distinguishing linkability from identifiability and detectability from disclosure, you become more precise about what risk exists and what control will help. By including unawareness and non-compliance, you connect technical behavior to user trust and accountability, which is the heart of privacy technology work. For the Certified Information Privacy Technologist (C I P T) exam, that integrated thinking is exactly what you want, because it helps you choose the best action in a scenario even when the wording is unfamiliar. With practice, L I N D D U N stops being a mnemonic and becomes a reliable way of thinking that protects people and strengthens systems.
