Privacy Threat Model

A systematic process for identifying, classifying, and evaluating potential privacy risks that a technology system may pose to its users. Privacy threat modeling extends security-focused frameworks (like Microsoft's STRIDE) to address privacy-specific concerns. The LINDDUN framework, commonly used for privacy threat modeling, identifies six categories of threats: Linkability (connecting data to other information), Identifiability (revealing user identity), Non-repudiation (eliminating plausible deniability), Detectability (discovering that a user exists or uses a system), Disclosure of information (unauthorized data release), Unawareness (users not understanding data collection), and Non-compliance (violating privacy regulations). For assistive technology, privacy threat modeling is especially important because AT data often reveals health conditions, disability status, and changes in ability — information that could affect employment, insurance, and social relationships if exposed — yet this data typically falls outside healthcare privacy protections like HIPAA.