Your starting point: write down what you're protecting and from whom

The previous lesson named three worries that apply to anyone using any AI tool: surveillance, storage and leak risk, and vendor lock-in. The worries are real and they are nameable. They are also generic. They do not yet apply to you, in your job, with your students or your clients or your family.

This lesson gives the worries an address. The exercise is short: one paragraph, in your own words, answering two questions: “What am I protecting?” and “Who am I protecting it from?” That paragraph is the starting point everything else in the track stacks on top of. It is the smallest possible artifact that turns the worries into something you can actually act on.

The lesson walks through what goes in the paragraph, where most readers tend to overshoot, and how to keep this seed sentence safe so it stays useful.

You, if you finished the previous lesson and now want to make the three worries specific to your own situation. The lesson uses the same example as the previous one, a teacher named Aisha, so the continuity is built in.

If you skipped the previous lesson, you can still get value from this one, but reading it first will give you the three worries this lesson personalizes.

By the end of this lesson you will be able to:

  • Write a short paragraph (five sentences or fewer) naming what you are protecting and from whom, in your own real situation
  • Tell the difference between the cloud answer (“my data”) and a list of specific things (“student names, my district login, draft progress reports with parent contact information”)
  • Identify which of four asset buckets apply to you: information about other people in your care, information about yourself you have reason to keep close, credentials and account access, and original work in progress
  • Name the relevant adversaries (the vendor, whoever the vendor shares with, whoever might breach the vendor, people with shared access, and yourself in a moment of inattention) and cross out the ones that do not actually apply to your situation
  • Avoid the three pitfalls most readers fall into: writing someone else’s threat model, listing assets you do not actually have, and treating the paragraph as final

These are things you can do, not just things to know. The goal is that you write the paragraph today, even imperfectly, because a written paragraph beats an imagined one.

The lesson reads in about 12 minutes. The writing exercise that follows it takes 10 to 15 minutes.

This is the second and final lesson in the first part of the Privacy and Local-First AI track. After this lesson, the track moves from naming and personalizing your worries to understanding the systems behind them: what an AI tool actually sees when you use it, what could go wrong, how to read a vendor’s privacy posture, and what architectural alternatives exist.

The paragraph you write here is the seed. The final lesson in the track returns to it and grows it into a complete personal privacy plan, informed by everything in between.

This lesson draws on:

  • Electronic Frontier Foundation Surveillance Self-Defense (“Your Security Plan” module, Creative Commons Attribution). The two-question framing in this lesson is adapted from EFF’s plain-language guide to personal threat modeling. The full guide is widely used by journalists, activists, and security-conscious individuals.

Full annotated source list and notes on the source’s strengths and limits are on the References tab.