References: Your starting point: write down what you're protecting and from whom

Citations in this lesson are accurate as of the capture date noted on each source. Vendor privacy policies and architectural details may have changed since capture. For current information, follow the linked sources to the live document.

Source material

Source material:
• Electronic Frontier Foundation (EFF)
  "Your Security Plan" (Surveillance Self-Defense)
  https://ssd.eff.org/module/your-security-plan
  License: Creative Commons Attribution (CC BY)

This lesson is original Clawdemy authorship. The two-question seed-paragraph
exercise, the four asset buckets, the five adversary categories, the three
pitfalls, and the no-helplessness recovery tactics are original editorial work.
The lesson draws on EFF Surveillance Self-Defense as background research and
for the verbatim quotes attributed in the lesson body (the "impractical and
exhausting" framing, the asset and adversary definitions). All rights to the
original EFF SSD publication remain with the Electronic Frontier Foundation.
EFF SSD is published under Creative Commons Attribution (CC BY).

Going deeper

A short list of durable resources for readers who want more than the lesson covers.

• EFF Surveillance Self-Defense: “Your Security Plan”. The primary source for this lesson. EFF’s plain-language guide to building a personal security plan around six questions. The lesson uses just the first two (assets and adversaries); the full guide covers four more: how bad are the consequences if you fail, how likely is the threat, how much trouble you are willing to go through to prevent it, and who your allies are. Reading the full guide is the natural next step before Phase 6 of this track builds your complete personal privacy plan.

• EFF Surveillance Self-Defense: persona scenario guides. EFF SSD publishes worked-example scenario guides for specific reader situations, including “Activist or protester?”, “Journalist on the move?”, and “Online security veteran?” These are available from the SSD index. They are useful for readers who want to see how someone in a different situation applies the same two questions (assets and adversaries) to a specific life context. The activist and journalist scenarios in particular illustrate how two different adversary sets produce different priority orderings even when the underlying framework is identical. The lesson’s Common pitfalls section warns against borrowing a journalist’s threat model; reading the actual journalist scenario helps you understand what is different about it.

• EFF Surveillance Self-Defense index. The full SSD catalog. Covers specific tools (secure messaging, password managers, encrypted storage) that this track does not teach at a tool level. If your seed paragraph surfaces a specific adversary category the lesson does not address in depth (for example, targeted surveillance or law enforcement access), the SSD index is where to find the relevant module.

Source limitations

These sources are good. Naming what they are weaker on helps you use them well.

EFF Surveillance Self-Defense (“Your Security Plan” and the scenario guides): EFF SSD is an advocacy-organization guide maintained by EFF’s own team on their own publication cadence, typically updated annually or as circumstances change. The six-question framework it introduces is EFF’s pedagogy for personal threat modeling; it is a well-considered, widely-used approach, not a universal or formally standardized threat-modeling methodology. Other frameworks exist (enterprise threat-modeling standards, for example) that would produce a different vocabulary for the same underlying problem. The lesson presents the EFF framework as one strong, practical approach for non-technical readers, not as the only valid one.

EFF SSD is written primarily for a U.S. reader. The adversary examples it includes (law enforcement, government agencies) reflect U.S. legal and institutional contexts. The core concepts (assets, adversaries, consequences) are jurisdiction-neutral and apply broadly; the specific worked examples and legal commentary are less portable to EU, UK, or other contexts. Readers outside the U.S. should treat the framework as fully applicable and the jurisdiction-specific examples as illustrative only.

The lesson draws on a captured copy of the SSD “Your Security Plan” module (Doc/research/privacy-sources/raw/independents/eff-ssd-your-security-plan.html, captured 2026-05-15; the SSD page’s own footer indicated October 2023 as the last substantive revision date at capture time). A major revision to the SSD framework after capture (for example, a restructuring of the six questions or a change to the asset-and-adversary vocabulary) could shift the framing the lesson cites in ways the 6-month review cadence would not catch immediately. If you notice the lesson’s vocabulary diverges from the current SSD text, that divergence is worth reporting.

Adjacent lessons

Topics this lesson connects to in the rest of the track.

• Lesson 1.1: Why your worry is rational. The previous lesson. Named the three worries (surveillance, storage and leak risk, vendor lock-in) that this lesson gives an address. The seed paragraph you write here is the personalization of those three worries into your own situation.

• Phase 3: Threat models in plain language. The phase that formalizes the vocabulary this lesson introduces informally. After Phase 3, you will have a four-category vocabulary for the threats (vendor retention, training-data inclusion, breach exposure, and government subpoena / bulk surveillance) with distinct defenses for each. The adversary list from your seed paragraph becomes the input to that more formal categorization.

• Phase 4: The five-question vendor rubric. Gives you a ten-minute repeatable check for any AI tool. The assets in your seed paragraph tell you which rubric questions matter most in your situation.

• Lesson 6.6: Your complete privacy plan. The final lesson in this track. Returns to the seed paragraph you write here and grows it into a full personal privacy plan informed by everything the track has taught. The first paragraph is the seed; the final plan is the harvest.