Adversaries

Every well-tended garden has uninvited guests. Some chew at the edges, some uproot your hard work entirely, and others simply trample through with a clipboard and bad intentions. In the lush digital greenery of your life, these are the people rooting around your personal data, intentionally or not. Knowing them helps you decide when to prune, when to compost, and when to build a very large wall.

Data scientists

Armed with Python and plausible deniability.

Not all adversaries come in hoodies. Some wear lanyards and call it “insight.” With access to mountains of data, data scientists build models that can de-anonymise individuals faster than you can say “training set.”

Telltale behaviours:

  • Linking datasets that were “totally anonymised, promise.”

  • Identifying patterns in how you walk, type, or browse.

  • Blaming the algorithm when things get creepy.

Advertising ecosystems

The hydra of your browsing history.

Online ads are not just about persuading you to buy trainers. Behind the banners is a vast network of trackers, bidders, data sharers, and shadowy observers. Your clicks are currency.

Garden crimes include:

  • Real-Time Bidding (RTB) that leaks metadata faster than a gossiping robin.

  • Behavioural profiling from innocent-seeming interactions.

  • Tracking even when you do not click: just loading the page is enough.

Data brokers

Your life, sliced, diced, and monetised.

Data brokers love a messy garden. They hoover up the data trails you did not know you left behind: searches, purchases, movements, and moods, and sell them to anyone with a budget.

Key trades:

  • Matching your online habits with your offline identity.

  • Packaging and reselling your data to, well, just about everyone.

  • Operating in the legal shadows, with opt-out systems no one can find.

Black markets

Where data goes to die. Repeatedly.

Not all data stays within the warm embrace of marketing. Once breached, leaked, or scraped, it often ends up traded on dark web forums where anonymity is a feature, not a concern.

Compostable activities:

  • Selling full identity kits: PII, financials, login credentials.

  • Offering access-as-a-service to compromised accounts.

  • Laundering stolen data back into above-board systems.

Marketers and advertisers

Your inbox is their playground.

Distinct from the advertising ecosystem machinery, these are the people actively planning campaigns and testing messages, armed with behavioural segments built from your data.

Typical tactics:

  • Hyper-targeted emails that know too much.

  • A/B testing your click habits without your awareness.

  • Buying lists that were “ethically sourced” (with a wink).

Insurance companies

Risk assessment with a side of intrusion.

Insurance used to be about age and postcode. Now it is about lifestyle, spending, health data, and what your fridge says about you.

How they root around:

  • Buying data to predict “risk” and adjust premiums accordingly.

  • Profiling health and habits from online behaviour.

  • Using wearables and activity trackers as feedback loops.

Employers

Smiling in interviews, snooping on socials.

From pre-hire vetting to post-resignation surveillance, employers increasingly use data to measure, predict, and control.

Unethical gardening:

  • Social media monitoring, with or without permission.

  • Employee monitoring software (“just for productivity”).

  • Buying datasets to screen applicants “objectively.”

Law enforcement

Lawful, but not always proportionate.

Data access in the name of safety is a slippery slope. Agencies can and do request logs, metadata, and device access, and not always with rigorous oversight.

Trowels in hand:

  • Surveillance and interception under wide legislative mandates.

  • Pressure on platforms to weaken or backdoor encryption.

  • Use of predictive policing based on opaque and often biased algorithms.

State-level intelligence agencies

A different species from domestic law enforcement: better resourced, operating under different legal frameworks, and not always subject to the same oversight structures. National signals intelligence agencies can compel cooperation from platforms, conduct bulk data collection under national security justifications, and operate across jurisdictions in ways that local law enforcement cannot.

The capabilities gap between a national intelligence agency and any individual’s privacy controls is considerable. Mitigations that work against opportunistic adversaries may be insufficient here.

A dedicated threat model covering state surveillance in depth is in development alongside this one.

Stalkers and domestic abusers

Location data, device access, account monitoring, and social graph analysis are all used by people seeking to track, control, or harm individuals they know personally. This adversary type has direct access to the target’s devices, accounts, and physical environment in ways that remote adversaries do not, which changes the threat profile significantly.

A dedicated threat model for survivors of domestic abuse is in development alongside this one.

Private investigators

Operating in the gap between law enforcement capability and public accessibility, private investigators routinely use OSINT techniques, data broker purchases, social engineering, and in some cases legally questionable methods to build profiles on individuals. Their clients range from insurers and employers to estranged relatives and abusive partners.

Politicians

Regulate, confuse, and occasionally campaign with your data.

From GDPR to ad microtargeting, politicians often sit on both sides of the privacy fence: demanding protections while quietly exploiting the system for elections.

Unreliable sowers of seeds:

  • Crafting regulation with loopholes you can drive a tractor through.

  • Partnering with platforms for campaign data and targeting.

  • Using fear to justify expanded surveillance powers.