Now is a good time to update your threat model

Given current developments in the USA, where most of our communication is hosted, many organizations and individuals should revisit their thinking around operational security.

Here are five things I consider facts:

• US spy agencies have in the past had on-demand access to all data stored by US companies, and in many cases even taken full copies by default.
• AI has almost completely removed the friction and cost associated with evaluating each individual message's contents or creating profiles on each person.
• The current administration is taking direct control of many agencies at will, and ignoring checks and balances.
• An increasing list of concepts, keywords and associations can land you on the list of organizations or persons considered "woke" or "radical leftist" (Note: the NIST just instructed AISI to eliminate any mention of "AI safety", probably not yet as bad as working on climate science, but the direction is clear).
• It would be trivially easy for a US agency to make a list of almost all EAs, if it doesn't exist already

In the past, when I advocated for EA orgs to use encrypted communication or platforms they themselves operate and control, the response I have gotten was usually the extra friction/security trade-off is not worth it.

It may well be that for many this trade-off is still not worth it, I just hope everyone is making this decision consciously.

Prediction time

Here are two questions from four years ago, has anyone updated their confidence since then?

(for example withdrawal of operating license, denial of work visas, etc. in any country)