P PrivacyPhones
Guide

What's Your Threat Model? A Privacy Phone Buyer's Framework

A practical, five-level framework for choosing the right privacy phone setup — from blocking ad tracking to defending against state-level surveillance. Find your threat level and build your stack.

TL;DR: Not everyone needs the same privacy setup. This guide breaks mobile privacy into five threat levels — from blocking ad tracking with GrapheneOS on a Pixel (~$500) to defending against state-level surveillance with a hardened OS, Cape carrier, and strict opsec ($1,500+). Most people only need Levels 1–2. Identify who you’re protecting yourself from, then build accordingly.

What’s Your Threat Model? A Privacy Phone Buyer’s Framework

You’ve decided you want a private phone. Good. But before you spend $2,000 on a hardened device with kill switches and a faraday pouch, take a breath. The single most important question in mobile privacy isn’t which phone should I buy? — it’s what am I actually protecting myself from?

That question is your threat model, and it’s the difference between a sensible privacy setup and an expensive one that doesn’t actually solve your problem.

Security professionals have used threat modeling for decades. The concept is simple: figure out what you’re defending, who you’re defending it from, and how much effort is proportional to the risk. You don’t install a bank vault door on your apartment.

Let’s walk through five practical threat levels, from everyday privacy to adversarial-grade operational security. Find your level, build your stack, and stop worrying about the stuff that doesn’t apply to you.

The Landscape: Why This Matters Now

The data broker industry was valued at over $300 billion in 2025 and is growing at roughly 7% per year, with mobile apps and SDKs accounting for more than 35% of all data acquisition (Mordor Intelligence, 2025). Your phone isn’t just a communication device — it’s the single richest source of personal data that exists. Location history, browsing habits, contact graphs, biometric data, purchasing behavior — all of it flows through your handset.

Meanwhile, cell-site simulators (IMSI catchers or Stingrays) remain in active use by law enforcement. In 2025, the EFF released Rayhunter, an open-source detection tool, and community users documented likely cell-site simulator activity in Chicago, New York, and other cities. The surveillance infrastructure isn’t theoretical — it’s operational.

The good news: the privacy phone ecosystem has never been more mature. From GrapheneOS to Cape to purpose-built hardware like HIROH and Punkt MC03, there are real solutions at every price point. You just need to match the right one to your needs.

Level 1: “I Just Don’t Want to Be the Product”

The Threat: Ad Tracking and Data Harvesting

Who this is for: Anyone who’s tired of seeing ads for something they mentioned once in conversation. Parents who don’t want their kids profiled. Professionals who don’t want their employer’s competitors knowing their browsing habits. Basically — most people.

What you’re defending against: Advertising IDs, cross-app tracking, location data sales to brokers, Google and Apple telemetry, pre-installed bloatware that phones home.

The Solution: GrapheneOS on a Google Pixel

GrapheneOS is a hardened, open-source Android operating system that strips out Google’s data collection while maintaining full Android compatibility. It runs exclusively on Google Pixel hardware (for now — the project announced in late 2025 that it’s working with a major OEM to expand device support, possibly as early as 2026–2027).

Why Pixel? Pixels are the only Android phones with a properly unlockable bootloader and full verified boot support. GrapheneOS can re-lock the bootloader after installation, meaning the OS is cryptographically verified every time the phone starts. That’s a security property most custom ROMs can’t offer.

What to do:

  • Buy a Google Pixel 8a, 8 Pro, or 9 series ($500–$800 depending on model)
  • Install GrapheneOS (free, well-documented installation process)
  • Use sandboxed Google Play only for apps that require it — GrapheneOS lets you run Google services in an isolated container with no special privileges
  • Audit your apps: remove anything you don’t actively use, deny unnecessary permissions
  • Use a privacy-respecting browser like Vanadium (included) or Brave

Monthly cost: $0 beyond your existing phone plan.

What this doesn’t protect against: Your carrier still knows your location. Your ISP can see your DNS queries. Standard SMS/MMS can be intercepted. If you sign into Google, Meta, or other accounts, those companies still collect data within their services. This level reduces passive data harvesting, not communications privacy.

Budget: $500–$800 one-time.

Level 2: “I Want Real Communications Privacy”

The Threat: Message Interception, Email Surveillance, ISP Monitoring

Who this is for: Professionals handling sensitive client information (lawyers, therapists, financial advisors). Anyone going through a divorce, custody dispute, or legal proceeding. People in countries with weak privacy laws. Anyone who thinks their email should be as private as a sealed letter.

What you’re defending against: Unencrypted messaging, email metadata exposure, ISP traffic logging, basic account compromise.

The Solution: Level 1 + Encrypted Communications Stack

Start with the GrapheneOS setup from Level 1 (or follow our step-by-step setup guide), then layer on:

  • Signal (and alternatives) for messaging and voice calls — end-to-end encrypted, open-source, widely regarded as the gold standard. Free.
  • Proton Mail for email — end-to-end encrypted email with zero-access encryption. Based in Switzerland. Plans start around $4/month, or use the generous free tier.
  • Proton VPN (or Mullvad VPN) to encrypt your internet traffic and prevent ISP snooping. If you want the details (audits, jurisdictions, anonymous signup), see our VPN guide. Mullvad is $5/month with no account required — just a randomly generated number. Proton VPN is included in Proton’s bundle plans.
  • A good password manager like Bitwarden (free tier available) with unique passwords for every account and two-factor authentication enabled everywhere.

What to do:

  • Move your important conversations to Signal. Yes, you’ll need to convince your contacts — start with the ones who matter most.
  • Set up Proton Mail for sensitive email. You don’t need to migrate everything — even a dedicated address for financial and legal matters is a big step.
  • Run your VPN full-time on your phone to mask traffic from your carrier and ISP.
  • Enable disappearing messages in Signal for conversations that don’t need to be permanent.

Monthly cost: $10–$15 for Proton bundle + VPN (or ~$5 for Mullvad alone).

What this doesn’t protect against: Your carrier still tracks your location via cell tower connections. A sophisticated adversary who compromises your device (rather than the network) can bypass all of this. If your contact’s phone is compromised, your end-to-end encryption only protects one end. And you’re still vulnerable to SIM swapping, SS7 attacks on your phone number, and carrier-level metadata collection.

Budget: $500–$900 one-time + $10–$15/month.

Level 3: “I Need Network-Level Privacy”

The Threat: IMSI Catchers, Carrier Tracking, Location Surveillance

Who this is for: Executives concerned about corporate espionage. Domestic violence survivors whose abusers have technical sophistication. Security researchers. People who work near government buildings, protests, or sensitive locations where cell-site simulators may be deployed.

What you’re defending against: Cell-site simulators (Stingrays/IMSI catchers) that mimic cell towers to intercept your phone’s identity and location. Carrier-level location tracking. SIM-swap attacks. SS7 network vulnerabilities that allow remote tracking.

The Solution: Level 2 + Cape Carrier

Cape is America’s first privacy-focused mobile carrier (MVNO). Launched in beta in 2025 at $99/month, Cape is designed from the ground up to prevent the carrier itself from tracking your location or associating your identity with your phone number. Traditional carriers are required to (and readily do) hand over location data and call records — Cape’s architecture is built so that data doesn’t exist to hand over.

Cape has partnered with Proton to provide subscribers with Proton Unlimited service, which includes Proton Mail, Proton VPN, Proton Drive, and Proton Calendar.

What to do:

  • Set up your Level 1 + Level 2 stack first (GrapheneOS, Signal, Proton, VPN)
  • Switch your cellular service to Cape ($99/month, includes Proton Unlimited)
  • Use your phone’s airplane mode strategically when you don’t need connectivity
  • Consider EFF’s Rayhunter tool on a secondary hotspot device to monitor for cell-site simulator activity in your area

Monthly cost: $99/month for Cape (includes Proton Unlimited, so you can cancel separate Proton subscriptions).

What this doesn’t protect against: If your device itself is compromised with spyware, network-level protections are moot. WiFi-based location tracking still works. Apps with location permissions can still report your position through the internet. And while Cape makes carrier-level surveillance much harder, it doesn’t make you invisible — you still connect to cell towers, and advanced adversaries with direct access to network infrastructure could potentially correlate traffic.

Budget: $500–$900 one-time + ~$99/month.

Level 4: “I Need Hardware-Level Assurance”

The Threat: Firmware Backdoors, Hardware Implants, Covert Camera/Microphone Activation

Who this is for: High-profile business figures. Government officials with clearance concerns. Individuals targeted by sophisticated private surveillance firms. Anyone who needs to know — not just hope — that their camera and microphone are physically disconnected.

What you’re defending against: Firmware-level compromise that persists across OS reinstalls. Remote activation of cameras and microphones via zero-click exploits. Baseband processor vulnerabilities. Supply-chain tampering.

The Solution: Purpose-Built Privacy Hardware

At this level, you’re moving beyond standard smartphones into devices designed with physical privacy controls and hardware-level isolation:

HIROH Phone (~$999)

  • Powered by Murena’s /e/OS (a de-Googled Android fork)
  • Physical hardware kill switch for camera, microphone, and connectivity
  • 108MP camera, AMOLED display — genuinely usable as a daily driver
  • Expected to begin shipping March 2026

Punkt MC03 ($699 + $9.99/mo subscription after year 1)

  • Runs AphyOS, a custom OS built on GrapheneOS with a unique “Vault/Wild Web” dual-space architecture — trusted apps live in the Vault; everything else runs in an isolated sandbox
  • Manufactured in Germany with a removable 5,200mAh battery (removable battery = you can physically ensure the phone is off)
  • Built-in VPN, partnerships with Threema and Proton
  • IP68 water and dust resistance, 120Hz OLED display
  • North American availability expected Spring 2026

Purism Librem 5 ($699)

  • Runs PureOS (based on Debian GNU/Linux, not Android)
  • Three hardware kill switches: WiFi/Bluetooth, cellular modem, and camera/microphone
  • Complete hardware isolation — the cellular modem runs on a separate processor with no access to main memory
  • The most principled approach to hardware privacy, though with significant usability trade-offs (limited app ecosystem, slower performance)

What to do:

  • Choose the device that matches your usability needs: HIROH or Punkt MC03 for smartphone-like experience; Librem 5 for maximum hardware isolation
  • Pair with Cape carrier service for network-level protection
  • Layer on your encrypted communications stack (Signal, Proton, VPN)
  • Physically verify kill switches work as expected upon receiving your device

Monthly cost: Same as Level 3 — $99/month Cape + services, though some may be bundled.

What this doesn’t protect against: Operational security failures. If you log into real-name social media, share your location, or carry both a privacy phone and a regular phone that can be correlated, hardware protections won’t save you. Kill switches protect against remote exploitation but not physical attackers with device access. And purpose-built privacy phones have smaller development teams, which can mean slower security patches.

Budget: $700–$2,000 one-time + $99+/month for services.

Level 5: “State-Level Adversary”

The Threat: Targeted Government Surveillance, Spyware, Physical Interdiction

Who this is for: Investigative journalists working on stories that threaten powerful interests. Human rights activists in authoritarian or semi-authoritarian environments. Whistleblowers. Political dissidents. Sources communicating with journalists. Lawyers representing high-profile defendants.

What you’re defending against: Zero-click exploits (like those deployed by NSO Group’s Pegasus). Targeted physical surveillance. Device seizure and forensic extraction. Parallel construction using telecommunications metadata. Social engineering by professional intelligence operatives.

The Solution: Hardened Stack + Operational Security Discipline

This isn’t about a single product — it’s about a system of practices and layered defenses:

Hardware & Software:

  • Primary device: Hardened GrapheneOS on a Pixel (current-generation for latest security patches), purchased with cash from a retail store, never associated with your real identity
  • Carrier: Cape, registered without connecting to your real identity where possible
  • Communications: Signal with disappearing messages (short timer), Proton Mail with PGP for source communications
  • Secondary/burner device for any activity that must touch your real identity — never carry both devices simultaneously

Operational Security Practices:

  • Compartmentalization: Your privacy phone and your identity phone never exist in the same place at the same time. If cell tower records show two phones always moving together, they’re trivially correlated.
  • Physical security: Use a faraday bag when your phone should not be broadcasting. Power off (fully) when entering sensitive locations.
  • Network hygiene: Connect to WiFi only through VPN. Avoid patterns — don’t always connect from the same café.
  • Social discipline: The hardest part. Don’t tell people about your privacy phone unless they need to know. Don’t mix contacts between your real identity and your protected identity.
  • Regular device rotation: Replace devices periodically. A phone that’s been in continuous use for a year has had a year to be compromised.
  • Secure meeting practices: For the most sensitive conversations, meet in person, leave phones behind (or in faraday bags in separate locations).

Monthly cost: $99+ for Cape, $10–15 for additional services, plus the cost of periodic device replacement and potentially travel for in-person meetings.

What this doesn’t protect against: A sufficiently motivated state-level adversary with unlimited resources can eventually find a way. The goal at this level isn’t perfect security — it’s raising the cost of surveillance high enough that it requires significant, targeted investment rather than passive collection. You’re making yourself expensive to surveil, not impossible.

Budget: $1,500+ one-time (multiple devices) + $100+/month + strict opsec discipline.

Start Here: Our Recommendation for Most People

If you’ve read this far and feel overwhelmed, here’s the honest truth: Level 1 or Level 2 is enough for roughly 90% of people. (And if you want a single recommendation, our Best Privacy Phones in 2026 buyer’s guide summarizes the trade-offs.)

The vast majority of privacy violations are commercial — companies harvesting your data to sell ads or feed data brokers. A GrapheneOS Pixel with basic app hygiene (Level 1) eliminates the bulk of that exposure. Adding encrypted communications and a VPN (Level 2) closes most of the remaining gaps for everyday life.

You don’t need to spend $99/month on Cape unless you have a specific, articulable reason to fear carrier-level tracking. You don’t need hardware kill switches unless you face threats that involve remote exploitation of cameras and microphones. And you definitely don’t need Level 5 operational security unless your personal safety depends on it.

Our “just do this” recommendation:

  1. Buy a Pixel 8a or 9a (~$500)
  2. Install GrapheneOS (free, takes about 20 minutes)
  3. Install Signal for messaging (free)
  4. Set up Proton Mail for sensitive email (free tier is fine to start)
  5. Install Mullvad VPN ($5/month, no account needed)

Total: ~$500 up front + $5/month. That puts you ahead of 95% of smartphone users in terms of privacy, for less than the cost of a flagship iPhone.

A Note on Perfection

No setup is perfectly secure. Every threat model involves trade-offs — between privacy and convenience, between security and usability, between cost and protection. The goal isn’t to build an impenetrable fortress. The goal is to make informed decisions about which trade-offs you’re willing to accept.

The most dangerous thing in privacy isn’t using the wrong phone. It’s using no protection at all because the “right” solution seemed too complicated or too expensive. Don’t let perfect be the enemy of good.

Figure out your threat level. Build your stack. And then go live your life — with a little less of it leaking onto the open market.

Have questions about which threat level fits your situation? Browse our phone reviews and carrier guides for detailed setup walkthroughs, or check our comparison tools to find the right device for your budget.