LINDDUN

Details
Full Name

LINDDUN Privacy Threat Modeling Framework

Also known as

LINDDUN GO, Privacy Threat Modeling, Privacy STRIDE

Core Concepts:

Linkability

Attacker can link two items of interest (e.g., data items, messages, or actions) without knowing the identity of the data subject

Identifiability

Attacker can identify a data subject from a set of data subjects through items of interest

Non-repudiation

Data subject cannot deny having performed an action or having sent a message; system logs become a liability

Detectability

Attacker can deduce the existence or absence of a data item or communication, even without access to its content

Disclosure of Information

Unauthorized exposure of data to a party without the data subject’s consent; classical confidentiality breach from a privacy perspective

Unawareness

Data subjects are not sufficiently informed about the collection, processing, storage, and sharing of their personal data; violates transparency principles

Non-compliance

System does not comply with privacy legislation, regulations, or organizational privacy policies (e.g., GDPR, CCPA, HIPAA)

Key Proponents

Kim Wuyts, Riccardo Scandariato, Wouter Joosen (KU Leuven / DistriNet Research Group, published 2014)

When to Use:

  • Conducting privacy threat modeling during the design or architecture phase

  • Performing privacy impact assessments (PIA) or data protection impact assessments (DPIA)

  • Identifying privacy risks in systems that handle personal data

  • Evaluating compliance with GDPR, CCPA, HIPAA, and other privacy regulations

  • Integrating Privacy by Design into the software development lifecycle

  • Training development teams on privacy engineering concepts

Current Status:

  • The description above likely reflects the original academic LINDDUN of the 2010s: a single, heavyweight DFD-based method using the original seven categories, including plain "Unawareness"

  • Current LINDDUN (KU Leuven) is a family of three flavors: GO (a lightweight 33-card deck, redesigned in 2024), PRO (systematic), and MAESTRO (the most thorough). All three build on a threat knowledge base updated in 2024, in which the "U" became "Unawareness & Unintervenability"