A cautionary guide for those who need to speak out
Whistleblowing means uncovering and sharing illegal or unethical behavior in your organization. Notable whistleblowers include Edward Snowden, Chelsea Manning, and Reality Winner. Any organization could be the subject of whistleblowing: a public or private body, for-profit or non-profit, a community group, or a multinational. It’s important to note, too, that blowing the whistle does not necessarily mean alerting the public or the whole world.
Internal whistleblowing is often seen as more legitimate, although organizations are more likely to bow to outside, public pressure than to an internal investigation. But unless the ethics violation is of public interest, it might be difficult for a whistleblower to find an audience outside their organization.
What do you risk from your whistleblowing?
While it might seem obvious to you that illegal violations and ethical misconduct in your organization must stop, the bigger picture could be complicated and require careful consideration. Are you willing to go public with your allegations and possibly lose your job or career? Are you willing to be exiled, even? Is part of your goal to preserve the integrity of your organization, or are you ready to see it dismantled? From the moment you decide to bring allegations forward, think about your options. Going on record internally about your concerns might make it difficult to go to the public later anonymously. However, reaching out directly to the public might not always be the most efficient option if you want to maintain the integrity of your organization.
If a government or corporation uses illegally obtained information to find you, that evidence may be inadmissible in court, depending on the jurisdiction. But even where inadmissible evidence stops an organization from jailing you, it will likely not stop it from retaliating against you in other ways. It’s very much worthwhile to consult a lawyer before you blow the whistle, as the precise circumstances of how you disclose your knowledge might make the difference between protection by the law and “tried in a secret military court.” It’s worth noting, though, that lawyers can be prohibitively expensive and difficult to contact secretly.
Who do you want to reach?
Reaching out directly to upper management is an efficient way to fix problems, but can be more complicated than it appears, especially if management does not share your concerns. Some organizations have internal watchdogs, but they might not be suitable. It’s hard to evaluate who you can trust, and watchdog groups may not be equipped with the technology or knowledge to receive anonymous tip-offs. Regulators, too, cannot always be trusted: in many countries and industries, regulators and those they are supposed to regulate can be very close.
Whether you reach out to upper management, an internal team, law enforcement, or the press will make a big difference to your OPSEC. However, it’s best to assume that your enemies are stronger than you expect. You should not rely on protection from those you leak to; they might have friends, aides, or allegiances in places you don’t expect, and they might not be as savvy or careful as you need them to be. After all, it’s not their skin in the game—it’s yours.
What do you want to reveal?
Keep your communications to a bare minimum. Avoid unnecessary chatter and only submit the information pertinent to your claims. Any piece of information, no matter how small, could lead to your discovery. The less data you exfiltrate, the easier it will be to fly under the radar. If you download an entire hard drive, you’re more likely to be noticed than if you copy a single file. Likewise, long phone calls are more prone to an investigation than short ones, which could be passed off as a misdial.
Keeping your anonymity while blowing the whistle is hard to achieve. A million things could go wrong and lead to your demasking, and it becomes exponentially more difficult the larger and more powerful the organization is that you’re up against. Large corporations could put a lot of funds aside for the surveillance of workers they suspect of “sabotage,” and governments might have near infinite resources. As such, this is not a complete guide to anonymity. The circumstances will be different in each case, and surveillance capabilities differ between organizations and countries.
Seven ways to leak documents and communicate in secret
The most difficult part of blowing the whistle is how to communicate. You must establish a secure channel to extract documents from your organization and to talk to whoever receives them.
1. Computers serve their owners, not their users
There’s no way to tell what your computer does and which information it will log unless you are sure nobody has ever tampered with the operating system. Ideally, you should install an operating system yourself on a computer you own or use the live operating system, TAILS, from a USB stick.
Moving documents or information off a computer you do not own carries an enormous risk of discovery. Sometimes it might be better to photograph files with your own, private smartphone or write down critical information on a piece of paper, although that, too, carries a significant risk.
Try not to deviate from your usual patterns and only access information as you usually would. When communicating with others, only do so on devices you own and exclusively control.
2. Networks log all information
An organization might record all keystrokes, screenshots, or programs on your computer, or even implement complete network monitoring. The network could timestamp and record abnormal traffic patterns or any piece of data. Furthermore, if you have access to a network hard drive, the system or the drive will log every access by every user.
Some networks go so far as to break TLS encryption in a man-in-the-middle attack: a proxy terminates your encrypted connections, and the company’s own root certificate is installed on company computers so that browsers trust the proxy’s re-signed certificates without complaint. A quick check is to look at the certificate issuer your browser shows for a well-known public site; if it is your employer’s certificate authority rather than a public one, your “encrypted” traffic is being read in transit.
Using a VPN or the Tor network (for example, through TAILS) can help, but on heavily monitored networks the operators might become suspicious of any traffic they cannot decipher, and Tor or VPN connections are easy to recognize even when their contents cannot be read.
Always use the Tor network and a VPN to communicate, and do so from networks the company does not control.
3. Printers and scanners record everything
Similar to network drives, most printers, scanners, and photocopiers will at least maintain a register of every document they print—including a timestamp and which user made the instruction. Some printers even keep a digital copy of the document in their internal hard drive.
More importantly, printers will leave digital tracks on every paper they print, which makes it possible to trace a document back to an individual printer. These tracking features were implemented initially to catch people printing bank notes at home but are one of the most serious hurdles to printing documents privately.
Don’t scan or print documents. Rather, leak printed documents in physical form and electronic documents in electronic form. For maximum security, transcribing documents by hand and back into a text document (.txt) is a good option, though of course, you will have to destroy the handwritten notes.
4. Phones are unencrypted and will disclose your location
Your company might log the location of its phones, but even if it doesn’t, your location can be traced by your telecommunications provider and anybody who has access to its records. Phone tracking can give away sensitive information, such as your visits to a regulator or the press. Ordinary phone calls and text messages are not end-to-end encrypted: your carrier, and anyone with access to it, can read them, as well as some of your online browsing and app data, and some of that data (and all of the metadata) is retained for a long time.
Do not talk or text on the phone. Leave your phone at home or work when meeting others. Only use encrypted messengers, preferably Signal. If you do need a phone, buy a used one with cash. If you can, don’t activate it with a SIM card at all, or get a prepaid SIM card with cash and only turn the phone on when you need it, ideally far away from your home.
5. Money leaves a trail
Your debit and credit cards leave a trail of where you are at what time which can prompt your adversaries to check security footage and other transaction logs for a bigger overall picture of your actions and accomplices. Similarly, your electronic public transportation ticket might reveal where you have been, and whether this was an unusual destination. Pay for everything with cash when meeting those you are informing. Find a place where cash transactions are common, or somewhere free, such as a public park.
Pay with cash if you can, and use gift cards bought with cash or Bitcoin if you have to make a purchase online. Keep in mind that Bitcoin is pseudonymous, not anonymous: every transaction is public, so it only helps if the coins cannot be traced back to an exchange account in your name.
6. Everything leaves metadata
It’s not necessary to surveil the entire contents of your emails, chats, or phone calls to find out what you’re up to. The mere fact that you are in contact with a journalist or regulator might be enough to prompt a further and deeper investigation. Be aware that everything you do or say will leave metadata. Every click, every Google search, print job, text message, credit card swipe, or bus ride leaves a tiny piece of information that might identify you. Even paper mail is scanned and has its delivery origin and destination recorded.
Metadata covers everything, and even changes in your daily pattern might seem suspicious. If you regularly stay at home, leave your phone at home and turn on the TV to give the impression your life is as usual. If you’re outgoing and enjoy hanging out in bars, it’s safer to meet somebody there than to suddenly start hanging out in a park.
Be aware of your digital footprint and try to keep any changes to it at a minimum. Use software to find and remove metadata from files you send. Consider file types that don’t have as much metadata, such as .txt and .png.
7. Is digital the best option?
The internet provides many opportunities for privacy and anonymity, more so than any other technology. If you’re savvy, you can virtually disappear online and communicate with others at low risk of detection. This is not true for every situation, though. It might be far easier to anonymously mail documents to a local newspaper than to find a reporter who’s able to protect you electronically.
A journalist, regulator, or watchdog has a duty to protect their sources. While sources may sometimes be granted legal protection in certain sectors or countries, there’s a chance these protections are worthless or do not cover this particular instance. In addition to the information security advice in this article, it may well be worth learning the legality of whistleblowing in your area. Some protections only exist in particular circumstances and how you communicate or handle documents could mean the difference between a source’s freedom and torture.
Make yourself reachable to a source
Each potential source will have a different understanding of technology, the law, and your organization. It is your duty to open yourself up and become as reachable as possible and to educate your source about how secure communications work.
SecureDrop, originally developed by Aaron Swartz and Kevin Poulsen and now maintained by the Freedom of the Press Foundation, is used by dozens of news organizations around the world as a digital mailbox for sensitive material.
How SecureDrop works:
The whistleblower uses the Tor Browser to navigate to your SecureDrop .onion address, where they can upload documents and messages. On their first visit, the source is given a codename, which acts as a passcode for checking replies later. You retrieve the source’s submissions from your SecureDrop server. Files are encrypted to your organization’s PGP key before they are stored, so that only you can open them. SecureDrop’s design has you decrypt and inspect submissions on a separate, air-gapped laptop running TAILS.
SecureDrop is considered the gold standard for acceptance of leaks and sensitive material but can be difficult to set up for an individual. It’s also important for whistleblowers to know they should avoid using the Tor Browser on work computers, or on any computer connected to their work network.
- Hard to set up for an individual or small organization
- Requires almost no tech knowledge on the part of the whistleblower
Jabber/XMPP with OTR encryption
Jabber (also referred to as XMPP) services are less common than they were (Facebook and Google have dropped them in favor of more centralized, and less secure, alternatives), but they are still relatively easy to set up anonymously, especially when routed through the Tor network (see ExpressVPN’s handy guide). Two newly created anonymous Jabber accounts communicating through Tor with OTR encryption have a slim chance of discovery, even through metadata.
- Not widely used, difficult to use on mobile devices
- Cannot handle images or attachments well
- Lowest chance of discovery among all messenger options
Signal
The encrypted messaging app Signal is available for Android and iOS and makes it possible not only to exchange encrypted messages with a minimal metadata trail, but also to communicate by voice. Signal is widely endorsed by the information security community.
- Requires a phone number to sign up (which may not be a good idea)
- Easy to set up on mobile devices and allows encrypted voice calls
Physical mail
All mail is usually photographed (on the outside), weighed, and has its pickup point and destination recorded. However, it’s still possible to send physical mail anonymously: buying stamps doesn’t (yet) raise suspicion at the counter. A parcel shipped to a regulator or news organization might not stick out and, if posted from a busy location in the same town as the recipient, offers little insight to those watching (though the whistleblower has to be careful with handwritten envelopes).
When documents exist in physical form, it might be far safer to ship them directly, rather than digitize them. As a recipient of mail, it’s important to let potential sources know how you handle mail at your organization. Is mail addressed to you in person or opened by somebody else, for example? Or are records kept about who receives what?
- Mail is logged strictly in some countries or organizations
- High legal protections still exist for mail
Telephone and email
Email and telephone are easy to intercept and produce vast amounts of metadata. Encrypted emails with PGP might work but will leave metadata that could be highly valuable (unless you and the whistleblower are skilled at making this metadata worthless).
Make sure sources can verify you
When you offer yourself as a safe recipient, make sure a potential source can always verify your communications are from you and not an imposter.
Send pictures of yourself
If you meet a source in public, make sure they know what you look like and cannot be deceived by an imposter. Safety measures could include code words if you’ve had secure communications before the meeting.
Use cryptographic keys
It’s likely you have a strong social media presence or at least a biography hosted on the official website of your organization. Use your profiles to host your public keys and include the fingerprints of all keys you use in your communications (Signal, OTR, PGP). Keys on public record make it easier to verify a new identity, for example when you need to switch accounts.
If you’re involved in a whistleblowing case, either as the whistleblower or as a journalist, make sure you adequately deal with metadata.
Only retain data that is absolutely necessary
It might be tempting to retain everything, but it’s better to delete non-pertinent information. Knowing what to delete is hard as some data will be crucial to verify and underpin the claims made by the whistleblower.
Secure your chats
Decide whether to log or record chats and phone calls before you begin the call, and communicate this clearly to your source. Sources might behave differently if you record them, but will also choose their words more carefully.
If you log chats, consider saving them in plain text format to avoid metadata, and remove time stamps. You can also edit out spelling mistakes or standardize the language of your source, so that their writing style (stylometry) is harder to match against other text they have written.
Is it important to retain the envelopes of physical mail delivered to you? Envelopes can reveal information about where and when the contents were posted, and might even contain DNA from your source.
Purge Email headers
Because they include digital signatures (DKIM, for example) and the path a message took, headers can be crucial in verifying the authenticity of an email. But when proving authenticity is not important, it is better to discard them: Received lines, Message-IDs, and client headers name the source’s mail server, IP address, and software. If authenticity is somewhat important, have a credible outside expert verify the headers, then delete the original data.
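As an added worked example, not part of the original article: the following Python script (standard library only, with hypothetical helper names) parses a constructed raw email, lists the headers that disclose the sender’s mail path and client, and produces a copy with those headers removed. When the signature is to be kept for later verification, it also keeps every header listed in the DKIM `h=` tag, because deleting any of them would invalidate the signature. The sample message, addresses, and DKIM values are constructed for illustration and will not verify against any real key.

```python
"""Email header purge: an added example (not from the article).

Parses a raw RFC 5322 message with the standard library, reports the
headers that reveal the sender's mail path and client, and returns a copy
with only the headers needed to read the message. The sample message,
addresses, and DKIM values below are constructed for illustration.
"""
from email import message_from_string

# Headers a recipient needs to read the message (lowercase for comparison).
KEEP = {"from", "to", "subject", "mime-version", "content-type",
        "content-transfer-encoding"}

# Headers that typically name the source's mail server, IP, client, or clock.
REVEALING = {"received", "x-received", "received-spf", "x-originating-ip",
             "x-mailer", "user-agent", "message-id", "date"}

# Constructed sample: two relay hops, a DKIM signature, and client headers.
SAMPLE_RAW = """\
Received: from mail.corp.example (mail.corp.example [203.0.113.7])
    by mx.news.example with ESMTPS id abc123
    for <tips@news.example>; Tue, 02 May 2023 09:12:41 +0200
Received: from laptop-alice.corp.example ([10.0.4.21])
    by mail.corp.example with ESMTPA; Tue, 02 May 2023 09:12:40 +0200
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel1;
    h=from:to:subject:date:message-id; bh=abc=; b=def=
From: alice@corp.example
To: tips@news.example
Subject: audit findings
Date: Tue, 02 May 2023 09:12:39 +0200
Message-ID: <20230502071239.1A2B3C@laptop-alice.corp.example>
X-Mailer: CorpMail 4.2
X-Originating-IP: [10.0.4.21]
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Attached are the figures we discussed.
"""


def revealing_headers(raw: str) -> dict:
    """Map each revealing header name to its (whitespace-normalized) values."""
    msg = message_from_string(raw)
    found = {}
    for name, value in msg.items():
        if name.lower() in REVEALING:
            found.setdefault(name, []).append(" ".join(value.split()))
    return found


def dkim_signed_headers(raw: str) -> set:
    """Header names covered by the DKIM signature (its h= tag), lowercased."""
    sig = message_from_string(raw).get("DKIM-Signature")
    if sig is None:
        return set()
    for tag in sig.split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip().lower() == "h":
            return {h.strip().lower() for h in val.split(":") if h.strip()}
    return set()


def purge_headers(raw: str, keep_signature: bool = False) -> str:
    """Return the message with all headers outside KEEP removed.

    With keep_signature=True the DKIM-Signature header stays, and so does
    every header it signs: removing any of those would break verification,
    so a verifier would see a tampered message rather than an authentic one.
    """
    msg = message_from_string(raw)
    keep = set(KEEP)
    if keep_signature:
        keep |= {"dkim-signature"} | dkim_signed_headers(raw)
    for name in set(msg.keys()):          # del removes every occurrence
        if name.lower() not in keep:
            del msg[name]
    return msg.as_string()


if __name__ == "__main__":
    for name, values in revealing_headers(SAMPLE_RAW).items():
        print(f"{name}: {values}")
    print("--- purged ---")
    print(purge_headers(SAMPLE_RAW))
```

Note that the purge only touches headers: the body, quoted replies, and any attachments can still name the source, and the Message-ID kept alongside a DKIM signature still reveals the sending host, so the choice between "verifiable" and "minimal" is a real trade-off rather than a free option.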
Remove metadata before you publish documents
No matter if you deal with documents, images, chat logs, or audio files, everything has metadata associated with it. Some metadata might be impossible to remove (such as the length of an audio file), but it’s incredibly important to understand what metadata someone could extract from a document. PDFs, Word documents, and .jpg files all carry metadata directly in their structure. The data may include the username of the person who created the document, or even the GPS location of a photo’s capture. You can remove this kind of metadata with a tool like MAT (now maintained as mat2), and you should check the result afterwards, since a stripper that does not understand a format may leave fields behind.
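As an added example, not from the article and not MAT’s own code, here is a small Python metadata stripper for JPEG and PNG files. It shows what a tool like MAT does structurally for the two image formats discussed above and in the earlier note on low-metadata file types: it walks the file’s container format and drops the parts that carry EXIF, text, and timestamps while leaving the image data alone. The image bytes it runs on are constructed inside the script (not real photographs), and the helper names are this example’s own.

```python
"""Image metadata stripper: an added example (not from the article, not MAT).

Walks the container structure of a JPEG or PNG and drops the segments/chunks
that commonly carry identifying data (camera make, author, software, GPS
coordinates, timestamps), leaving the pixel data untouched. The sample files
at the bottom are constructed, not real photographs.
"""
import struct
import zlib

# JPEG application segments / comments that usually carry identifying data.
JPEG_STRIP = {
    0xE1: "APP1 (Exif/XMP: camera, GPS, author)",
    0xED: "APP13 (Photoshop/IPTC: captions, bylines)",
    0xFE: "COM (free-text comment)",
}
# Markers that carry no length field.
_STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def strip_jpeg(data: bytes):
    """Return (cleaned_bytes, list of removed segment descriptions)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in _STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if marker == 0xDA:
            # Start Of Scan: everything from here to EOI is entropy-coded image
            # data, which holds no metadata segments, so copy it verbatim.
            out += data[pos:]
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in JPEG_STRIP:
            removed.append(JPEG_STRIP[marker])
        else:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out), removed


PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that hold text, EXIF, or timestamps. Dropping a whole chunk
# never invalidates another chunk: each CRC covers only its own type and data.
PNG_STRIP = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}


def strip_png(data: bytes):
    """Return (cleaned_bytes, list of removed chunk types)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    out, removed, pos = bytearray(PNG_SIG), [], 8
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length            # length + type + data + CRC
        if ctype in PNG_STRIP:
            removed.append(ctype.decode("ascii"))
        else:
            out += data[pos:end]
        pos = end
    return bytes(out), removed


# --- constructed samples (not real images) ---------------------------------
def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _jpeg_segment(0xE1, b"Exif\x00\x00GPSLatitude=52.52 Make=CorpCam")  # placeholder, not a real TIFF block
    + _jpeg_segment(0xFE, b"Shot by alice on the company laptop")
    + _jpeg_segment(0xDB, b"\x00" + bytes(64))                              # quantization table
    + _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                      # SOS header
    + b"\x12\x34\x56"                                                       # fake scan data
    + b"\xff\xd9"
)

SAMPLE_PNG = (
    PNG_SIG
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _png_chunk(b"tEXt", b"Author\x00alice@corp.example")
    + _png_chunk(b"tIME", struct.pack(">HBBBBB", 2023, 5, 4, 13, 37, 0))
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _png_chunk(b"IEND", b"")
)

if __name__ == "__main__":
    for name, fn, sample in (("JPEG", strip_jpeg, SAMPLE_JPEG), ("PNG", strip_png, SAMPLE_PNG)):
        cleaned, removed = fn(sample)
        print(f"{name}: {len(sample)} -> {len(cleaned)} bytes, removed {removed}")
```

Two caveats a practitioner should keep in mind: the stripper only removes what lives in the container (it does not touch ICC profiles, and it cannot remove anything encoded in the pixels themselves, such as a visible timestamp, a screen reflection, or the printer dots on a scanned page), and stripping is no substitute for checking the output with a second tool before publication.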
Look out for hidden metadata
Other metadata is more complicated to remove or to spot. The background noise of an audio recording might reveal where the recording took place, while many color laser printers add barely visible yellow dots that encode which printer produced the page and when it was printed. Removing every piece of metadata that could identify your source is incredibly important, and you cannot rely on your source to take care of that alone. Depending on what documents you handle, try to inform yourself as much as you can about what links an outsider might draw between the documents, your source, and you.
Anonymous whistleblowing TL;DR
- Use your own devices
- Use your own networks
- Don’t print or scan
- Don’t use phones
- Don’t use credit cards
- Don’t change your habits
- Minimize your digital footprint
Be careful, and thank you for standing up for ethics and principles!
Re-posted with permission from: https://www.expressvpn.com/blog/how-to-be-a-whistleblower