With the uncertainty surrounding the legal framework, whistleblowers’ best protection relies on their anonymity.
With the uncertainty surrounding the legal framework, whistleblowers’ best protection relies on their anonymity, yet governmental and para-public agencies seem to discount that parameter either by requesting identity disclosure or not providing secure channels to disclosure. Similarly, whistleblowers may put their security or anonymity at risk by the way they make their disclosure. While there is no way to have absolute anonymity, there is a set of best practices to follow.
Key Points:
- Do not use routine equipments or networks
- Only disclose necessary information
- Avoid email submissions
- Be careful of metadata
- Use secured platforms
Do not use routine equipments or networks
A disclosure should not be made from home, or through a work-issued or managed email, phone, computer, or Internet connection. Equipment and networks managed by employers may contain monitoring software that can capture keystrokes or track the sites that whistleblowers visit.
Recommended best practices are to use a network that the whistleblower doesn’t normally use, such as a previously unvisited public wifi network at a cafe or library, so it cannot be tracked back to the whistleblower.
Whistleblowers should use a public location (e.g. cafe, library) that does not require a valid identification before granting access to a computer or internet. It is pertinent to ensure no one can walk by and see the computer screen without being noticed, and that the browser is logged out of all accounts (e.g. incognito mode of the browser).
Only disclose necessary information
Since anonymity is the best protection against reprisal, it is a best practice to avoid disclosing personal information during a disclosure. Some agencies may invite whistleblowers to disclose information to help with follow ups or to confirm details. If extra information may be needed, it may be best to set up a new anonymous email for them to follow up (see best practice below).
To avoid the need for follow up, it is a best practice to provide all available information at the time of the disclosure. At the same time, whistleblowers should only provide information that is necessary, and avoid disclosing information that only they or a few people had direct access to. Even when using a highly secured system, a whistleblower’s identity may be identified through cross-referencing practices. For example, some information is so confidential that only few have access to it. Therefore, if it is disclosed, it is relatively easy to trace the disclosure back to the whistleblower.
In a recent case, law enforcement was able to uncover the identity of the whistleblower by tracking the file’s access log and invisible traces left by the printer used to retrieve the documentation (CBC, 2017; Timm, 2017).
Whistleblowers should not deviate from their usual patterns and only access information as they normally would. Moving documents or information from a computer they do not own carries an enormous risk of discovery. Sometimes, it might be better to photograph files with their own private smartphone, or write down critical information on a piece of paper, however, this also carries a significant risk.
Avoid email submissions
It is well-documented that email is an unsecured way to share confidential information and protect whistleblower’s anonymity. Email is an easy way of sharing information and communicating with others, but there are numerous risks associated with using email, especially with respect to preserving the confidentiality of the correspondence.
Although an email submission could be encrypted, most agencies don’t offer this option. It is equally worth noting that email encryption simply covers the content, and not the sender information and other metadata attached to the email. Notably, it would not hide the fact that the email was sent by the whistleblower to another party, such as an agency.
If email is the only option available, a new address should be created with a free service, preferably one that has privacy and security at core. This address should not be used for any other reason.
Whistleblowers should be mindful that law enforcement agencies are increasingly seeking to force email service providers to disclose the location from which the mailbox was accessed, as well as other details that may unveil the identity of the user.
Be careful of metadata
Beyond their own contents, electronic documents can contain metadata–hidden information about the file (e.g. creator, authors, dates, source and time of access)–that are automatically embed by programs and storage solutions. Although hidden on normal viewing, metadata can be revealed and accessed by others when a document is circulated electronically.
Additionally, when a document is shared by email, the email itself contains metadata, which may disclose a whistleblower’s location and the networks to which they are connected.
When sharing documents online (either by email or through a secured submission form), whistleblowers should ensure that documents do not contain metadata that could identify them.
Use secured forms and platforms
Whistleblowers should avoid disclosing information on forms that are not served on a secure website to avoid man-in-the-middle attacks and other security and confidentiality breaches. Always verify the website is served over “https://” in the address bar.
Some agencies may offer an electronic PDF form that automatically sends information to their service. It is best to avoid these tools as whistleblowers don’t have control over the other information they might be collecting, and over which networks and platforms transfer this information.
For added security, whistleblowers may want to consider using tools such as Tails. Tails is not a messaging platform, but rather a portable operating system built on the Tor network that makes a computer completely anonymous, and protects whistleblowers against surveillance. No information is saved on the hard disk, it uses only RAM, and once the use is complete everything is automatically erased.
There are free and open source technologies that ensure a high standard of anonymity and security for whistleblowers – such as GlobaLeaks, or state-of-the-art service SecureDrop, an open source solution managed by the Freedom of the Press Foundation.
Some agencies and regulators have set up an electronic portal deemed to be secured and confidential by contracting with private third-party organizations. However, while being served over security layers, the user’s network manager, the Internet access provider or the service provider can collect crucial information that may reveal the whistleblower’s identity. The whistleblower will need to trust a private organization not to disclose their information to anyone. Personal information may be stored on the private organization’s servers that, in turn, may potentially suffer a hack or privacy breach.