Home of internet privacy

Whistleblowing guide: How to stay anonymous when blowing the whistle

** This is part two of ExpressVPN’s whistleblowing guide. **

Part 1: Whistleblowing guide: Blowing the whistle is tough
Part 3: Whistleblowing guide: How to protect your sources
Part 4: Whistleblowing guide: Why you should remove the metadata

Just want the tl;dr?

Keeping your anonymity while blowing the whistle is hard to achieve.

A million things could go wrong and lead to your demasking, and it becomes exponentially more difficult the larger and more powerful the organization is that you’re up against.

Large corporations could put a lot of funds aside for the surveillance of employees they suspect of “sabotage,” and governments might have near infinite resources.

As such, this is not a complete guide to anonymity. The circumstances will be different in each case, and surveillance capabilities differ between organizations and countries.

7 ways to leak documents and communicate in secret

The most difficult part of whistleblowing the whistle is how to communicate. You must establish a secure channel to extract documents from your organization.

1. Computers serve their owners, not their users

There’s no way to tell what your computer does and which information it will log unless you are sure nobody has ever tampered with the operating system. Ideally, you should install an operating system yourself on a computer you own or use the live operating system, TAILS, from a USB stick.

Moving documents or information from a computer you do not own carries an enormous risk of discovery. Sometimes it might be better to photograph files with your own, private smartphone or write down critical information on a piece of paper—although that, too, also carries a significant risk.

Try not to deviate from your usual patterns and only access information as you usually would. When communicating with others, only do so on devices you own and exclusively control.

2. Networks log all information

An organization might record all keystrokes, screenshots, or programs on your computer, or even implement complete network monitoring. The network could timestamp and record abnormal traffic patterns or any piece of data. Furthermore, if you have access to a network hard drive, the system or the drive will log every access by every user.

Some networks go so far as to break the TLS encryption in a man-in-the-middle attack and place their root certificate on the company computers.

Using a VPN or the Tor Network (for example, through TAILS) can help, but on heavily monitored networks the operators might take suspicion at any traffic they cannot decipher.

Always use the Tor Network and a VPN to communicate, and use networks not controlled by the company.

3. Printers and scanners record everything

Similar to network drives, most printers, scanners, and photocopiers will at least maintain a register of every document they print—including a timestamp and which user made the instruction. Some printers even keep a digital copy of the document in their internal hard drive.

More importantly, printers will leave digital tracks on every paper they print, which makes it possible to trace a document back to an individual printer. These tracking features were implemented initially to catch people printing bank notes at home but are one of the most serious hurdles to printing documents privately.

Don’t scan or print documents. Rather, leak printed documents in physical form and electronic documents in electronic form. For maximum security, transcribing documents by hand and back into a text document (.txt) is a good option, though of course, you will have to destroy the handwritten notes.

4. Phones are unencrypted and will disclose your location

Your company might log the location of its phones, but even if it doesn’t, the location can be traced by your telecommunications provider and anybody who has access to it.

Phone tracking can give away sensitive information, such as your visits to a regulator or the press.

All phone calls and text messages are unencrypted, as is some of your online browsing and app data, and some of the data (and all of the metadata) is stored for a long time.

Do not talk or text on the phone. Leave your phone at home or work when meeting others. Only use encrypted messengers, preferably Signal. If you do need a phone, buy a used one with cash. If you can, don’t activate it with a SIM card at all, or get a prepaid SIM card with cash and only turn the phone on when you need it, ideally far away from your home.

5. Money leaves a trail

Your debit and credit cards leave a trail of where you are at what time which can prompt your adversaries to check security footage and other transaction logs for a bigger overall picture of your actions and accomplices.

Similarly, your electronic public transportation ticket might reveal where you have been, and whether this was an unusual destination.

Pay for everything with cash when meeting those you are informing. Find a place where cash transactions are common, or somewhere free, such as a public park.

Pay with cash if you can, and use gift cards or Bitcoin if you have to make a purchase online.

6. Everything leaves metadata

It’s not necessary to surveil the entire contents of your emails, chats, or phone calls to find out what you’re up to. The mere fact of you are in contact with a journalist or regulator might be enough to prompt a further and deeper investigation.

Be aware that everything you do or say will leave metadata. Every click, every google search, print, text message, credit card swipe, or bus ride leaves a tiny piece of information that might identify you. Even paper mail is scanned and has it’s delivery origin and destination recorded.

Metadata means everything, and even changes in your daily pattern might seem suspicious. If you regularly stay at home, leave your phone at home and turn on the TV to give the impression your life is as usual. If you’re outgoing and enjoy hanging out in bars, it’s safe to meet somebody there, rather than suddenly hanging out in a park.

Be aware of your digital footprint and try to keep any changes to it at a minimum. Use software to find and remove metadata from files you send. Consider file types that don’t have as much metadata, such as .txt and .png.

7. Is digital the best option?

The internet provides many opportunities for privacy and anonymity, more so than any other technology. If you’re savvy, you can virtually disappear online and safely communicate with others without risk of detection.

This is not true for every situation, though. It might be far easier to anonymously mail documents to a local newspaper than to find a reporter who’s able to protect you electronically.

Anonymous whistleblowing TL;DR

Be careful, and thank you for standing up for ethics and principles!