Whistleblowing guide: Blowing the whistle is tough

**This is part one of ExpressVPN’s whistleblowing guide.**

Part 2: Whistleblowing guide: How to stay anonymous when blowing the whistle
Part 3: Whistleblowing guide: How to protect your sources
Part 4: Whistleblowing guide: Why you should remove the metadata

A cautionary guide for those who need to speak out

Whistleblowing means to uncover and share illegal or unethical behavior in your organization. Notable whistleblowers include Edward Snowden, Chelsea Manning, and Reality Winner.

Any organization could be the subject of whistleblowing. It may be a public or private organization (either for-profit or non-profit), a community group, or a multinational. It’s also important to note that blowing the whistle does not necessarily mean alerting the public or the whole world.

Internal whistleblowing is often seen as more legitimate, although organizations are more likely to bow to outside, public pressure than to an internal investigation. But unless the ethics violation is of public interest, it might be difficult for a whistleblower to find an audience outside of their organization.

What do you risk from your whistleblowing?

While it might seem obvious to you that illegal violations and ethical misconduct in your organization must stop, the bigger picture could be complicated and require careful consideration.

Are you willing to go public with your allegations and possibly lose your job or career? Are you willing to be exiled, even? Is part of your goal to preserve the integrity of your organization, or are you ready to see it dismantled?

From the moment you decide to bring allegations forward, think about your options. Going on record internally about your concerns might make it difficult to go to the public later anonymously. However, reaching out directly to the public might not always be the most efficient option if you want to maintain the integrity of your organization.

If a government or corporation uses illegally obtained information to find you, it’s likely not admissible in court. Though inadmissible evidence might stop an organization from jailing you, it will likely not stop them from retaliating against you in other ways.

It’s very much worthwhile to consult a lawyer before you blow the whistle, as the precise circumstances of how you disclose your knowledge might make the difference between protection by the law and “tried in a secret military court.”

It’s worth noting, though, that lawyers could be prohibitively expensive and difficult to contact secretly.

Who do you want to reach?

Reaching out directly to upper management is an efficient way to fix problems, but can be more complicated than it appears, especially if management do not share your concerns.

Some organizations have internal watchdogs, but they might not be suitable. It’s hard to evaluate who you can trust, and watchdog groups may not be equipped with the technology or knowledge to receive anonymous tip-offs.

Regulators, too, cannot always be trusted. In many countries and industries, regulators and those they are supposed to regulate can be very close.

Whether you reach out to upper management, an internal team, law enforcement, or the press will make a big difference to your OPSEC. However, it’s best to assume that your enemies are stronger than you expect.

You should not rely on protection from those you leak to; they might have friends, aides, or allegiances in places you don’t expect, and they might not be as savvy or careful as you need them to be. After all, it’s not their skin in the game—it’s yours.

What do you want to reveal?

Keep your communications to a bare minimum. Avoid unnecessary chatter and only submit the information pertinent to your claims. Any piece of information, no matter how small, could lead to your discovery.

The less data you exfiltrate, the easier it will be to fly under the radar. If you download an entire hard drive, you’re more likely to be noticed than if you copy a single file. Likewise, long phone calls are more likely to prompt an investigation than short ones, which could be passed off as a misdial.

In part two of this series, ExpressVPN looks at potential hazards when you leak material out of your organization and communicate with journalists or regulators.