Home of internet privacy

Whistleblowing guide: How to protect your sources

** This is part three of ExpressVPN’s whistleblowing guide. **

Part 1: Whistleblowing guide: Blowing the whistle is tough
Part 2: Whistleblowing guide: How to stay anonymous when blowing the whistle
Part 4: Whistleblowing guide: Why you should remove the metadata

Just want the tl;dr?

A journalist, regulator, or watchdog has a duty to protect their sources.

While sources may sometimes be granted legal protection in certain sectors or countries, there’s a chance these protections are worthless or do not cover this particular instance.

In addition to the information security advice in this article, it may well be worth learning the legality of whistleblowing in your area. Some protections only exist in particular circumstances and how you communicate or handle documents could mean the difference between a source’s freedom and torture.

Make yourself reachable to a source

Each potential source will have a different understanding of technology, the law, and your organization. It is your duty to open yourself up and become as reachable as possible and to educate your source about how secure communications work.

SecureDrop

Developed by Aaron Swartz and Kevin Poulson, dozens of news organizations around the world use SecureDrop as a digital mailbox for sensitive material.

How SecureDrop works:

The whistleblower uses the Tor Browser to navigate to SecureDrop’s .onion address, where they can upload documents.

After uploading, the source will get a passcode, which they can use to check for replies to their documents.

You can retrieve the source’s documents from your SecureDrop server. Files are encrypted with your PGP key so that only you can open them. For further security, use a laptop with the operating system TAILS to inspect the documents.

SecureDrop is considered the gold standard for acceptance of leaks and sensitive material but can be difficult to set up for an individual. It’s also important for whistleblowers to know they should avoid using the Tor Browser on work computers, or on any computer connected to their work network.

Jabber/XMPP with OTR encryption

Jabber (also referred to as XMPP) services are less common (Facebook and Google have dropped them in favor of more centralized, and less secure, alternatives), they are still relatively easy to set up anonymously—especially when routed through the Tor network (See ExpressVPN’s handy guide).

Two newly created anonymous jabber accounts communicating through Tor with OTR encryption have a slim chance of discovery, even through metadata.

Signal

The encrypted messaging app, Signal, is available for Android and iOS and makes it possible to not only exchange encrypted messages with a minimal metadata trail, but also communicate by voice. Signal is widely endorsed by the information security community.

Postal Address

All mail is usually photographed (on the outside), weighed, and has the pickup point and destination recorded. However, it’s still possible to send physical mail anonymously—buying stamps doesn’t (yet) raise suspicion at the counter.

A parcel shipped to a regulator or news organization might not stick out and, if posted from a busy location in the same town as the recipient, offers little insight to those watching (though the whistleblower has to be careful with hand-written envelopes).

When documents exist in physical form, it might be far safer to ship them directly, rather than digitize them. As a recipient of mail, it’s important to let potential sources know how you handle mail at your organization. Is mail addressed to you in person or opened by somebody else, for example? Or are records kept about who receives what?

Telephone and E-mail

Email and telephone are easy to intercept and produce vast amounts of metadata. Encrypted emails with PGP might work but will leave metadata that could be highly valuable (unless you and the whistleblower are skilled at making this metadata worthless).

Make sure sources can verify you

When you offer yourself as a safe recipient, make sure a potential source can always verify your communications are from you and not an imposter.

Send pictures of yourself

If you meet a source in public, make sure your they know what you look like and cannot be deceived by an imposter. Safety measures could include code words if you’ve had secure communications before the meeting.

Use cryptographic keys

It’s likely you have a strong social media presence or at least a biography hosted on the official website of your organization. Use your profiles to host your public keys and include the fingerprints of all keys you use in your communications (Signal, OTR, PGP). Keys on public record will make it more easy to verify a new identity, for example, because you need to switch accounts.

How to protect your sources TL;DR