How Whistleblowers Navigate a Security Minefield
Exposing wrongdoing is risky on the best of days. Whistleblower Aid cofounder John Tye explains the extensive steps needed to keep people safe.
Initial contact is just the start. Beyond this—once Whistleblower Aid has signed on clients—it recommends using Signal for most messaging. “A lot of time is spent trying to keep our secure devices secure,” Tye says.
Not all whistleblowing is the same, and every whistleblower has their own set of risks. Someone who is calling out Big Tech malpractices will face different possible threats than a national security whistleblower, for example. Tye says Whistleblower Aid conducts threat modeling for each of its clients, assessing the risks they face and where or who those risks may come from. One consideration, he says, is whether certain cloud computing services can be used—a service may be riskier to use if it has a relationship with a government.
“With many clients, we give people special devices that they use with only us,” Tye says. Most communication happens over Signal. Sometimes, Whistleblower Aid uses phones that don’t include baseband chips, which control radio signals emitted from the device, to reduce risk. “We come up with ways to isolate the devices, we use them without baseband chips. That’s one attack vector that we’ve eliminated,” Tye says. In some cases, the organization uses custom VPN setups; in others, phones are transported in faraday bags. “There are ways that we can get devices to people that, if they use them according to the instructions, there’s no way to trace any metadata back to that person,” Tye says.
For whistleblowers, taking extra steps to try to keep their anonymity can be crucial. The European Commission’s whistleblower reporting system advises people using its own reporting tool to not include their names or any personal information in the messages they send, and, if possible, to access its reporting tool “by copying or writing the URL address” rather than clicking on a link, to reduce the creation of additional digital records.
Digital security is not the only thing that needs to be considered. In some cases, people’s physical security can also be put at risk. This could include cases involving national security issues or controversial topics. For instance, officials at the FBI, CIA, and State Department once held daily meetings working out ways to capture Edward Snowden, who famously leaked a trove of documents detailing classified NSA surveillance programs.
“In five years, we’ve had two cases where we’ve had to put armed guards on people, lawyers, and clients,” Tye says. Sometimes, this includes meeting clients in “unusual locations,” including booking Airbnbs for meetings—occasionally, third parties are used to make the booking so it is in another name. “It doesn’t even look like us renting the place to meet with somebody,” Tye says.
But in a world where we’re constantly being tracked through our devices and the signals they broadcast to the world, the best thing can be to keep records offline. “In person is the best,” Tye says. The nonprofit advises having meetings away from devices. “We even have a typewriter that we use for sensitive documents.”