Introduction
(to be written last)
Who is it for?
Whistleblowers: they are at risk because they carry a message in the public interest. In the eyes of the law they would be found guilty if that were not the case, but the nature of the message they send to authorities or journalists grants them immunity. When it does not, because of unfair laws, they need to remain anonymous.
(indirectly) Lawyers: when attorney/client conversations are effectively protected, they should be the first to advise whistleblowers.
(indirectly) Journalists: when whistleblowers go to the press so that their message becomes public knowledge, they rely on journalists to verify its content and express it in layman’s terms.
The context
Communications between whistleblowers, lawyers and journalists have fundamentally changed — technology increasingly facilitates human interactions, making them vulnerable to interception. While in the past, evading surveillance could be accomplished through payphones or handwritten letters, almost everyone now carries a mobile phone that can record the audio around it and transmit location data. The devices we depend on can betray us, and anyone who cares about privacy must go to extraordinary lengths to secure their communications.
When Snowden revealed the extent of the global surveillance apparatus in 2013, thousands of journalists and lawyers became aware of the importance of encrypting their communications so that they stay private. But a new trend has emerged since: digital breadcrumbs form a trail of evidence that has led to the identification, and in some cases conviction, of whistleblowers. It is easier than ever for governments to identify whistleblowers, and mitigating this requires steps beyond encryption. https://flowersforsocrates.com/2015/02/13/cia-whistleblower-jeffrey-sterlings-trial-by-metadata-does-it-set-a-dangerous-precedent-for-free-speech-rights-in-the-united-states/
While some lawmakers are fortunately working to implement policies that proactively protect whistleblowers, journalists, and privacy, securing sensitive communications today requires a toolbox of technical digital security tools. https://www.opensocietyfoundations.org/sites/default/files/global-principles-national-security-10232013.pdf
Three practical scenarios/cases
The most common case. Brigitte Heinisch works in a nursing home where patients are kept in horrifying conditions. https://youtu.be/z6tBCMljTCc In this case, neither intelligence agencies nor well-resourced private entities are involved, so Brigitte needs to take only basic steps to remain anonymous if she wants to blow the whistle. She shouldn’t email journalists from her personal email address, or tell anyone that she intends to expose abuse in her place of employment. Tools she might use to remain anonymous include contacting journalists or watchdog organizations through Signal, Wire or WhatsApp.
Corruption involving large organizations. Antoine Deltour revealed a tax evasion scandal involving hundreds of billions of euros https://en.wikipedia.org/wiki/Luxembourg_Leaks . Although the scandal implicates the state, it is unlikely that intelligence agencies are actively trying to prevent the documents from being disclosed to the public. However, similar organizations often hire well-funded private security agencies whose mission is to proactively prevent such leaks. For this reason, Antoine is strongly advised to:
- remove the battery from his mobile phone when not using it https://ssd.eff.org/en/module/problem-mobile-phones
- encrypt his communications (Signal https://ssd.eff.org/en/module/how-use-signal-android https://ssd.eff.org/en/module/how-use-signal-ios, PGP (links to EFF guides), OTR (links to EFF guides), etc.)
- access the internet anonymously (Tor, links to EFF guides)
State actor wrongdoing. Edward Snowden made the world aware that the United States was spying on its own citizens without any evidence of wrongdoing. https://en.wikipedia.org/wiki/Edward_Snowden Intelligence agencies are eager to keep classified information secret, and may go to extraordinary lengths to identify and prosecute whistleblowers who expose state secrets. The precautions mentioned above for corruption involving large organizations apply, but situations involving nation states also require you to:
- exclusively use dedicated tooling to wipe and avoid metadata trails
- communicate with journalists or lawyers with SecureDrop https://docs.securedrop.org/en/latest/source.html
- use devices that cannot be traced back to you: anonymous mobile phones https://blog.dachary.org/2017/12/17/howto-anonymous-mobile-in-paris/, retail hardware paid for in cash, etc.
- use Operating Systems designed for privacy such as Tails https://tails.boum.org/ or Qubes https://www.qubes-os.org/
- avoid physical surveillance and trail
- sit with your back to the wall to avoid camera surveillance, etc.
- do not talk over the phone where other people can hear you or within range of recording devices, such as mobile phones carried by other people, etc.
- keep your hardware and USB keys with you at all times: when running errands, going to the bathroom, etc.
Conclusion
These guidelines are meant to give whistleblowers, lawyers and journalists an idea of the kind of tools they need to carry out their mission effectively. If you feel you’re in between the above categories, for instance because you live in a country where the boundary between corporations and state actors is fuzzy, seek advice. There are many nonprofits and activists all over the world who are trustworthy, willing to devote their time to putting an end to corruption, and working daily to resist excessive online surveillance.