Chapter 3
LEGAL DISCLAIMER: The material in this e-course is provided for informational purposes only. Nothing in this email should be construed as legal advice. Before you act on any of the material in this guide, the authors STRONGLY urge you to seek legal counsel.
Think first, click second
Technology can be a useful tool for exposing wrongdoing, but it can also make it easier to expose your identity. The good news is that there are plenty of tools out there that can help maintain the anonymity of your conversations, your behavior, and your data. Overall, the digital security space is constantly evolving—what was secure even a couple of days ago may be vulnerable today—but here are a few general guidelines, tools to consider, and best practices to follow. REMEMBER: No system is foolproof.
If the walls could talk… they would
Your digital activities at work are very likely being monitored. And even if they aren't, it's better to assume anything you do on work time, networks, or equipment is being watched and logged. Even arguably innocuous activity—for example, reading about whistleblowing or leaking—could draw scrutiny, so it's best to use your personal devices outside of work hours to do research on whistleblowing or non-work-related tasks, whenever possible.
Because of previous whistleblowers, including Edward Snowden, we know the government’s vast digital surveillance capabilities include collecting information about Americans’ communications. Many companies whose products you likely use in your daily life—for example, email providers, social networks, and internet providers—can collect not only the contents of your communications, but also other identifying data such as who you've contacted, sites you've visited, when you visited and how often, among other information.
While the government may not have direct access to this information, it may be able to use legal methods to compel companies to turn over any or all of the information they have on you.
Try to mitigate your risk by never using your personal equipment or your employer’s equipment to transmit information when you’re blowing the whistle. Consider using a distant public computer at a library or internet cafe that is not likely to be connected to or associated with you. You could also consider using the Tor Browser or Tails operating system described later in this chapter, which can help to better protect your digital activity.
It’s good practice to review your digital hygiene regularly in any case, so the more of these practices that you can implement, the better secured all of your information will be—and not just information that you could use to blow the whistle.
The strongest defenses against digital snooping at this time are technologies that incorporate strong encryption, both for communication and stored data.
(If you've never heard of encryption before, POGO's Andrea Peterson has a great write-up from her time at The Washington Post that's well worth a read.)
Always keep in mind that even the most advanced protection now may be weak or irrelevant in the near future, and that any time you use third-party applications or software you are trusting them with your data. Encryption does not stop the party you’re sharing the information with from sharing your information—accidentally or intentionally. Encryption mitigates risk, but does not eliminate it.
The current toolbox
Below is a brief overview of some of the current best resources for digital security. We note, however, that many of these tools have at various times suffered security vulnerabilities, which is why you should always do research on your own to see what the current state of play is for these tools and what emerging alternatives are available. REMEMBER: In almost all cases, using a digital method will create some sort of trail.
PGP is the most commonly recommended way of encrypting email, and relies on public key encryption. This method secures the content of email messages, but leaves the metadata (including the subject line, the sender, the recipient, and the date) exposed. PGP has had some security vulnerabilities in its past, however, and its setup can be tricky for the average user to navigate.
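To make the metadata point concrete, the following added example (not part of the original course material) parses a constructed PGP/MIME message and reports what any mail server or network observer can read without a key. The addresses, subject, and armored block are placeholders, and `observer_view` is a hypothetical helper name.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server sees it.
# Addresses, subject and the armored block are placeholders, not real data.
RAW = """\
From: alice@example.org
To: reporter@example.net
Subject: Documents about the contract
Date: Mon, 06 Jan 2025 21:14:03 -0500
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder for ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Headers that travel in the clear even when the body is PGP-encrypted.
METADATA = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def observer_view(raw):
    """Return what a party handling the message can read without any key."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA if msg[h] is not None}
    # PGP/MIME declares itself in the top-level Content-Type.
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    # Inline PGP has no MIME marker, so also look for the armor header.
    armored = any("-----BEGIN PGP MESSAGE-----" in (p.get_payload() or "")
                  for p in msg.walk() if not p.is_multipart())
    return {"exposed_headers": exposed, "body_encrypted": pgp_mime or armored}

if __name__ == "__main__":
    view = observer_view(RAW)
    for name, value in view["exposed_headers"].items():
        print(f"readable: {name}: {value}")
    print("body encrypted:", view["body_encrypted"])
```

Running the same function over an unencrypted message returns the same set of readable headers, which is the point: encryption changes what is visible in the body, not in the envelope.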
Signal provides end-to-end encrypted messaging and voice calls, and is generally more user-friendly than PGP. Be sure to read up on Signal's basics, such as safety numbers, and its history, as the app has had some security problems before.
Tor is a network that masks your online activities by encrypting your traffic and routing it through different servers around the world to make tracking activity more difficult. The Tor Browser, based on Firefox, is one accessible way to use this network. Be aware that Tor has suffered some security failures in the past, and that some experts believe that using the Tor network can in and of itself raise flags for law enforcement or intelligence agencies.
Tails is an operating system (like Windows) that is free, open source, and automatically incorporates encryption and other privacy-protecting tools. It can be run on most computers through a flash drive. It is worth brushing up on the developer's warnings about what Tails cannot protect against, however, as no system is perfect.
SecureDrop, managed by the Freedom of the Press Foundation, was designed to facilitate anonymous communication between sources and non-governmental organizations, like nonprofits or media outlets, and is generally considered to be the most secure method to contact those groups. SecureDrop requires users to install and send information through the Tor Browser.
In some cases, digital may not be the best or most secure way to share information. In-person meetings, for example, may be less risky. Some things to consider if you set up a face-to-face meeting:
In the ever-shifting landscape of digital security, what seems secure today may be revealed to have an open door—or even a backdoor—tomorrow.
For this reason, we highly recommend that you always research recent security news about a tool before deciding to use it for any sensitive information.
This is just the tip of the iceberg on digital security. For more detail on how to protect yourself, read our full survival guide, Caught Between Conscience and Career. Jump into Chapter 3 now.
Material for this e-course is pulled from Caught Between Conscience and Career, a joint effort of the Project On Government Oversight (POGO), Government Accountability Project, and Public Employees for Environmental Responsibility (PEER).
The Project On Government Oversight (POGO) is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing.
We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.