During this deadly pandemic, our medical professionals have all witnessed abuse and mismanagement that needs to be brought to public attention. Workers of all backgrounds are being asked to put their lives at risk for their employers. Likewise, many people in government and the private sector are feeling concerned that they or their colleagues may be required to do something unethical or illegal, and speaking up can lead to negative consequences for their livelihood or freedom.
Giving tips to journalists can be risky, and may violate previous legal agreements with your organization, such as a non-disclosure agreement or contract. But sometimes, it can also be an effective and courageous way to call attention to abuses.
This guide describes basic steps for minimizing potential risk when sharing sensitive information with a news organization. We want to be clear that no piece of software, nor security recommendation will be 100% effective, and the decision to blow the whistle may invite scrutiny or retaliation. At the same time, it may be a choice that drives necessary institutional change. Before reaching out to the press, think carefully about what you can do to minimize that risk, and stay as safe as possible.
Before moving ahead, do you have a strong tip?
A good tip requires clear evidence, and should be the basis for a story that the broader public should know about.
Whether or not you have evidence, the broader public might not need to know that a neighbor refuses to pick up after her dog on the morning walk. Allegations of corruption or illegality among public officials are certainly newsworthy, but those claims will not make it into a published story without verifiable evidence.
Who are you concerned about, and what can they do?
Think about the sensitivity of the information you’re sharing, and who might be willing to investigate the source of the leak. What are the organization’s capabilities? What resources (e.g., attention, legal, financial, technical resources) can they invest in discovering the source? And how likely do you think it is that they will actually investigate?
If you share information about a large, well-resourced organization that requires discretion from employees, such as a government agency, it may have enormous legal, financial, and technical resources available for investigating a leak. If you’re sharing information about a small organization, such as a local restaurant that muzzles workers, its resources are much more constrained and it may not have the capacity or willingness to investigate. Proceed accordingly.
Proceeding with caution
First, be cautious about behaviors that could make you readily identifiable as a source.
Keep all of your tipping activities outside the view of your organization. For essentially everyone, that means no calling from work, no emailing from a work email address, and staying off work devices for any leaking activities.
It's common for well-resourced organizations to keep logs of employees' activities on their devices and online activities. If you work at a large organization and you're reading this article on a workplace device or wi-fi network, chances are your workplace already has a log that you've accessed this page. Similarly, visiting a news organization's tip page (e.g., https://www.nytimes.com/tips) may be logged by your workplace. This is why it's so important to keep your leaking activities on devices and networks that your workplace doesn't control.
Has your workplace ever required you to install monitoring software (or software of any kind) on your device? If so, you probably don't want to use this device for any whistleblowing activities.
Be cautious about giving tips on anything that only you could know, or materials that only you could access. Only share these kinds of materials if you think the increased risk of being caught is worthwhile, or if you feel you have a strong moral obligation to do so.
If you are the only one at your organization surfacing a specific grievance, and information about that grievance is later reported by the press, it may give your organization a strong hint about who shared the information.
Don’t tell anyone about your leaking activities, except in cases where you may want legal advice from a practicing lawyer.
Tactics for minimizing risk
Minimize the risk of a tip being tied to you, and potentially in your continued communications with reporters. There are a lot of ways to do that.
- Send your materials through physical mail. You can mail electronic documents (e.g., on an SD card) or physical documents through ordinary mail. Be warned: the U.S. postal service takes pictures of the exterior of physical mail. So don’t use a return address that is associated with you, and mail it in from a sidewalk mailbox in a location you don’t usually frequent. If you have a particular reporter you want to look into your story, copy them on the envelope.
- Call from a phone number unconnected to you. For example, go to a business you don’t usually go to, and ask to use their phone. You can also buy a cheap cell phone and prepaid phone card that cannot be traced back to you, but know this involves several careful steps: You must pay with cash, and if your organization can have access to phone location records, it’s best to only turn on the phone in locations unassociated with you. That also means using the phone in locations separate from your permanent phone. If you can, remove the battery when it’s not in use.
- Use Signal for private messaging. Signal is a free and open source, secure messaging app for iPhones and Android devices. Signal gives you free end-to-end encrypted messages and phone calls. Signal only retains your phone number, your signup date, and when you were last active. Compare this to WhatsApp, which we do not recommend because the service keeps data about users' contacts. In Signal, you can also make messages self-destruct for everyone in the conversation automatically after a set amount of time. This makes it significantly harder (but not impossible) to eavesdrop on your conversations. If you want help getting started, read this beginner-friendly guide on using Signal.
Note that Signal requires both users to share their phone numbers. When reaching out to journalists, consider registering Signal with a number that your organization is unlikely to connect to you, and understand that Signal is not designed to facilitate complete anonymity.
- Before looking into news organizations, consider using the Tor Browser for greater privacy. Tor Browser is a modified version of Firefox. Tor encrypts and tunnels your web traffic within a global network of computers before connecting you to your final destination. When you access a website through Tor (e.g., Amazon.com) you will appear to connect from a remote location – likely another country. Again, don't use a work device or network for this kind of research.
- Use a whistleblower submission system. Tools such as SecureDrop can provide protection by allowing you to share documents and communications through an anonymous and encrypted dropbox.
More technical, but more secure: SecureDrop
A growing number of news organizations are using SecureDrop to allow sources to reach out and share files or communications anonymously (e.g., The New York Times, The Washington Post, The Intercept, The Guardian). With SecureDrop, not even the news organization knows who you are unless you choose to tell them.
You can access a news organization’s SecureDrop page through Tor Browser.
People on your network can’t see what you’re doing on Tor, but it’s still possible to tell that you’re using Tor. With that in mind, do not use it at work. For greater security, consider using Tor Browser only over a wi-fi network in a location that is not tied to you (e.g., a coffee shop you don’t normally visit) and pay with cash.
As opposed to a “.com” web address, you get to SecureDrop through a unique .onion web address, which can only be accessed through Tor.
Using SecureDrop is fairly easy
- Follow the directions to download the Tor Browser at torproject.org and install it.
- Launch the Tor Browser application.
- Click the shield icon in the top corner > Advanced Security Settings… > Safest
- Within Tor Browser, navigate to the SecureDrop directory and search for your preferred news organization: securedrop.org/directory.
- Find the .onion URL for your preferred publication (e.g., the New York Times: securedrop.org/directory/new-york-times), then copy and paste it into the address bar in Tor Browser.
- From here, you can leave messages and files that the news organization will check from time to time.
- You will be given a random “codename.” Keep this information safe, and don’t share it with anyone. If you lose your codename, they can’t reach you any more. Use this codename to have continued conversations with the news org.
(For more technically-adept users, consider accessing SecureDrop through an operating system designed for privacy and anonymity such as Tails.)
Reporters generally take their commitment to protecting your identity very seriously, and will do everything in their power to fight potential legal requests for identifying information about you. But often, it’s even safer not to give your identity if you don’t have to. Keep in mind that journalists prefer to have proof of your claims, and information to demonstrate your identity is a part of that.
Dealing with file metadata
Sharing information may be less risky than sharing documents, because they can be embedded with information about the file, which we call metadata. For example, if you create a .docx file, it may have identifying information about you embedded in the file. Consider carefully whether you really need to share files or just the information.
To deal with hidden metadata, rather than sending the file itself, consider taking a picture of a document with a traditional camera (not a smartphone), or take a screenshot of the document. On most operating systems, screenshots come with little useful metadata. For more technical users, you can find metadata removal tools here.
Where do you find a news organization's contact details?
First, be careful where you reach out.
The Freedom of the Press Foundation maintains a list of organizations that support the secure communications practices outlined above, and how you can contact them. This is becoming standard, and news organizations looking for great tips will follow suit.
Avoid tip pages that use unsecured HTTP instead of (secured) HTTPS. You might wonder, what’s the difference? With HTTP, network eavesdroppers can see which pages you’re visiting, while with HTTPS, they can’t.
The Freedom of the Press Foundation hosts a directory of SecureDrop and secure tip pages for dozens of news organizations around the world. Whether you want to reach out to the New York Times, the Washington Post, the Guardian, the Intercept, or others, you can find their information here: https://securedrop.org/directory (We would not recommend investigating this at work.)
Sharing information with the press is not always an easy decision, but your information can help to hold powerful people and institutions accountable. Move ahead with a strong understanding of your organization’s capabilities and how to share tips safely.