I was looking for leaders but I soon realized that leadership means to be the first one to act – Edward Snowden

SECURITY FOR THE WHISTLEBLOWER

Guidelines for your security as whistleblower.

When submitting sensitive information you must consider the risks related in taking that action in revealing the truth as you may be subject to retaliation by the parties that doesn’t like what you have to say.

When considering blowing the whistle you must keep in mind the possible risks associated with doing so. People not liking you speaking the truth, may retaliate against you.

For this reason you must take all the possible actions to preserve your anonymity.

You need to be aware of the social and technical risks and take the right countermeasures to protect yourself. The most applicable protection strategies depend on the scenario, especially those related to social risks.

Social Risks

Before submitting any information you should consider what will happen “after” the information has been sent and news about the related facts reaches public media attention.

Ask yourself these questions to understand your real risk context:

  • Are you the only person or one of the few people that have access to the information you are available to submit?
  • After the information reaches public attention, do know if someone will ask you something about it?
  • Do you feel capable of managing the “stress” of an internal or external investigation (someone asking you something) about the submission?

Only after you fully understand and have properly reflected on the previous points, you should consider submitting to a GlobaLeaks site.

Technological Risks

You must be aware of the fact that while using a computer and the internet to exchange information, most of the actions you do leave traces (computer logs) that could lead an investigator to identifying where you are and who you are.

For this reason you must take very specific precautions and risk mitigation strategies to avoid leaving technological traces about your actions.

You may leave computer’s traces while doing the following actions:

  • Researching on the information to be submitted
  • Acquiring the information to be submitted
  • Reading this web page
  • Submitting the information to us
  • Exchanging data with the receivers of your submission

All these actions may leave traces completely waiving your security, but with few technological protection steps you can minimize the risks.

Social Protection

From a social protection perspective you should take at least the following set of actions:

  • Before you make a submission, don’t tell your intention to anyone
  • After you make a submission, don’t tell what you have done to anyone
  • After the news about the submission gets out to public media, be really careful in expressing your opinion about it with anyone
  • Be sure that there’s no surveillance systems (cameras or other) in the place where you acquire and submit the information
  • Don’t look around on search engines or news media website for the information you submitted (this would reveal that you knew about it earlier)

These are just a set of social protection actions that you must consider.

Technological Protection

Technological protection actions could be the most tricky to be understood due to the underlying technical complexity of today’s computing and network systems.

To achieve a 100% guarantee of security from technical perspective you need to be computer-proficient enough to fully understand all the risks.

However by strictly following the procedures and tips reported below you should be safe enough:

  • Submit information using Anonymous Web Browsing software Tor Browser Bundle (it’s easy, use it!)
  • Don’t submit information from the personal computer provided to you by your employer (consider using a spare one)
  • Keep safe the Submission’s receipt and destroy this information after you don’t need it anymore
  • Don’t keep a copy of the information you submitted
  • While acquiring the information to be submitted, be sure that there’s no traces being left on the IT systems leading back to your identity (eg: collect files within your USB key, and when completed the submission, delete the files and fill the storage with something yours: movies, photos, mp3)
  • Be ware of the fact that “meta data information” may be present in some of the data you are submitting.
  • Consider cleaning up the Metadata by using tools such as MAT bundled with the TAILS linux live CD.
  • Consider converting all the data that you are sending us to standard PDF format

By applying the procedures describe above you should be safe enough.

Safe enough doesn’t means 100% safe.

To overall improve your digital security you should undergo reading the Security in a Box project, explaining most of the risks and related countermeasures.