SECURITY FOR WHISTLEBLOWERS AND SOURCES
When submitting sensitive information, you must consider the risks involved in taking that action to reveal the truth, as you may be subject to retaliation by parties that do not like what you have to say.
That is why you must take all possible actions to preserve your anonymity. You need to be aware of the social and technical risks, and take the right countermeasures to protect yourself. The most applicable protection strategies depend on the scenario, especially those related to social risks.
First of all, when you leak or share sensitive information, there are always some risks involved that could threaten your anonymity. When considering the information that you want to share, determine whether sending us that information in a Confidential fully encrypted way (via HTTPS) is enough. If it is not and you need stronger anonymity, we suggest you download and install the Tor Browser so that you are able to anonymously access the Internet and WildLeaks. Naturally, DO NOT submit sensitive information from your work site or with computers belonging to your employer. Do it from home and with a private computer, or from an Internet cafe.
It’s easy and quick to install the Tor Browser. Click here for the instructions.
The following risks overview and series of hints and tips will help you protect yourself:
The most important thing to consider is what can happen after your leak/submit information and it is used for an investigation or by the media. Please think about the following before submitting any information:
- Are you the only person who has access to the information that you have submitted?
- If the submitted information reaches public attention, will someone ask you something about it? Is the information directly traceable to you only?
- Are you aware that after the information is used for an investigation or published by the media, people around you may ask about the leaked information?
- Can you handle the psychological pressure of an internal or external investigation (someone asking you about the information) about the submission?
To better protect yourself you should, at the very least, take the following set of actions:
- Before you make a submission to WildLeaks, do not disclose your intention to anyone.
- After you make a submission, do not tell anyone about what you have done.
- If the news about the submission gets out to public media, be really careful when expressing your opinion or disclosing further information about it with anyone.
- Be sure that there’s no surveillance systems (cameras or other) in the place where you acquire and submit the information.
- Do not look around on search engines or news media websites for the information you submitted (this would reveal that you knew about it earlier).
These are just a set of social protection actions that you must consider as a whistleblower.
You must be aware of the fact that while using a computer and the Internet to exchange information, most of the actions you take leave traces (computer logs) that could lead an investigator to identify where you are and who you are.
For this reason you must consider risk mitigation strategies and adopt very specific precautions to avoid leaving technological traces about your actions.
You may leave computer’s traces while:
- Researching the information to be submitted
- Acquiring the information to be submitted
- Reading this web page
- Submitting the information to us
- Exchanging data with receivers of your submission
- Downloading software, including the Tor Browser
Technological protection actions could be the most tricky to understand due to the underlying technical complexity of today’s computing and networking systems. To achieve a 100% guarantee of security from a technical perspective, you need to be computer-proficient enough to fully understand all the risks.
However, by strictly following the procedures and tips reported below, you should be safe enough.
How can you protect yourself and improve your anonymity?
- Use the Tor Browser for “Anonymous Web Browsing.” Click here to download it
- Use BleachBit that removes many traces of your computer.
- Upload information from your personal computer, not the one at your employer/company
- Keep the receipt code that you receive from WildLeaks after uploading a submission in a safe place.
- Remove any information from your computer after the upload.
- If possible keep a copy of the uploaded information in a safe place not at work.
- After you upload the information make sure you leave no trace on the ICT systems and other devices, which can be used to understand your identity. For example, if you use a USB card/key, delete all the files that you uploaded and substitute them with other files like photos, videos and music.
- Please be aware of the metadata information that may be associated to the information that you have uploaded, such as author’s name, date of writing, etc. You can use programs to remove the metadata from your files.
By applying the above-described procedures you should be safe enough. But safe enough doesn’t mean 100% safe.
You can find additional information on how to protect yourself at Hints and Tips for Whistleblowers and at Security in a Box