How Whistleblowers Navigate a Security Minefield
Initial exposure is just the beginning. Beyond this, once Whistleblower Aid has taken on a client, it recommends using Signal for most messaging. “A lot of time is spent trying to keep our devices secure,” says Tye.
Not all whistleblowers are created equal, and each whistleblower carries their own risks. For example, someone calling out rule-breaking by Big Tech faces different potential threats than a national security whistleblower. Tye said Whistleblower Aid conducts threat modeling for each of its clients, assessing the risks they face and where or from whom those risks may come. One thing to consider, he said, is whether certain cloud computing services can be used: a service can be riskier to use if it has a relationship with the government.
“For many customers, we give people special equipment that they only use with us,” says Tye. Most communication takes place over Signal. Sometimes, to reduce risk, Whistleblower Aid uses phones that do not include a baseband chip, which controls the radio signals emitted by the device. “We come up with ways to isolate devices, we use them without the baseband chip. It’s one of the attack vectors that we’ve removed,” said Tye. In some cases, the organization uses a custom VPN setup; in others, phones are shipped in bags daily. “There are many ways that we can get devices into the hands of people, if they use them according to the instructions, there is no way to track any metadata about that person,” says Tye.
For whistleblowers, taking extra steps to try to keep their anonymity can be important. The European Commission’s whistleblower reporting system advises those using its reporting tool not to include their name or any other personal information in the messages they send and, where possible, to access the tool “by copying or writing the URL” instead of clicking a link, which reduces the creation of more digital records.
It’s not just digital security that needs to be considered — in some cases, people’s physical security could be at stake as well. This may include national security issues or controversial topics. For example, officials at the FBI, CIA, and State Department held daily meetings to figure out how to capture Edward Snowden, who leaked a trove of documents detailing classified NSA surveillance programs.
“In the past five years, we have had two cases where armed guards were deployed for citizens, lawyers and clients,” says Tye. Sometimes this includes meeting clients in “unusual locations,” including booking Airbnbs for meetings. Sometimes third parties are used to make the reservation, so that it is under another name. Tye said: “It seems that we rent a place to meet someone that is not like that.”
But in a world where we are constantly being watched through our devices and the signals they send out to the world, the best thing can be to keep the recordings offline. “People are the best,” said Tye. The nonprofit recommends holding meetings away from devices. “We even have a typewriter that we use for sensitive documents.”