The Internet User’s Brief Guide To Anonymous Whistleblowing

Basic steps to share information with journalists and other parties without divulging one’s identity

From time to time, those working within organizations might feel the need to divulge information to the media and other parties.

Whistleblowers may be those who have witnessed corporate malfeasance; those eager to shed light on abusive practices happening within their country; or those that know about industrial practices taking place that could wreak harm upon the local environment.

Often — due to concerns about their personal safety, keeping their jobs, or protecting themselves from various forms of retribution— whistleblowers will choose not to divulge their identity to those with whom they share information. This is particularly true of those leaking information anonymously to the press.

Whatever their motives, employing basic measures to protect one’s anonymity needn’t be complicated.

These are some basic protective measures that one concerned with anonymizing themselves can employ.

Use TOR

The Onion Router (TOR) works by routing a user’s internet packets through a series of nodes before connecting them to the target web server (and vice versa).

Imposing several random layers of anonymity between the end-user and the web server he/she is accessing effectively helps obfuscate his or her identity.

Unlike a VPN, Tor routes user’s traffic through multiple servers when connecting to the internet (an onion has layers and so does TOR). Also unlike a VPN, TOR routes traffic through a series of volunteer-operated nodes rather than servers controlled by a commercial entity (a VPN company).

No matter how much a VPN company pays lip service to privacy, ultimately you need to trust that they’re doing what they say they do in terms of privacy. With TOR, your traffic follows a randomized route to the internet.

Relative to using a VPN, using TOR has a disadvantage (it’s easier for a rogue entity to subversively operate a node) and an advantage (there isn’t a single point of vulnerability in the network design).

These concerns notwithstanding, one using TOR can be reasonably certain that their real IP address — an important clue to one’s identity — will be masked from the end server or person receiving the communication.

If you need to leak or whistleblow from a computer that you don’t own, then you can install Tails onto a live USB and run it virtually anywhere.

Although this will require a ;little bit more in the way of technical skills to set up, once you have it installed you’ll have more flexibility about where you can communicate from.

Decide Upon An Alias. Grab A Face.

If at any point you’re going to need to provide particulars to a service provider, you may wish to have some fake information at the ready.

Of course, whether or not this is illegal will depend upon in what context you use it.

You could invent:

  • An alias. Like gray goose.

You could also use an AI face generator, like this one, to popular a Zoom account or other service with an artificial face that doesn’t belong to a real person.

This is Dave. He’s got some interesting info to share. Source: ThisPersonDoesNotExist.com.

This is something that wasn’t available to your average person just a few short years ago.

Sign Up For A Protonmail Address (Or Start Using PGP)

Firstly, let me flag an important clause in Protonmail’s terms of service (TOS) agreement, which exists at the time of writing at least: “You agree to not use this Service for any unlawful or prohibited activities.” So don’t use Protonmail for anything illegal.

Protonmail is an open source end to end (E2E) encrypted email service. It is typically accessed through a web browser although premium users can access it through a desktop client (Protonmail Bridge).

Protonmail provides you with access to the Pretty Good Privacy (PGP) key associated with your account.

By sharing your public PGP key with any PGP email user (including one that doesn’t use Protonmail) you can exchange email that is enveloped in end to end encryption.

By signing up for a Protonmail account through TOR you hide your real IP from the service provider.

In order to keep the account secure, you should also enable two factor authentication (2FA). There’s a security option in the user menu that you can enable in order to generate a 2FA credential.

Note: You can also use the TOR network while connected to a regular desktop email client and you can configure PGP on any email address, not only a Protonmail email.

Set Up A Dropbox For Easy File Sharing

(The following may contravene Dropbox’s TOS. They can be found at the link below).

Once you have an email address set up, you should be able to sign up for most other online services (at least those that don’t require that you also verify a phone number).

Signup up for a Dropbox account will allow you an easy way to upload large batches of documents or other information to be shared with third parties.

You can also create a file request in order to create a folder into which another anonymous source can drop documents or other files:

Note: If you don’t want to sign up for another service, you can simply Google ‘anonymous file sharing’ to find various pastebins and filesharing sites that don’t require that users even have an account. Although for the sake of convenience’s sake having an account you can frequently access may be more useful.

Set Up Zoom And Calendly Accounts

What if you want to actually speak with somebody to whom you are whistleblowing?

Firstly you may wish to install a voice modifier on your computer that will take the input from your microphone and modify it to an output device, like a program on your computer.

Specifically, you’re looking for a real time voice changer. Note: basic pitch modulation isn’t necessarily a foolproof way to anonymize your voice. Although how concerned you’re likely to be about that will depend upon your level of risk tolerance.

In order to anonymously create a way to speak with our leakees (note: I don’t think this is a real world) we could:

  • Configure a virtual number and fund its payment with cryptocurrency. Vulnerability: the number operator will know a real credential, your actual number.
  • Set up Zoom and Calendly accounts, integrate the two, and then send the link out to our correspondents by email.
Accessing Calendly via TOR

Note: some web application firewalls (WAFs) will block users attempting to access their sites via TOR and/or enforce stricter security requirements due to TOR’s tendency to be used to facilitate nefarious ends (TOR is the main interface for accessing the dark web).

Once you have both Zoom and Calendly set up, integrating the two is as easy as navigating to the right page in the integrations library:

Another option: If you don’t require synchronous communication, then you could do something a little strange and use a text to speech (TTS) generator to synthesize a voice to provide your side of the conversation while you hurriedly type in.

Scrub and Rescrub Metadata

If you’re thinking about sharing documents with a reporter / other person, then the user data that programs automatically append to the files you create is your number one enemy:

  • Metadata created by smartphone camera apps can reveal what phone you use, where you took a photo, and what aperture you used at the time of taking it.
  • Metadata associated with documents can include your name and organization if you have these settings configured in your Word processor.
Be very careful of leaking metadata. Here’s an image I ran through MetaPicz.com, an online metadata viewer.

How to remove metadata from your files will vary upon:

  • The operating system (OS) you are using
  • What type of files you need to scrub

There are both desktop-based and cloud-based metadata scrubbing tools.

Find one that you trust and clean up any files before sharing them. Remember to double-check that the files are “clean” using a metadata checker.

Get Ready To Share

The above are some basic tips for anonymously sharing information with third parties.

There are many more ways to achieve all of the above ends, including using more secure applications.

But the tips shared here were designed to strike a balance between usability and security.

Naturally it should be pointed out that whistleblowing and leaking information may or may not be illegal depending upon the nature of what you have to disclose.

Marketing communications consultant interested in tech, Linux, ADHD, beer, async, and remote work (in no particular order). RosehillMarcom.com