

 / Blog / Digital freedom / Whistleblowing guide: How to stay anonymous when blowing the whistle

Whistleblowing guide: How to stay

anonymous when blowing the whistle
If you are a whistleblower, it's important to protect your identity. They will
come after you. Here's how to leak data and stay anonymous.
• 5 min read

Lexie
Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.
June 16, 2017





** This is part two of ExpressVPN’s whistleblowing guide. **

Part 1: Whistleblowing guide: Blowing the whistle is tough

Part 3: Whistleblowing guide: How to protect your sources
Part 4: Whistleblowing guide: Why you should remove the metadata

Just want the tl;dr?

Keeping your anonymity while blowing the whistle is hard to achieve.

A million things could go wrong and lead to your demasking, and it becomes exponentially
more difficult the larger and more powerful the organization is that you’re up against.

Live Chat
Large corporations could put a lot of funds aside for the surveillance of employees they
suspect of “sabotage,” and governments might have near infinite resources. 
As such, this is not a complete guide to anonymity. The circumstances will be different in
each case, and surveillance capabilities differ between organizations and countries.

7 ways to leak documents and communicate in secret

The most difficult part of whistleblowing the whistle is how to communicate. You must
establish a secure channel to extract documents from your organization.

1. Computers serve their owners, not their users

There’s no way to tell what your computer does and which information it will log unless you
are sure nobody has ever tampered with the operating system. Ideally, you should install an
 yourself on a computer you own or use the live operating system, TAILS,
operating system
from a USB stick.


Moving documents or information from a computer you do not own carries an enormous
risk of discovery. Sometimes it might be better to photograph files with your own, private
smartphone or write down critical information on a piece of paper—although that, too, also
carries a significant risk.

Try not to deviate from your usual patterns and only access information as you usually
would. When communicating with others, only do so on devices you own and exclusively
control.

2. Networks log all information

An organization might record all keystrokes, screenshots, or programs on your computer, or
even implement complete network monitoring. The network could timestamp and record
Live Chat
abnormal traffic patterns or any piece of data. Furthermore, if you have access to a network
hard drive, the system or the drive will log every access by every user. 
Some networks go so far as to break the TLS encryption in a man-in-the-middle attack and
place their root certificate on the company computers.

Using a VPN or the Tor Network (for example, through TAILS) can help, but on heavily
monitored networks the operators might take suspicion at any traffic they cannot decipher.

Always use the Tor Network and a VPN to communicate, and use networks not
controlled by the company.

3. Printers and scanners record everything

Similar to network drives, most printers, scanners, and photocopiers will at least maintain a
register of every
 document they print—including a timestamp and which user made the
instruction. Some printers even keep a digital copy of the document in their internal hard

drive.

More importantly, printers will leave digital tracks on every paper they print, which makes it
possible to trace a document back to an individual printer. These tracking features were
implemented initially to catch people printing bank notes at home but are one of the most
serious hurdles to printing documents privately.

Don’t scan or print documents. Rather, leak printed documents in physical form and
electronic documents in electronic form. For maximum security, transcribing documents
by hand and back into a text document (.txt) is a good option, though of course, you will
have to destroy the handwritten notes.

4. Phones are unencrypted and will disclose your location

Live Chat
Your company might log the location of its phones, but even if it doesn’t, the location can
be traced by your telecommunications provider and anybody who has access to it. 
Phone tracking can give away sensitive information, such as your visits to a regulator or
the press.

All phone calls and text messages are unencrypted, as is some of your online browsing and
app data, and some of the data (and all of the metadata) is stored for a long time.

Do not talk or text on the phone. Leave your phone at home or work when meeting
others. Only use encrypted messengers, preferably Signal. If you do need a phone, buy
a used one with cash. If you can, don’t activate it with a SIM card at all, or get a prepaid
SIM card with cash and only turn the phone on when you need it, ideally far away from
your home.

5. Money 
leaves a trail

Your debit and credit cards leave a trail of where you are at what time which can prompt
 to check security footage and other transaction logs for a bigger overall
your adversaries
picture of your actions and accomplices.

Similarly, your electronic public transportation ticket might reveal where you have been,
and whether this was an unusual destination.

Pay for everything with cash when meeting those you are informing. Find a place where
cash transactions are common, or somewhere free, such as a public park.

Pay with cash if you can, and use gift cards or Bitcoin if you have to make a purchase
online.

6. Everything leaves metadata

Live Chat
It’s not necessary to surveil the entire contents of your emails, chats, or phone calls to find
out what you’re up to. The mere fact of you are in contact with a journalist or regulator 
might be enough to prompt a further and deeper investigation.

Be aware that everything you do or say will leave metadata. Every click, every google
search, print, text message, credit card swipe, or bus ride leaves a tiny piece of information
that might identify you. Even paper mail is scanned and has it’s delivery origin and
destination recorded.

Metadata means everything, and even changes in your daily pattern might seem
suspicious. If you regularly stay at home, leave your phone at home and turn on the TV to
give the impression your life is as usual. If you’re outgoing and enjoy hanging out in bars,
it’s safe to meet somebody there, rather than suddenly hanging out in a park.

Be aware of your digital footprint and try to keep any changes to it at a minimum. Use
software to find and remove metadata from files you send. Consider file types that don’t
have as much metadata, such as .txt and .png.




7. Is digital the best option?
The internet provides many opportunities for privacy and anonymity, more so than any
other technology. If you’re savvy, you can virtually disappear online and safely
communicate with others without risk of detection.

This is not true for every situation, though. It might be far easier to anonymously mail
documents to a local newspaper than to find a reporter who’s able to protect you
electronically.

Anonymous whistleblowing TL;DR

Use your own devices

Use your own networks

Don’t print or scan

Don’t use phones

Don’t use credit cards

Don’t change your habits

Minimize your digital footprint Live Chat

 Be careful, and thank you for standing up for ethics and principles!

Like what you've read?
Clap for this post. Or share your thoughts!

  

Lexie
Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space
travel, and pancakes with blueberries.

Related posts More from the author

 





PwC audits ExpressVPN servers to confirm essential privacy protections

ExpressVPN • July 9, 2019 • 2 min read

Live Chat
 

8 apps to protect your privacy online

Osman H. • July 4, 2019 • 4 min read





Why should I use two-factor authentication?

ExpressVPN • July 3, 2019 • 4 min read

Live Chat
 

7 privacy and security takeaways in Mary Meeker’s Internet Trends Report

Jamie • June 28, 2019 • 3 min read





5 ways to protect your online finances… In the physical world

ExpressVPN • June 25, 2019 • 3 min read

Live Chat
 

Why you shouldn’t ignore ‘Update Your Device’ messages

Osman H. • June 19, 2019 • 4 min read





ExpressVPN survey reveals Americans do care about privacy after all

Lexie • June 13, 2019 • 3 min read

Live Chat
 

Why do I need a VPN?

Johnny 5 • June 10, 2019 • 3 min read





Google is using Gmail to track your purchases. No one knows why.

Jamie • June 6, 2019 • 2 min read

Live Chat
 
Products

VPN for Mac

VPN for Windows
VPN for iPhone and iPad
VPN for Android
VPN for Linux
VPN for Routers
VPN Chrome Extension
VPN Firefox Extension
VPN Server Locations
Get ExpressVPN

Learn More
What Is VPN?
Top 5 VPN Uses
How-To Privacy Guides
Stream Live Events
Stream Sports
Blog

Tools 
What Is My IP?

DNS Leak Test
WebRTC Leak Test 
Password Generator
10-Step Security Check

About ExpressVPN

Plans and Pricing

Features
Press
Careers
Terms of Service
Money-Back Guarantee

Programs
Refer a Friend
Affiliates
$5,000 Scholarship

Help

Support Center
VPN Setup Tutorials
FAQ
Live Chat
Contact Us
 Manage My Account

Sign In 
© 2019 ExpressVPN. All rights reserved.
  





Live Chat