First contact is just the beginning. Apart from this – once Whistleblower Help has signed up with customers – it recommends using Signal for most messages. “A lot of time is spent securing our secure devices,” says Tye.
Not all whistleblowers are created equal and each whistleblower has their own risks. For example, someone who sues Big Tech malpractice faces several potential threats to a national security whistleblower. Tye says Whistleblower Aid does threat modeling for each of its clients, assessing the risks they face and where or from whom those risks may originate. One consideration, he says, is whether certain cloud computing services can be used — a service can be riskier to use if it has a relationship with a government.
“At many customers, we give people special devices that they only use with us,” says Tye. Most communication takes place through Signal. Sometimes Whistleblower Service uses phones that do not contain baseband chips, which monitor the radio signals emitted by the device to reduce the risk. “We come up with ways to isolate the devices, we use them without baseband chips. That’s an attack vector that we eliminated,” says Tye. In some cases, the organization uses custom VPN configurations; in others, phones are carried in Faraday bags. “There are ways we can get devices to people who, if they use them according to the instructions, won’t be able to trace metadata back to that person,” Tye says.
For whistleblowers, it can be critical to take extra steps to maintain their anonymity. The European Commission’s Whistleblower Reporting System advises people using its own reporting tool not to include their name or personal information in the messages they send and, if possible, to access the reporting tool “by copying the URL address or to write” instead of clicking on a link to reduce the creation of additional digital documents.
Not only must digital security be taken into account, in some cases the physical security of people can also be at risk. These can be national security issues or controversial topics. For example, FBI, CIA and State Department officials once held daily meetings to devise ways to arrest Edward Snowden, who famously leaked a wealth of documents detailing NSA surveillance programs.
“In five years, we’ve had two cases where we’ve had to deploy armed guards to people, lawyers, and clients,” Tye says. Sometimes this includes meeting clients in ‘unusual locations’, including booking Airbnbs for meetings – sometimes third parties are used to make the booking so it’s in a different name. “It doesn’t even look like we’re renting the place to meet anyone,” Tye says.
But in a world where we’re constantly being tracked through our devices and the signals they send out to the world, it’s best to track data offline. “Personal is best,” Tye says. The nonprofit advises against holding meetings on devices. “We even have a typewriter that we use for sensitive documents.”