A Small Guide for Whistleblowers: Rules to Live By

Updated: 25 February 2021
Updated: 25 February 2021

Fact-checked by

There may come a time in your career, working in a corporate environment or for your government, when you realize that something’s not right. You may find out that who you’re working for is betraying the principles they espouse when there were other more honorable ways to achieve their means. All of your colleagues are too afraid to speak up, so the question comes to your mind: Are you ready to be the one to blow the whistle?

Before You Even Think About It...

If you’re reading this, perhaps you’ve already answered “yes” to this question, or you’re unsure and want some reassurance that everything will be alright. It won’t. To quote a phrase from Field Marshal Helmut von Moltke the Elder’s musings, “No plan of operations extends with any certainty beyond the first contact with the [enemy].”

This guide isn’t here to provide any reassurances, but only paint a realistic picture of what you can expect to happen and how you can mitigate its effects.

In most of the developed world, there are pieces of legislation in place to ensure your protection, such as EU directive 2019/1937 and 5 USC 1201 (a.k.a. Whistleblower Protection Act of 1989). Although the law may protect you, other circumstances surrounding your particular case may provide a number of other social consequences.

The above is particularly true if what you’re blowing the whistle on is a political organization, rather than a corporation which can only do so much to make your life difficult.

To cut this short, it’s natural and perfectly normal to be nervous about blowing the whistle, even with all the laws in place that may protect you depending on where you live. And if you aren’t, you’re probably not aware of how difficult life can be for you once you’ve decided to ring the proverbial bell.

This introduction is made to serve as a warning that you should be vigilant and understand that blowing the whistle is very likely going to haunt you in some form or another. To what extent your life is negatively affected by what you do depends on the decisions you make.


Ingredients For A Plan

If you’re committed to your task, it’s time to enter the planning stage. As simple as Hollywood makes it out to be, whistleblowing can be a very challenging task. In general, three ingredients are required to properly execute it:

  • Veritable proof of your claims that can be vetted by a journalist or government authorities,
  • A means of communicating that is sufficiently protected (which we will discuss in detail further on),
  • Situational awareness (i.e., knowledge of what legislation is available to protect you, how strong this legislation is in relation to your specific circumstances, and any collateral damage you may cause to others in the process).

Generally, how you plan this should take all three points into account. You need to be able to back up your claims with evidence, protect yourself from unsavory consequences, and understand what you’re getting into.

Remember, just speaking up about something is not enough. And even if you’re cautious, consequences will happen in one way or another. If you plan to blow the whistle on something, it should mean that you’ve determined that getting this information out there is more important than your personal or financial safety.

In other words, if you’re not ready to commit to some form of sacrifice or are unsure of what you may come across in terms of consequences, you’re likely not ready for this. It’s never as simple as just talking and just letting the system fix things.

We can cite the case of Frederic Whitehurst, a chemist who worked for the FBI and blew the whistle on a colleague who gave misleading testimony in a criminal case.

Whitehurst ended up losing a major portion of his life savings, was subjected to several internal investigations from the FBI, and had to undergo a long and drawn-out fight with the organization he worked for.

A Word On Government Whistleblowing

Although corporate whistleblowing is often a straightforward process and the legal system usually works the way it should to protect you, government whistleblowing is a completely different matter.

If the country you’re working in has inherent and well-known issues with corruption, you may need to take more precautions than most guides tell you to. In almost all cases, you’ll need an “escape vector,” a way to escape consequences you may not be ready to face.

Also, once again, remember the possibility of your actions hurting your family or friends. Sometimes it’s better not to undergo anything until you know you and those close to you are safe from all the consequences of what you’re about to do. In a number of cases, it’s impossible to guarantee this, and you may have to weigh the risks yourself to ensure that at least the people around you are protected.

Even if you’re not in a country that has an extensive level of corruption, if you plan to blow the whistle on a government organization, make sure you seek legal advice!!!

Find someone who understands the legal framework in your country that you can trust with full confidence and involve this person in your planning process. In all of these cases, you have to ensure that you’ve “covered your ass” from every direction possible.

When you poke your government, it will try to bite you, discredit you, or perhaps even seek to imprison you. Some governments can have far worse consequences prepared for you. Prepare yourself legally.

In particularly sensitive areas, your only escape might be to pre-emptively leave the country and blow the whistle from your destination. In that case, do your homework and make sure there’s no extradition treaty between the country you’re leaving and the one you’re arriving at.

How To Communicate

Once you’ve sought legal advice and become aware of all the consequences you could face, if you’re still up for the task, there are ways to securely communicate your information to appropriate individuals. Generally, if you can’t blow the whistle through your own government’s institutions, you’ll have to seek some way to get this information out to the public.

The best way to do this is the old-fashioned way: Just attend a trade show for journalists, get a few business cards from people who write columns in papers that are relevant to your particular case, and set up a face-to-face meeting.

Generally, journalists are very attentive to the needs of their sources, but remember that they’re not your friends. They’re trying to do a job that involves getting information from you, but you are ultimately in charge of your own protection.

If for some reason you can’t set up a face-to-face meeting, you will have to venture into the online world. This may seem straightforward, but with governments able to subpoena organizations that store your data and messages, you’re going to have to do something a bit more crafty than send a simple email.

From this point on, you should familiarize yourself with the onion routing (OR, or “Tor”) network. While most people use the Tor Browser for this, if you’re a more advanced user looking for something more portable and far more flexible, you can use Advanced Onion Router (AdvOR). Despite not receiving many updates recently (the last version came out in May 2017 as of this writing), the latter continues to be the most advanced piece of software with which to make use of the onion routing network through any browser.

Once you have onion routing set up, you’re going to have to use hidden services to communicate. The links described below will only work in the onion routing network, so if you try to open them in your regular browser, they will not work.

If I may humbly be permitted to offer personal suggestions, I would advise using ProtonMail’s hidden service to communicate through email as they have end-to-end encryption through the entire message transmission and storage process (which means that the mail service literally cannot respond to a subpoena for your messages and trying to decrypt them is usually more trouble than it’s worth).

Aside from email messages, you may also want to serve digitized documents to your contacts. Fortunately, the Freedom of the Press Foundation has a wonderful resource for you to use.

Known as Secure Drop, this hidden service contains a directory of a number of press organizations’ own private communications channels. The level of security here anonymizes you further than any email communication could.

In essence, you just click on the news organization you want to share information with, go to the onion address of the organization’s landing page (as shown in the directory page for that organization), and then click “Get Started.”

You’ll be given a codename that you must write down or memorize. This will be your identifier. No names have to be involved.

Once you’re ready to submit, there will be a field with which you can upload a document and write a personal message. After you’ve submitted your document, you can always come back and check for replies from the newsroom staff by logging back in using your codename.

This is probably the easiest way to blow the whistle on something, as it separates your identity from the process for the most part.

Of course, if you’re the only known person to have access to the information you’re distributing, it wouldn’t be hard for the organization you’re blowing the whistle on to put two and two together. Remember, in the end, you’re the only person you can depend on for protection.

And whatever you do, try to minimize the use of your phone as much as possible. Smartphones tend to have location tracking mechanisms that could be used against you. Even if you’re just making regular phone calls from a throwaway “dumb” phone, it’s inadvisable to have lengthy conversations about this subject with your contact.

Phone calls should be kept to a minimum and be as straightforward as possible (e.g., setting up meetings, announcing delays, or cancelling plans). Avoid any discussions about the information you want to deliver to your contact by any means necessary.

Some Parting Words

If all of this makes you nervous, you should be. Through a process like this, there’s really no one who can truly hold your hand or empathize with what you’re going through. However, if you’re having second thoughts right now, perhaps you should ask yourself if it’s truly worth it to go through with this.

On the other hand, if you have the conviction that what you’re doing is right, good luck and godspeed. Hopefully, this guide will help provide a framework with which you can execute your plan carefully.

Remember to create as much separation as you possibly can between the information you’re putting out there and your own identity. This is the key to mitigating as many of the consequences that may be waiting for you.

Before you go on, take the time to read this guide again. Absorb the advice provided here and ensure that you’re ready to embark on your journey. Involve as little trust as possible, reveal as little as possible to those who aren’t relevant to your case, and proceed as if though you’re walking on glass.

With any luck, you might get through this with some dignity!

Written by: Miguel Gomez

Connect with the author:

Old-school programmer, cybersecurity expert, analyst. Miguel is a corporate consultant who often spends his time educating people and companies on cybersecurity-related subjects and breaking down complex themes into bite-sized and easily-digestible nibblets. He speaks with over 11 years of experience doing market and cybersecurity research, as well as nearly 15 years of experience developing software, behind him.

Leave a Reply

Your email address will not be published.