A Small Guide for Whistleblowers: Rules to Live By

Miguel Gomez

By Miguel Gomez . 8 August 2022

Cybersecurity Expert

There may come a time in your career, working in a corporate environment or for your government, when you realize that something’s not right.

You may find out who you’re working for is betraying the principles they espouse when there were other more honorable ways to achieve their means.

All of your colleagues are too afraid to speak up, so the question comes to your mind: Are you ready to be the one to blow the whistle?

Before You Even Think About It...

If you’re reading this, perhaps you’ve already answered “yes” to this question, or you’re unsure and want some reassurance that everything will be alright. It won’t. To quote a phrase from Field Marshal Helmut von Moltke the Elder’s musings, “No plan of operations extends with any certainty beyond the first contact with the [enemy].”

This guide isn’t here to provide any reassurances but only to paint a realistic picture of what you can expect to happen and how you can mitigate its effects.

In most of the developed world, there are pieces of legislation in place to ensure your protection, such as EU directive 2019/1937 and 5 USC 1201 (a.k.a. Whistleblower Protection Act of 1989). Although the law may protect you, other circumstances surrounding your particular case may provide a number of other social consequences.

The above is particularly true if what you’re blowing the whistle on is a political organization rather than a corporation that can only do so much to make your life difficult.

To cut this short, it’s natural and perfectly normal to be nervous about blowing the whistle, even with all the laws that may protect you, depending on where you live. And if you aren’t, you’re probably unaware of how difficult life can be for you once you’ve decided to ring the proverbial bell.

This introduction serves as a warning that you should be vigilant and understand that blowing the whistle will likely haunt you in some form or another. To what extent your life is negatively affected by what you do depends on your decisions.

 

Ingredients For A Plan

If you’re committed to your task, it’s time to enter the planning stage. As simple as Hollywood makes it, whistleblowing can be a very challenging task. In general, three ingredients are required to execute it properly:

  • Veritable proof of your claims that can be vetted by a journalist or government authorities,
  • A means of communicating that is sufficiently protected (which we will discuss in detail further on),
  • Situational awareness (i.e., knowledge of what legislation is available to protect you, how strong this legislation is about your specific circumstances, and any collateral damage you may cause to others in the process).

Generally, how you plan this should take all three points into account. You need to be able to back up your claims with evidence, protect yourself from unsavory consequences, and understand what you’re getting into.

Remember, just speaking up about something is not enough. And even if you’re cautious, consequences will happen in one way or another. If you plan to blow the whistle on something, it should mean that you’ve determined that getting this information out there is more important than your personal or financial safety.

In other words, if you’re not ready to commit to some form of sacrifice or are unsure of what you may come across regarding consequences, you’re likely not prepared for this. It’s never as simple as just talking and letting the system fix things.

We can cite the case of Frederic Whitehurst, a chemist who worked for the FBI and blew the whistle on a colleague who gave misleading testimony in a criminal case.

Whitehurst lost a major portion of his life savings, was subjected to several internal investigations from the FBI, and had to undergo a long and drawn-out fight with the organization he worked for.

A Word On Government Whistleblowing

Although corporate whistleblowing is often a straightforward process and the legal system usually works the way it should protect you; government whistleblowing is a completely different matter.

If the country you’re working in has inherent and well-known issues with corruption, you may need to take more precautions than most guides tell you to. In almost all cases, you’ll need an “escape vector,” a way to escape consequences you may not be ready to face.

Also, remember the possibility of your actions hurting your family or friends. In several cases, it’s impossible to guarantee this, and you may have to weigh the risks yourself to ensure that at least the people around you are protected. Sometimes it’s better not to undergo anything until you know you and those close to you are safe from the consequences of what you’re about to do.

Even if you’re not in a country with an extensive level of corruption, if you plan to blow the whistle on a government organization, make sure you seek legal advice!!!

Find someone who understands the legal framework in your country that you can trust with full confidence and involve this person in your planning process. In all of these cases, you must ensure that you’ve “covered your ass” from every direction possible.

When you poke your government, it will try to bite you, discredit you, or perhaps even seek to imprison you. Some governments can have far worse consequences prepared for you. Prepare yourself legally.

In particularly sensitive areas, your only escape might be pre-emptively leaving the country and blowing the whistle from your destination. In that case, do your homework and make sure there’s no extradition treaty between the country you’re leaving and the one you’re arriving at.

How To Communicate

Once you’ve sought legal advice and become aware of all the consequences you could face, if you’re still up for the task, there are ways to communicate your information to appropriate individuals securely. Generally, if you can’t blow the whistle through your government’s institutions, you’ll have to seek some way to get this information out to the public.

The best way to do this is the old-fashioned way: Attend a trade show for journalists, get a few business cards from people who write columns in papers relevant to your particular case, and set up a face-to-face meeting.

Generally, journalists are very attentive to the needs of their sources, but remember that they’re not your friends. They’re trying to do a job that involves getting information from you, but you are ultimately in charge of your protection.

If for some reason you can’t set up a face-to-face meeting, you will have to venture into the online world. This may seem straightforward, but with governments able to subpoena organizations that store your data and messages, you will have to do something more crafty than sending a simple email.

From this point on, you should familiarize yourself with the onion routing (OR, or “Tor”) network. While most people use the Tor Browser for this, if you’re a more advanced user looking for something more portable and far more flexible, you can use Advanced Onion Router (AdvOR). Despite not receiving many updates recently (the last version came out in May 2017 as of this writing), the latter continues to be the most advanced piece of software to make use of the onion routing network through any browser.

Once you have onion routing set up, you will have to use hidden services to communicate. The links described below will only work in the onion routing network, so if you try to open them in your regular browser, they will not work.

If I may humbly be permitted to offer personal suggestions, I would advise using ProtonMail’s secret service to communicate through email as they have end-to-end encryption through the entire message transmission and storage process (which means that the mail service literally cannot respond to a subpoena for your messages and trying to decrypt them is usually more trouble than it’s worth).

Aside from email messages, you may also want to serve digitized documents to your contacts. Fortunately, the Freedom of the Press Foundation has a wonderful resource for you to use.

Known as Secure Drop, this hidden service contains a directory of a number of press organizations’ own private communications channels. The level of security here anonymizes you further than any email communication could.

In essence, you click on the news organization you want to share information with, go to the onion address of the organization’s landing page (as shown in the directory page for that organization), and then click “Get Started.”

You’ll be given a codename that you must write down or memorize. This will be your identifier. No names have to be involved.

Once you’re ready to submit, there will be a field with which you can upload a document and write a personal message. After you’ve submitted your paper, you can always come back and check for replies from the newsroom staff by logging back in using your codename.

This is probably the easiest way to blow the whistle on something, as it separates your identity from the process for the most part.

Of course, if you’re the only known person to have access to the information you’re distributing, it wouldn’t be hard for the organization you’re blowing the whistle on to put two and two together. Remember, in the end; you’re the only person you can depend on for protection.

And whatever you do, try to minimize the use of your phone as much as possible. Smartphones tend to have location tracking mechanisms that could be used against you. Even if you’re making regular phone calls from a throwaway “dumb” phone, it’s inadvisable to have lengthy conversations about this subject with your contact.

Phone calls should be kept to a minimum and be as straightforward as possible (e.g., setting up meetings, announcing delays, or canceling plans). Avoid any discussions about the information you want to deliver to your contact by any means necessary.

Some Parting Words

If all of this makes you nervous, you should be. Through this process, no one can truly hold your hand or empathize with what you’re going through. However, if you’re having second thoughts right now, perhaps you should ask yourself if it’s truly worth it to go through this.

On the other hand, if you have the conviction that what you’re doing is right, good luck and godspeed. Hopefully, this guide will help provide a framework with which you can execute your plan carefully.

Remember to create as much separation as possible between the information you’re putting out there and your own identity. This is the key to mitigating many consequences that may be waiting for you.

Before you go on, take the time to read this guide again. Absorb the advice provided here and ensure you’re ready to embark on your journey. Involve as little trust as possible, reveal as little as possible to those who aren’t relevant to your case, and proceed as though you’re walking on glass.

With any luck, you might get through this with some dignity!

Leave a Comment