
The first contact is just the beginning. Beyond that — once Whistleblower Aid signs up with customers — it recommends using Signal for most messaging. “We spend a lot of time keeping our safety equipment safe,” Tye said.
Not all whistleblowers are created equal, and every whistleblower carries their own risks. Those accusing Big Tech of wrongdoing, for example, would face different possible threats to national security whistleblowers. Whistleblower Aid does threat modeling for each of its customers, assessing the risks they face and where or who those risks might come from, Tye said. One consideration, he said, is whether certain cloud computing services can be used — if a service has a relationship with the government, it may be more risky to use it.
“For many of our customers, we provide people with special equipment that only we can use,” Tye said. Most communication is through Signal. Whistleblower Aid sometimes uses a cell phone that doesn’t contain a baseband chip to control the radio signals emitted by the device to reduce risk. “We figured out ways to isolate the devices, and we use them without the baseband chip. That’s an attack vector that we’ve eliminated,” Tye said. In some cases, organizations use custom VPN settings; in other cases, phones are shipped in Faraday bags. “There are a number of ways we can give devices to people, and if they use them as instructed, there’s no way to trace any metadata back to that person,” Tye said.
It is crucial for whistleblowers to take extra steps to try to remain anonymous. The European Commission’s whistleblower reporting system advises those using their own whistleblowing tool not to include their name or any personal information in the messages they send, and, if possible, to reduce by “copying or writing the URL address” rather than clicking Create Links to additional digital records.
It’s not just digital security that needs to be considered – in some cases, people’s physical safety can also be at risk. This may include national security issues or controversial topics. For example, officials from the FBI, CIA and State Department used to meet daily to find ways to capture Edward Snowden, who was known for leaking a trove of documents detailing the NSA’s surveillance programs.
“In five years, we’ve had two cases where we had to have armed guards on people, lawyers and clients,” Tye said. Sometimes this includes meeting clients in “unusual locations”, including booking Airbnb for meetings – sometimes a third party is used to make the booking, hence another name. “It doesn’t even look like we’re renting the place to meet someone,” Tye said.
But in a world where we’re constantly being tracked through our devices and the signals they broadcast to the world, the best thing to do is to keep records offline. “Face-to-face is best,” says Tye. The nonprofit recommends meeting away from devices. “We even had a typewriter for sensitive documents.”