Being a whistleblower is all the rage now. To paraphrase the old saying, “Leak it if you’ve got it.” Some who reveal secret documents might be attention-seekers craving validation; others are genuinely waking to the realization that we have a serious surveillance problem in our society, along with corruption and other issues that should have light shone on them. Whatever the cause, there’s a whole lot of leaking going on.
There’s a right way and a wrong way to leak information, however, and today we’re going to talk about the wrong way using a real-life example. Names and certain details have been changed to protect the leaker involved, not necessarily because we want to protect him, but because no one in their right mind should want to be associated with this level of failure.
Our example, whom we’ll call Jim, works for Facebook, we’ll say. Jim is a closet freedomista, and one day at work he’s told about new responsibilities he’ll have soon as part of his job. Those duties involve using advanced capabilities to spy on users in ways never done before, and if the public knew about it, a scandal would ensue that could not only affect the company’s financial stability, but could result in a massive boycott of the social media giant, peripheral effects on data mining companies and clients, and more. Jim is sitting on seriously important information, and he’s got the proof in hardcopy.
What could Jim do with that information? Well, any number of things.
- Send it via an encrypted drop to various media outlets; many of them maintain drops on the dark web for just that reason.
- Release it on social media, with a fake account.
- Make hundreds of copies of the proof and leave it all over the place.
- Plenty more ideas; get creative.
Before Jim does anything, however, he should sit down to think and plan.
Jim, unfortunately, is about to do everything wrong.
If he wanted to leak his information in the right way — effectively and with the least danger to himself — he would answer the following questions:
- What exactly do I have?
- How credible is it? (An email with Jim’s boss’ name, email address, and date/timestamp that says, “Yes, we’re going to spy on people through their webcams, then sell the film,”* is in a higher league of credibility than Jim contacting The Intercept and saying, “I heard my boss talking about spying on people through their webcams a few months ago.”)
- How dangerous is it to possess the information? For me? For recipients?
- What do I want to see happen here? (Is Jim looking to get people arrested? Start a boycott? Etc.)
- Whom could I give it to?
- What consequences could I suffer if I get caught releasing it — and am I willing to deal with those consequences?
- What kind of protection do I need to mitigate those risks?
- Do I have a plan for release, and am I skilled enough or able to follow through with that plan?
- Am I the right person to release this information?
That last question is a doozy, isn’t it? Whistleblowing isn’t a “finders keepers” situation. If you’re honest with yourself and put the objective first, you might have to admit you’re NOT the right person to release information. Perhaps you can’t do it without outing yourself as the source of the leak. Maybe you understand you don’t have the connections or ability to get it where it can do the most good–but you know someone who can. That’s what all of this planning is for.
If you do decide the information should be leaked and you’re the right person to do it, it becomes your duty to release it with a high level of security. How high depends on how dangerous the information is. But serious leaks are made using encryption, dark web sites, computers and Internet connections that can’t be traced to the leaker, and other covert methods (some described above). This protects both the leaker and recipients.
But let’s get back to Jim. We know he did virtually no evaluating or planning. What did he do instead?
- Went to an online community and talked about the information in vague terms, offering to give it to anyone who contacted him on the side via an insecure method.
- Openly stated that he worked for Facebook.
- Explained the information and how he obtained it to several people he didn’t know except by their online handles.
- Dismissed advice and offers of help from security-conscious members of the community.
While the list above would certainly count as more than three strikes, Jim also made perhaps the most amateur mistake of all:
He left the only copy of his evidence in the pocket of his pants, which went through the washer.
What can Jim do now? Nothing. No one will believe him, he’s already all but outed himself in multiple places, and he’s discussed his information on insecure media, using the same home computers and internet connections he uses to visit the sites he typically goes to. He has also shown that he’s what we call in our book an Unteachable, a person who refuses to learn from others. Therefore, even if additional damning information falls into his hands in the future, he’ll mishandle that, too.
Jim–and his information–are dead in the water.
In his case, the worst that’s likely to happen is that he’ll be fired and/or sued for violating confidentiality. Had he leaked government information so sloppily, he could have been imprisoned for decades. Equally tragically, because of his failure to observe best practices, the global public will now live with a new level of privacy abuse until a more competent whistleblower steps up.
* Hypothetical example only. This is not really happening — as far as we know.