Welcome to the third installment of ExpressVPN’s whistleblowing guide. In this segment, we delve into the critical aspect of safeguarding your sources. As a journalist, regulator, or watchdog, it’s not just a responsibility but a duty to ensure the protection of those who provide valuable information. Join us as we explore various strategies, tools, and considerations to keep your sources secure and maintain the integrity of your work.
Understanding Legal Protections for Sources
Before we dive into the technical aspects, let’s address the legal landscape. While sources may be granted legal protection in certain sectors or countries, it’s essential to recognize that these protections might not cover every instance. Knowing the specific laws related to whistleblowing in your area is crucial. The difference in legal frameworks could mean the contrast between a source’s freedom and potential repercussions.
Weighing the Worth of Legal Protections
Despite legal safeguards, it’s prudent to remember that they might not be foolproof. In addition to our information security advice, understanding the intricacies of whistleblowing laws is paramount. A misstep in how you communicate or handle documents could have far-reaching consequences for your source.
Making Yourself Reachable to a Source
Establishing open communication with your sources is fundamental. Recognize that each potential source will have a different level of understanding regarding technology, the law, and your organization. Your role is not just to be a passive receiver of information but an active participant in making yourself reachable and educating your sources about secure communications.
The Gold Standard: SecureDrop
SecureDrop, developed by Aaron Swartz and Kevin Poulsen, stands out as a digital mailbox for sensitive material. It’s utilized by numerous news organizations globally for its secure and anonymous file submissions. Here’s how it works:
- The whistleblower uses the Tor Browser to access SecureDrop’s .onion address.
- Documents are uploaded, and the source receives a passcode for checking replies.
- Files are encrypted with your PGP key, ensuring only you can access them.
While considered the gold standard, setting up SecureDrop can be challenging for individuals. Using a laptop with the TAILS operating system for document inspection adds an extra layer of security.
Jabber/XMPP with OTR Encryption
Jabber, or XMPP, offers an alternative. Despite being less common, it’s relatively easy to set up anonymously, especially when routed through the Tor network. Here’s a brief overview:
- Create anonymous Jabber accounts communicating through Tor with OTR encryption.
- Low chance of discovery, even through metadata.
- Not widely used, challenging on mobile devices.
Signal: Encrypted Messaging
Signal, an encrypted messaging app, provides a secure platform for exchanging messages with minimal metadata. Here’s what you need to know:
- Available for Android and iOS.
- Allows encrypted voice calls.
- Widely endorsed by the information security community.
Postal Address: Traditional but Effective
Sending physical mail might seem outdated, but it’s still a viable option. Here are some considerations:
- Physical mail can be sent anonymously.
- Be cautious with hand-written envelopes.
- Legal protections still exist for mail.
Telephone and E-mail: Use with Caution
While email and telephone communication are easy, they can be intercepted. Here are some precautions:
- Encrypted emails with PGP leave metadata.
- Be mindful of the vast amount of metadata these channels produce.
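An added example (not part of the original guide) of the point about PGP email metadata: it parses a constructed message and lists what stays readable in transit even though the body is encrypted. The addresses, hostnames and message contents are made up for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: every address, host and the "ciphertext"
# placeholder below is made up for this illustration.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.newsroom.example with ESMTPS; Tue, 02 Jan 2024 09:15:02 +0000
From: source@example.org
To: reporter@newsroom.example
Subject: Documents about the audit
Date: Tue, 02 Jan 2024 09:15:00 +0000
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""


def exposed_metadata(raw):
    """Return what a mail provider or network observer can still read."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        # PGP protects only the body; every header below travels in the clear.
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        "sender": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "recipients": [addr for _, addr in getaddresses(recipients)],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "relay_hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    for field, value in exposed_metadata(RAW_MESSAGE).items():
        print(f"{field}: {value}")
```

Note that the subject line is among the exposed fields, so it should never describe the material being sent.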
Ensuring Source Verification
Making sure your sources can verify your identity is crucial for trust-building. Consider these steps:
Send Pictures of Yourself
In case of in-person meetings, provide your source with pictures to prevent impostors.
Use Cryptographic Keys
Utilize your social media presence to host your public keys, making it easier to verify your identity.
Be Available on Reputable, Encrypted Channels
Make your correspondence easily verifiable by being present on secure communication channels.
Securing your sources is not just about technology; it’s a holistic approach that involves legal awareness, technical proficiency, and personal connections. By understanding the legal landscape, adopting secure communication tools, and ensuring source verification, you not only protect your sources but also uphold the integrity of your work.
What legal protections exist for whistleblowers?
Legal protections vary by country and sector. It’s crucial to research and understand the specific laws applicable to your situation.
How do I set up SecureDrop for individual use?
While SecureDrop is robust, it can be challenging for individuals. Consider seeking technical assistance or exploring alternative secure communication methods.
Is physical mail still a secure option?
Yes, physical mail can be a secure option, especially when sent anonymously. However, be aware of potential risks and legal considerations.
Why is metadata important in secure communication?
Metadata can reveal information about communication patterns, potentially compromising the anonymity of sources. It’s crucial to minimize metadata exposure.
How can I ensure source verification in online communications?
Utilize cryptographic keys, share pictures of yourself, and be present on reputable, encrypted channels to ensure source verification.