Sep 13, 2022 7:00 AM
How Whistleblowers Navigate a Security Minefield
It’s been three weeks since Twitter’s former security boss, Peiter “Mudge” Zatko, revealed explosive claims about the company’s security practices. Among the allegations, Zatko said Twitter wasn’t taking steps to fix multiple security problems and that India had forced Twitter to put a government agent on its payroll. Twitter denies the claims.
Since then, Zatko has been entwined in Elon Musk’s effort to not-buy Twitter for $44 billion, with Musk deposing the Twitter whistleblower ahead of his October showdown with the company. Today, Zatko will appear before the Senate Judiciary Committee, which is interested in the potentially “dangerous data privacy and security risks” detailed in his 84-page whistleblower complaint.
Blowing the whistle against Big Tech has become increasingly popular in the last few years. As WIRED’s Steven Levy notes, this often involves prominent whistleblowers turning to nonprofit Whistleblower Aid. Meta whistleblower Frances Haugen, who exposed the Facebook Papers, and Gary Miller, who blew the whistle on Israeli spyware maker NSO Group, both worked with the nonprofit. Zatko made contact with Whistleblower Aid in March.
But blowing the whistle isn’t easy and carries an array of risks. Any whistleblower or potential whistleblower is faced with legal concerns and potential ramifications that come with exposing a company or government’s wrongdoing, of course. But that part is predictable. There’s also the risk of being targeted or publicly smeared as a result of the allegations, the mental and emotional pressure of whistleblowing, and unemployment. Lawyers representing whistleblowers and journalists writing about their claims can also be tracked or monitored.
While there are multiple laws in the US that protect whistleblowers, it’s not uncommon for businesses, including the likes of Google and Meta, to have internal teams that look for threats coming from within their own walls. Because of this, potential whistleblowers need to know to avoid trying to out wrongdoing using their work devices or systems, including email. “Due to advanced surveillance techniques … communication through your personal devices may also not be secure,” the House of Representatives whistleblower ombuds advises. It recommends using the anonymity service Tor, encrypted messaging app Signal, or SecureDrop for whistleblowing. The latter is an open-source platform that uses Tor to allow people to send journalists files securely. (The operating system Tails can also provide extra protection.)
For someone who decides to blow the whistle with Whistleblower Aid’s help, the first step is to contact the organization—which isn’t exactly straightforward. “We don’t have insecure methods to contact us,” says Tye. There are no cookies or trackers on its website and it doesn’t list any emails or postal addresses where potential whistleblowers can get in touch with it. Instead, potential whistleblowers can get in touch through either Signal or its SecureDrop instance, according to John Tye, cofounder of Whistleblower Aid, who spoke with WIRED about its security practices ahead of Zatko’s Senate appearance. (Tye says people can use its SecureDrop to send only messages and not files, as it doesn’t want to receive classified files.)
Initial contact is just the start. Beyond this—once Whistleblower Aid has signed on clients—it recommends using Signal for most messaging. “A lot of time is spent trying to keep our secure devices secure,” Tye says.
Not all whistleblowing is the same, and every whistleblower has their own set of risks. Someone who is calling out Big Tech malpractices will face different possible threats to a national security whistleblower, for example. Tye says Whistleblower Aid conducts threat modeling for each of its clients, assessing the risks they face and where or who those risks may come from. One consideration, he says, is whether certain cloud computing services can be used—a service may be riskier to use if it has a relationship with a government.
“With many clients, we give people special devices that they use with only us,” Tye says. Most communication happens over Signal. Sometimes, Whistleblower Aid uses phones that don’t include baseband chips, which control radio signals emitted from the device, to reduce risk. “We come up with ways to isolate the devices, we use them without baseband chips. That’s one attack vector that we’ve eliminated,” Tye says. In some cases, the organization uses custom VPN setups; in others, phones are transported in faraday bags. “There are ways that we can get devices to people that, if they use them according to the instructions, there’s no way to trace any metadata back to that person,” Tye says.
For whistleblowers, taking extra steps to try and keep their anonymity can be crucial. The European Commission’s whistleblower reporting system advises people using its own reporting tool to not include their names or any personal information in the messages they send, and, if possible, access its reporting tool “by copying or writing the URL address” rather than clicking on a link to reduce the creation of additional digital records.
There’s not only digital security that needs to be considered—in some cases, people’s physical security can also be put at risk. This could include national security issues or controversial topics. For instance, officials at the FBI, CIA, and State Department once held daily meetings working out ways to capture Edward Snowden, who famously leaked a trove of documents detailing classified NSA surveillance programs.
“In five years, we’ve had two cases where we’ve had to put armed guards on people, lawyers, and clients,” Tye says. Sometimes, this includes meeting clients in “unusual locations,” including booking Airbnbs for meetings—occasionally, third parties are used to make the booking so it is in another name. “It doesn’t even look like us renting the place to meet with somebody,” Tye says.
But in a world where we’re constantly being tracked through our devices and the signals they broadcast to the world, the best thing can be to keep records offline. “In person is the best,” Tye says. The nonprofit advises having meetings away from devices. “We even have a typewriter that we use for sensitive documents.”
More Great WIRED Stories
Lily Hay Newman
Credit belongs to : www.wired.com