Session

Session — How to safely tip off using secure communications technology

How to make an anonymous tip — and stay safe

Whistleblowers are needed to make sure that information which is in the public interest reaches the public. Whistleblowers have been critical in uncovering major stories like the Panama Papers, Watergate, and the Pentagon Papers. But, whistleblowers have long been plagued with the first contact problem. Most of the time, if you get in touch with a journalist, they will know how to secure and anonymise your communications. But, by the time you get in touch with a journalist, it’s possible that a lot of information has already leaked. Potentially, enough info to ID a whistleblower. 

If you have a tip, there are some things you should do before you even think about contacting a journalist. 

Do not!

Caution: Identifying data. Handle with care.

  1. Call or text. Calls and texts are unsecured lines of communication. As soon as you text or call a journalist, you have created a direct and unsecured line of communication, and it is easy to connect you to a leak. 
  2. Send an email. By default, emails are unsecured. Even if you do use encrypted email, it most likely uses PGP — meaning the email’s subject line and the name of the sender are visible. Once again, this creates a direct line of communication between you and the journalist.
  3. Drop a letter off at the post office. If you really want to send a letter or package to a news organisation in the mail, use a post box. This will help you stay anonymous. 

Every step of the way: anonymous tips

Would you be suss if Jim from accounting suddenly started surfing the darknet?

Remember, no system is guaranteed to be one hundred per cent secure. Nearly all digital communications can leave some kind of trail. What we are outlining is for situations where it is essential that you stay anonymous. In a lot of cases, you might only need to follow a few of these steps to make your tip and stay safe. 

  1. You have a tip. Make sure you keep it to yourself. 
  2. Get a VPN. Getting a VPN — a virtual private network — is a fairly run of the mill thing to do. It shouldn’t raise any flags for you to sign up to a VPN — but make sure you get a reputable provider. Some VPNs may log or store your information, largely defeating the purpose of getting one in the first place. For extra security, use a public internet connection — like one at a library — to sign up for the service. This way it will be hard to even prove that you got a VPN at all. 
  3. Get an onion router. Onion routers help you stay anonymous on the internet. They are a little complicated, so check out our article on onion routing for more info on this one. Make sure that whenever you’re researching or downloading onion routing technology, you are using your VPN. 
  4. Make the drop. Once you are using an onion router, you are as safe as you’ll ever be to actually make contact with a journalist. If you use a service like SecureDrop, you can strip messages and files of metadata and then share them with a journalist.

Extra things to consider

No, a tin foil hat is not one of them

The steps above will help to limit the trail you leave behind when you’re online, but sometimes there is more to consider. 

  1. The device you use. You might want to get a device that isn’t associated with your identity. Your work and personal devices probably have information on them that will tell anyone looking at it that it’s your device. Getting a burner device to make the tip, and getting rid of it after you’re done is one option. But, if you don’t want to go to those lengths, you can still delete any files that connect you to the leak as soon as possible. 
  2. The operating system you use. Some operating systems respect your privacy more than others. Using an operating system like Tails, which is private by default, can help prevent your operating system from accidentally leaking data. 
  3. Use a metadata scrubber. Metadata scrubbers are programs that remove metadata from files. This way, you can remove metadata from your files before you upload them or send them to anyone else. This is safer than relying on metadata to be removed or obfuscated after you’ve already uploaded it to the internet. Some operating systems — like Tails — include metadata scrubbers. 
  4. Switch to a private messenger. Sending messages back and forth over SecureDrop might not be convenient. Instead, you could leave a point of contact — like your Session ID — to enable secure and anonymous communication.