You may know that the encrypted communication software Signal uses a protocol (formerly TextSecure) based on Curve25519 elliptic-curve cryptography, HMAC-SHA256, and AES-256. It’s supposed to be quite secure, but is it really sufficient to protect a whistleblower against modern surveillance capabilities? Well, probably not if your “opponent” has governmental resources.
So, if you’re one of those technicians, engineers, or enthusiasts who want to understand the actual security mechanisms and not just follow simplistic advice, let’s delve together into the subtle art of secure communication.
In a recent article for Nieman Lab, Laura Hazard Owen explores in detail how whistleblowers can communicate securely with journalists. Her analysis comes at a timely moment, as the second Trump administration shakes Washington and many federal employees find themselves laid off or furloughed. In this context, the media is naturally strengthening its protocols to protect its sources.

Signal has thus emerged as the preferred option for sensitive communications because, unlike WhatsApp (which is owned by Meta), it only retains your phone number, your sign-up date, and your last connection. No communication metadata is stored, and the app also allows for self-destructing messages that disappear from both the sender’s and recipient’s phones after a predefined time. But of course, no method currently available to individuals is entirely secure…
So, before even thinking about which tool to use as a whistleblower, let’s discuss the rookie mistakes that could get you noticed in less than 24 hours.
First and foremost, an absolute rule: NEVER use your professional equipment or corporate network. Modern companies use software like Teramind or ActivTrak that literally records every click. Even in private browsing, network logs will betray you. Next-generation firewalls analyze traffic in depth, and corporate VPNs create a false sense of security. Keep in mind that sending documents from work computers, through professional email addresses, or over corporate Wi-Fi networks can introduce additional risks.
The documents you wish to relay are also genuine treasure troves of information for those who want to identify you. Word files contain your computer’s unique identifier, PDFs keep a history of modifications, and even screenshots can include identifiable information. Let’s not forget the case of Reality Winner, a former NSA contractor arrested after printing documents that contained invisible “microdots” identifying the printer used. So if you absolutely must use a printer, be aware that nearly all modern printers add microscopic yellow dots encoding the serial number and date/time of the print.

Another formidable technique employed by organizations to trap their employees is the “canary trap.” This involves creating slightly different versions of the same document, distributed to different people, to identify the source in case of a leak.
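The canary trap described above, sketched as an added example that is not from the original article: each recipient's copy encodes an index through interchangeable wordings, and an excerpt is traced back by the wordings it contains. The memo template, the wording pairs and the recipient names are all constructed for illustration.

```python
# Constructed sample memo: each slot has two interchangeable wordings.
TEMPLATE = "The {0} will be {1} on Friday. Managers are {2} to brief their teams {3}."
SLOTS = [
    ("reorganization", "restructuring"),
    ("announced", "disclosed"),
    ("expected", "required"),
    ("beforehand", "in advance"),
]


def build_variant(index):
    """Bit i of index selects wording 0 or 1 for slot i."""
    words = [pair[(index >> i) & 1] for i, pair in enumerate(SLOTS)]
    return TEMPLATE.format(*words)


def issue_copies(recipients):
    """Give every recipient a uniquely worded copy (index = position in list)."""
    if len(recipients) > 2 ** len(SLOTS):
        raise ValueError("not enough variation slots for this many recipients")
    return {name: build_variant(i) for i, name in enumerate(recipients)}


def trace_excerpt(excerpt, recipients):
    """Return the recipients whose copy is consistent with the excerpt.

    Slots whose wording does not appear in the excerpt carry no information,
    so a short quote narrows the list and a full paraphrase narrows nothing.
    """
    candidates = []
    for i, name in enumerate(recipients):
        consistent = True
        for slot, pair in enumerate(SLOTS):
            bit = (i >> slot) & 1
            if pair[1 - bit] in excerpt and pair[bit] not in excerpt:
                consistent = False
                break
        if consistent:
            candidates.append(name)
    return candidates


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave"]  # hypothetical recipients
    copies = issue_copies(staff)
    print(trace_excerpt(copies["carol"], staff))            # full verbatim copy
    print(trace_excerpt("will be disclosed on Friday", staff))  # short quote
    print(trace_excerpt("A reshuffle is coming Friday.", staff))  # retyped
```

A verbatim copy resolves to a single recipient, a short quote only narrows the list, and a paraphrase that reuses none of the marked wordings matches everyone.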
So, how should you proceed concretely?
According to experts consulted by Owen, here is a robust protocol to minimize risks. First, start by buying a prepaid phone in cash, far from your home and workplace. Also, use a prepaid SIM card purchased separately, and never activate this phone near your personal phone to prevent cell triangulation. Next, install only Signal and set it up with a username to mask your number. And make sure to always enable ephemeral messages.

Then, to find the journalist you will send your information to, use a public computer, like in a library, and check the journalist’s history of source protection to see if it’s solid. Major media outlets like The Guardian or the New York Times have dedicated pages for secure communications. For the first contact, move to a public place with an anonymous public Wi-Fi network, far from your home and workplace. You can then send a brief message like, “I have information about [insert deliberately vague topic]. Can we establish a secure protocol?” And above all, do not include any details that could identify you in this first message.
Amanda Becker, a Washington correspondent for The 19th, notes that a journalist will always need to confirm your identity, even if you want to remain anonymous in the article, as information from someone whose identity cannot be confirmed is not very useful in most cases. Propose an indirect verification method that leaves no digital trace, and clearly establish the terms: complete anonymity, “source within the organization,” etc.
For document transfer, exclusively use Signal’s built-in camera, which does not save photos in your gallery. Photograph the documents from an angle that does not reveal your location. Unfortunately, for large files (>100MB), Signal is not suitable, and Owen recommends OnionShare. Her advice is to ask the journalist to recreate the documents instead of using your captures directly to eliminate any digital trace that could identify you. So, take screenshots of your screenshots, or simply rewrite the document in a brand-new Word file…

One might argue that using Signal, Telegram, WhatsApp, or any other app is foolish, and that it’s a shame GPG/PGP has been forgotten. And yes, a more technical alternative like GPG, created by Phil Zimmermann in 1991, offers a public/private key encryption system that allows for highly secure asynchronous communications. The problem lies in its complexity, which has unfortunately led to its gradual abandonment, even by knowledgeable users.
Now, for truly sensitive situations, it’s possible to go beyond digital solutions by using old-fashioned techniques like predetermined meeting points in public places, communication via physical notes or USB drives, and even visual signals to indicate the safety of a location—this way, there’s no digital trace.
And after transmitting your information, maintain your habits. Be normal, do not obsessively check the article published by the journalist, and do not discuss it with anyone, even your loved ones. Also, permanently disable the phone used, physically destroy the SIM card, and never reuse the same device or phone number.
A good piece of advice for a potential whistleblower is to consider the public benefits as much as the risks associated with disclosing information, as your leak can encourage others to come forward…
In short, whether you choose Signal, SecureDrop, or a more old-school approach, never forget the golden rule: No system is infallible! Human error remains the weak link in any security chain, so before embarking on the risky adventure of whistleblowing, ask yourself the right questions.
Namely: Is this information really worth disclosing? Are the personal risks proportional to the potential impact? And if the answer is yes, then scrupulously follow the protocols I have just detailed.
