Wednesday, September 26, 2007

How to be a whistleblower

Nobody wants to be party to coverups, outright lies and the other scandalous behavior sometimes exposed in the worlds of big government and big business. But what should you do if you discover something you think is unethical or potentially criminal? Something totally nefarious and evil? Here's our guide to snitching on the bad guys without getting caught.

Understand the Consequences
Going up against the evil corporations or the Big Bad Fed can have serious repercussions -- whistleblowers have been ostracized, fired, threatened, jailed, and worse.

Still, from Deep Throat to Big Tobacco, whistleblowers have a distinguished legacy of helping the public good. Stephen M. Kohn, President of the National Whistleblower Center in Washington DC, says "The majority of all civil fraud recoveries in the U.S. are based on whistleblower disclosures," which means it could be up to you to point out wrongdoings.

In the end, most whistleblowers do end up exposed out of necessity, whether for legal testimony or simply due to accidental exposure. Most get fired, but many whistleblowers have also sued their former employers and won their cases. Legal protection for whistleblowers varies from country to country, and Wired can't provide you with legal advice, but you should understand that the choice to blow the whistle is ultimately fraught with risk.

Here are some tips that might help you remain anonymous -- and possibly evade detection long enough to get the word out.

Surf Anonymously
One tool explicitly designed with whistleblowers in mind is Tor (surf to https://tor.eff.org/). Tor is free networking software that allows you to use the internet anonymously. Need to log in to that Gmail account you used to contact the press, but you're stuck at work? Tor can help cover your tracks.

When you log in to Tor you join a network of machines scattered around the world that pass internet traffic randomly amongst themselves before it emerges at its destination. The process is somewhat like a ball bouncing around inside a sealed box. Every now and then a ball comes out of the box, but it's impossible to tell who put it in the box to begin with.

The process is called "onion routing," and it was first developed at the Naval Research Laboratory. Tor uses a layered encryption protocol, which is where the onionskin analogy comes from. Tor is designed to defeat one specific type of digital eavesdropping known as traffic analysis, a form of network surveillance that tracks who is talking to whom over a public network.

Without Tor, a malicious employer can easily detect any outgoing traffic announcing your whistleblowing intentions.

Use Encryption
Tor alone isn't enough to hide you from the snoops. To use our earlier example, if you log in to Gmail via Tor and send your whistleblowing message, the company might not be able to trace where it came from, but they can read it the minute it leaves Tor.

In other words, anonymity is not the same as security.

It's important to recognize that Tor does not encrypt traffic once it emerges from the Tor network. Thus, there's the possibility your data is going to be exposed unless you've bothered to encrypt it.
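The layering described above, and why the last relay still sees whatever you sent, as an added example that is not part of the original article. The relay keys, function names and the hash-based toy cipher are assumptions made for illustration; Tor itself uses real ciphers and keys negotiated with each relay.

```python
import hashlib

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, illustration only): XOR the data with
    SHA-256(key || offset) blocks. Applying it twice with one key undoes it."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed sample keys: one shared between the sender and each relay.
RELAY_KEYS = [b"entry-relay-key", b"middle-relay-key", b"exit-relay-key"]

def wrap(message: bytes) -> bytes:
    """Sender: apply the exit relay's layer first and the entry relay's last."""
    cell = message
    for key in reversed(RELAY_KEYS):
        cell = xor_layer(key, cell)
    return cell

def relay_views(cell: bytes) -> list:
    """Each relay strips only its own layer; return what each one forwards."""
    views = []
    for key in RELAY_KEYS:
        cell = xor_layer(key, cell)
        views.append(cell)
    return views

def leaves_exit(message: bytes, recipient_key: bytes = None) -> bytes:
    """Bytes leaving the last relay, optionally encrypted for the recipient
    before they ever entered the relay chain."""
    if recipient_key is not None:
        message = xor_layer(recipient_key, message)
    return relay_views(wrap(message))[-1]

if __name__ == "__main__":
    msg = b"Constructed sample: meet the reporter on Friday at noon."
    for name, view in zip(("entry", "middle", "exit"), relay_views(wrap(msg))):
        print(f"{name:>6} relay forwards: {view!r}")
    print("exit, with end-to-end key:", leaves_exit(msg, b"recipient-key"))
```

The entry and middle relays forward only scrambled bytes, while the exit relay forwards the message exactly as it was handed to the network, so only a layer added for the recipient keeps it unreadable past that point.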

To learn more about encrypting your e-mail, see the Wired How To Wiki entry: Keep Your E-mail Private, Secret and Secure.

But if you're collecting whistleblowing data you'll likely want to encrypt more than just your e-mail.

Lock Down Your Files
Protect those contact lists and secret documents with some hefty crypto if you don't want to get caught.

Encrypting a file in Windows XP is easy as long as your hard drive is formatted as NTFS. The FAT32 filesystem doesn't natively support encryption, but if you're running NTFS, the process is simple. Just select the files or folder in Windows Explorer, right click and choose "Properties." In the "Attributes" section at the bottom, click "Advanced" and check the "encrypt contents to secure data" box. Click OK twice.

There are a couple of caveats here. First, the encryption is useless if someone else knows your login password (which is often assigned by the IT department). Second, if you encrypt a folder, anyone can still read the file names. They just can't open the files. So, changing the names to something obfuscated is a good start.

A better option is to use GPG4win, an open source encryption program for Windows. It encrypts files with a private key, always the strongest type of file encryption. Again, if anyone else has access to your account, the security provided is ruined because they will have access to your GPG key.

If you find yourself in a situation where you can't control access to your computer, you might consider investing in an encrypted USB thumb drive, though there could be some record of accessing it on your computer that leaves you vulnerable.

Source: Wired.
