How to be a whistleblower and keep your job
The Reg guide to protecting our sources
Ever wonder why The Reg continually comes up with scoops and insider information when our rivals seem content with rewriting press releases? Quite simple really. Trusted sources and, more and more frequently, tips from readers.
However, while we have always been discreet and careful to keep our sources anonymous, recent changes in UK law make this task more difficult. We're talking of course about the RIP Act. Under the Act, police, security services and the like are legally entitled to monitor any information moving about within the UK. This is no great concern in itself - IT stories are, let's be frank, rarely threatening to the security of the nation.
However, the new law has given employers extensive rights to read and monitor employee email and phone calls. Also, big companies are more tech-literate than ever. Because of these two changes in mindset, it is crucially important for whistleblowers and sources of confidential information to be aware of what can be done to trace suspected leaks.
Hence this brief guide to keeping out of the eye of powerful companies - it's not perfect or foolproof but it's a damn sight better than not doing it.
If you are contacting us for the first time with the intention of handing over some damaging and/or confidential information, for God's sake don't do it at work. Unless you want to fork out £50 for a phone scrambler (and subsequently draw attention to yourself), DO NOT call direct from work. Telephone logs are easily produced and checked and if only one person has called our phone number, then he or she is likely to face serious problems.
Email is also easily checked. Hotmail will not give you any security - network surveillance tools are way beyond that now. Again, the point is not that you will send a message and the boys in black will arrive at your desk five minutes later, it's that if a company becomes suspicious it will launch an enquiry and work backwards through email logs.
Encryption - PGP etc (www.pgp.com) - will stop a company being able to tell WHAT you've written but not the fact that you have sent us an email. If you really have to send us an email from work, the best thing to do is use a Hushmail account. We have set up a secure email address: email@example.com for just this purpose.
This is a fairly obscure email address and if you set up a Hushmail account (www.hushmail.com or www.cyber-rights.net), then the message will be indecipherable. However, again, retrospective analysis by a company will put anyone using a secure email tool under suspicion - until, that is, everyone uses it (which won't happen anytime soon). We also get a few network managers reading the site, so the address won't exactly be top secret either.
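To make the point above concrete: encrypting a message hides its contents, but a mail gateway still logs who sent what to whom, and a retrospective search over those logs needs no access to the body at all. The script below is an added example, not code from The Register or from any of the products named here. The gateway log format, the addresses (tipline@example.org stands in for the journalist's address) and the message are all constructed for the example; real gateway logs look different, but they record the same envelope data.

```python
"""
Added example (not from the article): PGP hides WHAT you wrote, not THAT
you wrote it. The log format below is invented for this demonstration,
not a real Postfix or Exchange format; the addresses are constructed.
"""
import re
from collections import Counter
from email.message import EmailMessage

# Constructed gateway log: one line per outbound message, recording the
# sender, recipient, size and whether the body was PGP-encrypted.
GATEWAY_LOG = """\
2000-10-02 09:14:03 out from=<j.smith@corp.example> to=<supplier@vendor.example> size=2140 enc=no
2000-10-02 09:20:41 out from=<a.jones@corp.example> to=<tipline@example.org> size=5812 enc=pgp
2000-10-02 11:02:17 out from=<p.brown@corp.example> to=<friend@webmail.example> size=910 enc=no
2000-10-03 17:48:55 out from=<a.jones@corp.example> to=<tipline@example.org> size=14220 enc=pgp
2000-10-04 08:05:30 out from=<j.smith@corp.example> to=<tipline@example.org> size=1200 enc=no
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) out from=<(?P<sender>[^>]+)> "
    r"to=<(?P<rcpt>[^>]+)> size=(?P<size>\d+) enc=(?P<enc>\w+)$"
)


def parse_log(text):
    """Parse the constructed log into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def senders_to(records, recipient):
    """Count messages per internal sender to one external address.

    This is the retrospective query the article warns about: it works on
    envelope metadata alone, whether or not the bodies were encrypted.
    """
    return Counter(r["sender"] for r in records if r["rcpt"] == recipient)


def observable_envelope(msg):
    """What a gateway sees of a PGP-encrypted mail: every header in the
    clear (PGP does not encrypt Subject either), plus the fact that the
    body is an armoured PGP block."""
    body = msg.get_content()
    is_pgp = body.startswith("-----BEGIN PGP MESSAGE-----")
    return {
        "from": msg["From"],
        "to": msg["To"],
        "date": msg["Date"],
        "subject": msg["Subject"],
        "body_is_pgp": is_pgp,
        "body_readable": not is_pgp,
    }


def build_encrypted_message():
    """Constructed message: headers in the clear, body an opaque PGP block.
    The block contents are placeholder text, not a real ciphertext."""
    msg = EmailMessage()
    msg["From"] = "a.jones@corp.example"
    msg["To"] = "tipline@example.org"
    msg["Date"] = "Mon, 02 Oct 2000 09:20:41 +0100"
    msg["Subject"] = "Re: Q3 figures (constructed subject)"
    msg.set_content(
        "-----BEGIN PGP MESSAGE-----\n"
        "PLACEHOLDER-CIPHERTEXT\n"
        "-----END PGP MESSAGE-----\n"
    )
    return msg


if __name__ == "__main__":
    recs = parse_log(GATEWAY_LOG)
    print("Who mailed the tip line:", dict(senders_to(recs, "tipline@example.org")))
    print("What the gateway sees of the encrypted mail:",
          observable_envelope(build_encrypted_message()))
```

Run it and the counter singles out the one address that mailed the tip line twice, encrypted or not; the envelope dump shows that From, To, Date and Subject are all readable while only the body is opaque. That is why the article's advice is about where you send from, not just what tool you encrypt with.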
Plus, if your company is really paranoid it will have software on your network that will be able to read every keystroke you make, so all of this is academic.
So, the basic lesson is: if you think you could get reprimanded/sacked for the information you plan to send us, send it to us from your home PC. The level of security you choose to use from there is up to you.
And for those really dangerous secrets
Let's suppose you have some top secret information whose disclosure will mean immediate dismissal and loss of livelihood, but you feel strongly enough to blow the whistle anyway. You'd be wise to take some extra precautions - especially if it could be deemed illegal (which is not difficult under the new RIP laws).
We would recommend buying a copy of Freedom (www.freedom.net). It'll cost you $49.95 but then that's nothing compared to loss of a salary. Freedom will basically mask your identity while you are on the Net. The company behind it - Zero Knowledge Systems - basically pings your IP packets through loads of anonymous servers and makes it nigh on impossible for anyone but the most determined investigator to track you down. That said, use Freedom and your profile will be raised.
Equally, if you're just paranoid/sick of spam, you may find $50 a fair price to pay for privacy.
They're onto you
If you are British, or to be more precise if you live in Britain, your home is a risky place to store or send confidential information. Your employer, should it suspect that you are the mole, can seek an Anton Piller order against you. Rarely used, because the legislation is so draconian, Anton Piller orders are obtained in secret, and give companies the power to raid suspects' homes (it's the police what does the raiding) and seize anything they consider relevant to their case. The PC and the filing cabinet will be the first things to go in the back of the police van for inspection.
Smell the coffee
Alternatively, go to a cyber café (but watch out for those cameras) and use a machine there. This isn't a bad method - after all, when 15-year-old maths prodigy Sufiah Yusof disappeared for a few weeks, regularly contacting her parents via email, the police were unable to track her down. It was eventually her continual appearance at the Click N' Link Internet café in Bournemouth and the fact that her face was all over the national newspapers which led the café owner to contact the police.
You, of course, will be using the café far less frequently and will go to different cafes if the correspondence stretches on.
Chatrooms - just say no
Don't go badmouthing your employer/ex-employer in Internet chatrooms. You'll get mad - but chances are they'll get even when they subpoena AOL, MSN, Yahoo! etc. for your name, address etc. If you have to vent steam in public, at the very least use a free email account, and give a false name and address, won't you. There is little reason, except for your own recklessness, why the audit trail should reach you.
Remember too, that Yahoo! (Nazi memorabilia, yeah!) and the like may spout all they like about freedom of speech. But they do not really believe in this guff. They are content aggregators - not content providers - and they will sell you down the river as soon as spit.
On the other hand, newspapers (Americans are particularly good at this) and publications like The Register will do their utmost to protect their sources. Because that's part of the deal.
And for Colombian drug dealers?
Not that you'd want to call us anyway - The Reg maintains the media's blatantly hypocritical attitude towards drugs - do as I say -
Well, we suggest you set up your own ISP offshore (£40,000 should do it). Then use heavily encrypted messages under different codenames. For vocal communication, attach a phone scrambler to a totally unsuspected phone line and make sure there's another one at the other end, or perhaps buy a pay-as-you-go phone and use it exclusively and for a limited time to make contact.
That should cover it.
Alternatively, of course, you could get a pen, piece of paper, envelope and stamp. Snail mail is the way forward, we tell you.
Remember kids: just because you're not paranoid doesn't mean they're not out to get you. ®