How to securely leak information to a SecureDrop or GlobaLeaks whistleblower platform

Hash: SHA256

Your number one priority in sharing truth is to preserve your anonymity. Highly secure platforms for secure disclosure of information like SecureDrop and GlobaLeaks go as far as technically possible to protect your identity and to protect the transfer and dissemination of your information to the world.

However you need to take the right countermeasures to protect yourself long before you arrive at the point of sending information.

These mandatory considerations can be grouped in three categories: Social Risks, Social Responsibilities, Technological Risks

Social Risks

After a piece information has been liberated, and when the news about the facts related to the info you submitted reaches public media attention, yo uneed to understand the process that will take place around you. You need to have a clear understanding of how submitted information can be a risk to you even if your identity is protected.

  • Who else knows you has access to, or knows you have access to this information
  • Are ready to cope with all the “stress” of an internal or external investigation?

Social Responsibilities

After a piece information has been liberated, pressure will come on all who could have potentially disclosed the confidential information.

  • Will your anonymous disclosing bring undue persecution on others who will fall under heavy scrutiny along with yourself?
  • Will your anonymous disclosing cause further persecution on victims that would rather remain anonymous?

You should consider submitting to a SecureDrop or GlobaLeaks platform only after a full understanding these points.

Technological Risks

You must be aware of the fact that while using a computer and the internet to exchange information, most of the actions you do leave traces (computer logs) that could lead an investigator to identify where you are and who you are.

You may leave computer traces while:

  • Researching the information to be submitted
  • Acquiring the information to be submitted
  • Reading even this web page
  • Submitting the information to us
  • Exchanging data with receivers of your submission

All these actions may leave traces that compromise your security, but with a few technological protection steps, you can minimise the risks.

Social Protection

  • Don’t ever tell your intention to anyone before you make a submission
  • Don’t ever tell your intention to anyone after you make a submission
  • Don’t ever tell your intention to anyone after the news about the submission gets out to public media
  • Be sure that there’s no surveillance systems ( cameras or other ) in the place where you acquire and submit the information
  • Don’t look around on search engines or news media website for the information you submitted ( this would reveal that you knew about it earlier )

Technological Protection

To achieve a 100% guarantee of security from technical perspective, you need to be computer-proficient enough to fully understand all the risks.

However, by strictly following the procedures and tips reported below, you should be safe enough:

  • Submit information using Anonymous Web Browsing software Tor Browser Bundle
  • Don’t submit information from the personal computer provided to you by your employer
  • Keep the Submission’s Receipt ( GlobaLeaks ) or Diceware Phrase ( SecureDrop ) safe, and destroy this information after you don’t need it anymore
  • Don’t keep a copy of the information you submitted!
  • While acquiring the information to be submitted, be sure that there’s no traces being left leading back to your identity ( eg: store files using Veracrypt within your USB key, and when the submission process is completed, grind the USB key down to powder using a file or hand grinder )
  • Be aware of the fact that “meta data information” may be present in some of the data you are submitting.
  • Consider cleaning up the Metadata by using tools such as ExifTool, Exiv2, Exif Jpeg header manipulation tool, and/or MAT bundled with the TAILS linux live CD.
  • Consider converting all the data that you are sending us into standard PDF format.

By applying the above described procedures, you will be safe enough.

Safe enough doesn’t means 100% safe.

To overall improve your digital security you should undergo reading of the Security-in-a-Box project, which explains most of the risks and related countermeasures.

Security of the Hokioi Security Secure Submission Platform

Hokioi Security Secure Submission Platform is implemented using the GlobaLeaks Software, and anonymity for the confidential source is provided thanks to Tor software.

Tor is the state-of-the-art when it comes to digitally protect anonymity and has received a lot of attention from both the academic research community and experts in the IT security field.

GlobaLeaks is the first opensource, secure and anonymous confidential source platform designed by the Hermes Center for Transparency and Digital Human Rights.

Tor is already integrated in GlobaLeaks; that way, the Site Owner does not obtain any kind of traces or information about the Confidential Source’s identity or location.

Complete security can never be guaranteed; however, we have designed this technology taking into account scenarios where a confidential source’s life and liberty may be at stake.

Having read all that, the Tor accessible website address of the Hokioi Security Secure Submission Platform is:

Other Secure Submission Platforms of note:

Version: GnuPG v2