So you've decided to become a leaker.
Be it government corruption, corporate malfeasance, evidence of Russian hacking, or just some garden-variety, messed up shit someone wants to stay under wraps—a secret caught your eye, and you've decided it needs to be exposed.
But how to do it without getting burned in the process?
In an age when practically every waking moment is captured, analyzed, and logged for posterity, leaking anonymously is far from a simple task.
And the stakes are high. On one hand, you have the public's right to know something that is presumably in the public interest, and on the other, you're possibly looking at a lost job, or even jail time.
With that in mind, the first thing you should do before leaking is weigh the possible benefits against the potential costs. Definitely sleep on it. Maybe even speak with a lawyer. And if you still want to get the word out? Here's how.
The Lead Up
When your employers realizes their secret's been let loose into the world, they're going to try and find out who set it free. Also, needless to say, they're gonna be pissed. Expect an internal audit of everyone with access to the data or documents in question, as well as possible police involvement. That means your computer, search history, corporate email account, file access requests, printer logs, call history, and possibly even logged keystrokes are all going under a microscope.
What'll they find?
Your job is to make sure it's nothing out of the ordinary. For example, are you reading this article at work? Or maybe at home, but on your work laptop? That's a problem. You had access to the data in question and read an article about leaking anonymously? While that's far from conclusive evidence, it's a big red flag that might point investigators in your direction.
Another key piece of common leaking wisdom, identified by The Intercept, is that you should never attempt to contact the press from work. Ironically, Reality Leigh Winner, the 25-year-old woman accused of leaking an NSA report to that very same publication, allegedly had some form of email contact with The Intercept from her job.
Don't make the same mistake. Do all your prep work—learning how to leak, and who to leak to—away from the office, and on a personal device. Download and use Tor for your web browsing, learn to use PGP encryption, and create throwaway email accounts (10MinuteMail is good) if email is needed for some reason.
If you want to get serious, and if your liberty is potentially on the line, you should consider buying an inexpensive laptop (in cash) and using it only on public Wi-Fi networks. Reformat it and get rid of it as soon as you're done.
Getting the Data
So you've researched how to get your bombshell to the press (more on that later), and hopefully not left digital tracks in your wake. Now, time to figure out how to actually get the data out of your workplace without being discovered.
This is tricky. The information may be access-controlled, and merely looking at it could leave a digital fingerprint. Consider how many other people have access to the data, and how frequently it's viewed. Is it opened 100 times a day by staff across the company? If so, you doing the same may not fly a huge flag (unless you've got no business doing so in the first place). If it's an old, obscure doc, then you may be the only person who's looked at it in the last month—a fact that won't help keep you anonymous.
These are the kind of things investigators will check, so, 'better think about them now.
If you decide to print out the damning information, chances are that the printer and network will log that fact. What's more, laser printers leave secret codes on documents that can help lead investigators back to the source. Neither of these are good for you.
Copy it to a flash drive? Many companies have physically plugged up USB ports on computers, and, even if not, the act of copying data will almost certainly be logged by the system. Again, though, if many people have access to and copy this data on a semi-regular basis, then you may stand a chance of being just one suspect of many—unless, of course, the system embeds the file with metadata specifically tying it to you.
Is that a risk you're willing to take?
What about taking a screenshot? Maybe, but then, how do you get that off your computer? Emailing it to yourself is a no-no. And anyway, there's a chance that a record will be kept of the fact that you screengrabbed the very same file that, days later, gets splashed across your press outlet of choice.
One potential option is to take a physical picture of the computer screen or document with a burner device (not your work phone!), and then, manually transfer that to the aforementioned cheap laptop you bought just for this occasion. Make sure your computer's webcam is covered (it should be anyway), and do this in a place where you're free from prying eyes—human or digital.
Many cameras log metadata when you take pictures—your location, the time, the device used, etc. You'll want to get around this problem by turning off what's known as EXIF data.
Of course, you're going to have a lot of explaining to do if someone sees you taking pictures of your computer screen. Keep that in mind.
If you go this route, take a moment to strip any extraneous details from the photo itself. Can you see your work station? How about the time displayed on the computer screen? What about the toolbar of the program you're using to read the file, or your login credentials? Crop these out.
Once you've transferred the files from your burner camera to your burner laptop, now you can attempt to anonymously send it to a reporter.
Send It Off
There are myriad ways to get information to the press, and each comes with its own set of risks. As you research options, remember, do your research using public Wi-Fi—definitely not your personal or your work Wi-Fi. Go with something like a coffee shop or library you don't frequent.
One approach is SecureDrop, "an open-source whistleblower submission system." Find out if your media outlet of choice uses it, and, if so, digitally send the goods their way.
If the information you liberated is a physical object, like a piece of paper, consider mailing it to the media outlet in question. If you go that route, consider putting a real return address that isn't yours on the envelope.
Why is this important? As The New York Times reported in 2013, under the Mail Isolation Control and Tracking program, every single piece of mail that goes through the US Postal Service is photographed—and that data's made available to law enforcement on request. What's more, as The San Diego Union Tribune notes, is that fake return addresses are considered a red flag—as are listed names not associated with the return address.
If time isn't of the essence, consider using a remailer service. A remailer is a company that allows you to mail it something, and then for a small fee, it turns around, and mails it back out to its final intended destination in a different envelope.
Congratulations, you've just leaked to the press.
So, now you've done the deed, and the world will presumably be a better place because of it. But the clock's ticking, and you need to move fast, or risk getting caught. Get rid of the camera, laptop, and definitely the flash drive you've used if you decided to go that route.
Keep in mind: A reporter will likely approach your employer with the information you leaked, either to ask for comment, or to confirm its authenticity. They may even show your boss the document itself—something The Intercept is alleged to have done in the case of Reality Winner. Is there anything on that file that could tie it to you? It's your responsibility to make sure the answer is "no."
Importantly, we have to note: This isn't an exhaustive or foolproof list. Anyone risking their job or jail time should do more research than just reading one article. Because if history is any indication, leaking controversial or secret material isn't going to make you any friends—so take great pains to cover your tracks.
- Foxconn led Consortium Backed by Apple, Dell, and Potentially Google to Bid for Toshiba’s Chips
- Apple shares fall in premarket trade after Mizuho downgrade
- The Best watchOS 4 Features
- U.S. banks launching answer to peer-to-peer payment app Venmo
- Alleged iPhone 8, iPhone 7s, and iPhone 7s Plus Molds Leaked