Bonum Certa Men Certa

How to Securely Provide Techrights With Information, Documents

The key is anonymity

A lock



Summary: Advice for potential whistleblowers, or sources with evidence of abuse that they wish to anonymously share with the world (via Techrights)

OVER the years Techrights has received critical information from dozens of sources, all of which remained safe (unexposed). But this does not mean that all of them did this safely. This article provides advice for those who wish to pass to us information in the safest of ways, without having to do a lot of complicated things.



Why Not Off-the-shelf, Self-contained Secure Software?



Over the past 6 months or so we have looked into various bits of Free/libre software, e.g. Briefkasten (no longer actively maintained, as of 2013) and SecureDrop, which is too big a project (massive also in the source code sense compared to Briefkasten, not to mention difficult to set up). After much effort we decided to settle for something which is simpler to use and is much faster to use. To facilitate leaking of sensitive documents (e.g. evidence of misconduct) we mostly require anonymity, as the content of the material does not -- in its own right -- do much (if anything) to expose the source.

Typically, whole frameworks are built for distributed and de-centralised leaking. This requires quite a bit of hardware, which in turn needs to be set up and properly configured. It's complicated for both sides (source and receiver) and it's usually developed for large teams of journalists, for constant interaction with sources, or a regular flow of material. We do not require something this advanced. In practice, a one-time document drop is usually enough.

Our Proposed Solution



We have decided that the following method would be good enough given the nature of leaks we normally receive. They are typically about technology, rather than some military or surveillance apparatus such as the CIA's assassination (by drones) programme or the NSA's mass surveillance programme.

For extra security, we kindly ask people to ensure anonymity/privacy tools are used, notably Tor. Without it, privacy/anonymity cannot be assured to a high degree. It's possible, but it would not be unbreakable (meaning too great an effort and a challenge for spies to take on).

Establishing a Secure (Anonymous) Session



Follow the following steps, with (1) for extra assurance of anonymity.

  1. Install Tails or prepare a Tails device (e.g. Live CD) to boot on a laptop, in order to simplify session creation with Tor (for those who insist on using Windows we have this guide [PDF]).
  2. Irrespective of (1), seek public wireless/wired access in something like a mall (preferably not a sit-down like a coffee shop, where cameras are operated and situated in a way that makes it easy to track individuals by faces, payment with debit/credit cards and so on). The idea is to seek a place -- any place -- where it is hard to know the identity of the connected party, even by association (e.g. friend or family). Do not use a portable telephone (these are notoriously not secure and regularly broadcast location).
  3. Refrain from doing any browsing that can help identify patterns or affiliations of the user (e.g. session cookies). In fact, unless Tails is used, it might be worth installing a new browser (Opera for instance) and doing nothing on it prior to the sending of material. This reduces the cookie trail/footprint.


Send the material



Once logged in anonymously, anonymously (do not log in) submit text through Pastebin and take the resultant URL for later pasting. Do not pass PDFs for non-textual material. Instead take shots of them, to reduce/eliminate metadata which is often being passed along with them. Then submit to Anonmgur and make a note of the resultant URL for later pasting.

This is typically a one-way communication channel, so add any context which is necessary, then link to the above material as follows:



Caveats



While not impenetrable, it would take an enormous amount of effort (and connections in several high places) to unmask a source who follows the steps above. Unless it's a high-profile political leak, such an unmasking effort would be well beyond what's worth pursuing (expensive and complicated). MAC address-level spying often assumes access to very high places (and deep into back rooms), so therein lies no significant danger, especially when the best anonymity tools are properly used and the incentive to unmask isn't great enough at high places (usually the political or military establishments).

Recent Techrights' Posts

People's Understanding of the History of GNU/Linux is Changing
RMS is not a radical, he's just clever enough to see and foresee what's going on
Microsofters Were Scheming to Take Over This Entire Web Site (in Their Own Words!)
Money gets spent censoring/deplatforming people who speak about real issues; no money gets spent actually tackling those underlying issues
Bicycles for the Minds and the Story Harrison Bergeron
"The goal of having people in charge of the tools they use and that the tools should amplify ability" has long been abandoned
[Video] Cory Doctorow Explains DMCA: DRM in the Browser (or Webapp) Will "Make It a Felony to Protect Your Privacy While You Use It."
Pycon US Keynote Speaker Cory Doctorow
 
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 29, 2025
IRC logs for Thursday, May 29, 2025
Links 29/05/2025: Chinese Cracking Against EU Institutions (Prague), More Assaults on Media and Its Funding Sources
Links for the day
EPO Workers Caution That the Officials Are Still Illegally Trying to Replace Staff With Slop (to Lower Quality and Validity of European Patents)
Nobody in Europe voted for any of this
Links 29/05/2025: US Health Deficit and Malware Disguised as Slop Generator
Links for the day
Links 29/05/2025: Turtle Roadkill, Modern 'Tech' as a Sting
Links for the day
Thanks for All the Fish, Linux Format
people who once wrote for it (or for other magazines) comment on the importance of this news
Links 29/05/2025: YouTube Problem and Giant Privacy Hole in Microsoft OneDrive
Links for the day
United States Courts With Sworn Testimonies Are on Our Side, We'll Present the Same Here
Chronicling what happened is a moral imperative
Serial Sloppers Ruin and Lessen the Incentive to Cover "Linux"
The Serial Sloppers (SSs) ought to be named and shamed, but almost nobody does this
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 28, 2025
IRC logs for Wednesday, May 28, 2025
Links 28/05/2025: 'Emulation Layers' (Measurements and Linguistics), Libraries, and Discomfort
Links for the day
Links 28/05/2025: More Arrests for Bitcoin-Connected Torture and Prosecutions for Dieselgate-Linked Executives
Links for the day
Even Microsoft (MSN) Covers Richard Stallman's Public Talk in Milan 2 Days Ago
He spoke in Spanish earlier this month (Alicante)
Gemini Links 28/05/2025: Techo-authoritarianism With Slop Plagiarism and "No Online June" (Going Offline)
Links for the day
Links 28/05/2025: GitHub MCP Exploited and MathWorks Discovers Huge Windows TCO
Links for the day
Very High Attendance Level at Richard Stallman's Talk Shows People Can Relate to His Message
Smear campaigns have their limits
Gemini Links 28/05/2025: Celsius-Fahrenheit, Endless Scrolling/Infinite Scrolling, and Trapping LLM Slop Bots
Links for the day
Prison gate backdrop to baptism by Fr Sean O'Connell, St Paul's, Coburg
Reprinted with permission from Daniel Pocock
More Photos From This Week's Milan Talk by Richard Stallman
The posts are in Italian, not English
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, May 27, 2025
IRC logs for Tuesday, May 27, 2025