The Threat Model to Think About First in Whistleblowing

In whistleblowing, create a threat model first.

A threat model is a way to organize who you are protecting against, what you are protecting, and through which paths leaks may happen.

In whistleblowing, the other party is often not an external attacker, but the organization you belong to. The organization may hold records of who received which materials, viewing logs, device management data, entry and exit records, and email history.

That is why you need to think more carefully than with ordinary anonymous posting.

Who to Protect Against

First, think about who may try to identify the whistleblower.

Candidates include supervisors, legal, information systems departments, audit departments, executives, external investigation firms, and in some cases investigative authorities. The information each can see differs.

| Actor | Information they can see |
|---|---|
| Direct supervisor | Work content, working hours, who was dissatisfied |
| Information systems department | Device logs, access history, email, cloud history |
| Legal and audit departments | Distributed materials, people involved, investigation records |
| Executives | Internal organizational authority, investigation instructions, disciplinary judgments |
| External investigation firm | Interviews, log analysis, investigation of people involved |

If you act without a clear picture of the other party, you will misjudge how strong your countermeasures need to be.

In whistleblowing, the other party is not merely a reader. They may be able to use internal organizational authority, logs, interviews, audits, and legal responses. A direct supervisor knows relationships and dissatisfaction. Information systems departments may be able to see device and cloud histories. Legal and audit teams investigate who received the material and who was involved.

If you underestimate the other party's capabilities, countermeasures will be insufficient. Conversely, if you treat every case as involving a nation-state-level actor, you will be unable to do anything. It is necessary to separate realistic actors and capabilities.

What to Protect

What you protect is not only your name.

Access to the material, send time, the fact that you consulted, document creator information, relationship to a department, and reactions after publication are also things to protect.

| Asset to protect | Concrete examples |
|---|---|
| Identity | Name, department, job type, workplace |
| Fact of access | Records of opening, printing, or downloading material |
| Fact of contact | Whom you consulted and when |
| Origin of material | Document creator, distribution scope, version |
| Timeline of behavior | When it was seen, when it was sent, and when it was published |

In whistleblowing, "who could have acted at that time" can matter more than "who had it."

If you protect only your real name, you will overlook important risks. The fact of accessing material, the fact of consulting, the time of printing, the history of opening files, and reactions after publication are also things to protect. The organization may look not for the name itself, but for "the person who touched this information."

In whistleblowing, protect identity, behavior, material, timeline, and people involved separately. If any one of them leaks, it connects with other information and narrows the candidates.

Where It Can Leak From

Think by separating places where leaks occur.

The stages are internal systems, devices, cloud services, documents, communication, submission destinations, and post-publication articles. Every stage has clues.

| Leak path | Example |
|---|---|
| Internal systems | File access, download, and print logs |
| Devices | USB connections, screenshots, app launch history |
| Documents | Creator, organization name, change history, comments |
| Communication | Email, DMs, calls, IP addresses, times |
| Submission destination | Recipient-side logs, storage method, reply method |
| After publication | Article content, publication time, material type |

In whistleblowing, stages before submission can become dangerous.

This is because records remain when you search for, open, copy, or print material.

Leak paths are not only submission routes. Search history from looking for material, viewing on a file server, cloud downloads, printer use, photographing with a smartphone, syncing to a personal cloud, and saving consultation notes all become clues.

Leaks also happen after publication. The specificity of articles or reports, publication timing, additional information, and reactions at work become material for looking for the whistleblower. In a threat model, separate before action, during submission, and after publication.

Separate the Size of the Risk

Whistleblowing spans a wide range.

Light internal consultation, labor problems, legal violations, accounting fraud, serious public-interest whistleblowing, and information close to state secrets have completely different risks.

| Risk | Situation | Way to think |
|---|---|---|
| Low | Ordinary workplace consultation | Check where to seek advice and how records are handled |
| Medium | Labor problems or harassment | Look at evidence preservation, advice options, and retaliation risk |
| High | Accounting fraud, legal violations, organizational wrongdoing | Legal advice and submission destination selection are important |
| Very high | Involving the state, public safety, or serious secrets | Do not act without a specialist |

The higher the risk, the more important it becomes to find a trusted place to seek advice before touching anonymous tools.

The size of the risk changes not only with the content handled, but also with the whistleblower's position: whether they are a permanent employee or non-regular worker, a student, or a foreign national, whether family may be affected, whether they are isolated at work, and whether there has been retaliation in the past. Even with the same information, the harm suffered differs depending on position.

In high-risk cases, it is important not to act alone. Look for a place to seek advice that fits the situation, such as a lawyer, support group, or news organization experienced in source protection.

Questions for Building a Threat Model

Before acting, answer the following questions.

| Question | Purpose |
|---|---|
| How many people know this information? | Check how small the candidate pool is |
| Are records of access to this material left? | See the internal log risk |
| Can the submission destination be trusted? | Think about recipient-side handling |
| Who will be suspected if it is published? | Anticipate retaliation after publication |
| Is there a legal or safety advice option? | Reduce the danger of acting alone |

If there are many items you cannot answer, you are not yet at the sending stage.

You should check first.

A threat model becomes easier to organize if you write it out on paper. However, be careful with that note itself. If you leave details on a workplace device, a cloud account under your real name, or a shared folder, it becomes a new trace. Organize only the minimum necessary information in a safe environment.

Decide Countermeasures From the Threat Model

A threat model is not only for thinking. From it, decide countermeasures.

| What you learned | Next countermeasure |
|---|---|
| Few people accessed the material | Adjust the content or publication time |
| Workplace device logs are strong | Look for a place to seek advice without increasing device operations |
| The submission destination is unclear | Confirm the operator and log policy before sending |
| Legal risk is large | Consult a lawyer or specialized intake point |
| Family or coworkers may be affected | Review publication scope and content |

A threat model is not only for stopping action. It is a tool for deciding what to check first, what to reduce, and whom to consult.

Summary

In whistleblowing, create a threat model first.

Organize who you are protecting against, what you are protecting, where leaks can occur, and how large the risk is.

Organizations may have logs for material access, device operations, cloud services, email, entry and exit, printing, and similar records.

Before using anonymous tools, check the source of the information, the submission destination, post-publication inference, and legal or safety advice options.

A threat model is the first risk map to create in whistleblowing.

Related tools

Whistleblower submission

SecureDrop

An external resource related to this article. Open it only when it fits your situation and threat model.

Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.

URL : https://securedrop.org/

Whistleblower platform

GlobaLeaks

An external resource related to this article. Open it only when it fits your situation and threat model.

Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.

URL : https://globaleaks.org/
