Government whistleblowing is harder than just downloading an app. Earlier this month, California Congressman Ted Lieu shared an article on Twitter, detailing options for federal employees who want to leak unclassified information, including the use of encrypted messaging apps like Signal, WhatsApp, and Telegram.
But disclosing sensitive information to the press may be risky, particularly for a federal employee. The decision to blow the whistle could cost them their livelihood, freedom, or worse.
At the Freedom of the Press Foundation, we build software to support whistleblowers, conduct newsroom security trainings, and organize security resources for journalists. So when we see risky security information aimed at journalists and whistleblowers, especially coming from people in positions of authority, our hair grays.
We had some thoughts.
Encrypted chat apps might provide sufficient protection if you’re blowing the whistle on a small, under-resourced organization, but U.S. agencies have deep pockets and the legal and technical resources to investigate these conversations. Extra caution may be necessary, especially given the current and previous administrations’ aggressive approach to prosecuting sources to the press.
Lieu doesn’t recommend leaking classified information, and much of his guide is accurate and important, particularly on whistleblower rights. But unfortunately, federal employees face unique dangers when talking to the press — including the threat of prosecution — and should know all the facts before choosing which tool, if any, to use to contact the press. Talking to a practicing lawyer about federal whistleblower protections may be a good idea, too.
How recordkeeping exposes whistleblowers
The idea behind encrypted chat apps like WhatsApp is to keep our conversations private and provide more protection than traditional text messages or phone calls. When done right, these apps use end-to-end encryption. This just means that no one but the sender and receiver can read the messages — not even the service provider.
However, just as postal mail includes information about the sender, receiver, and a postage date, our electronic messages include information about who spoke to whom, when, and for how long. This metadata is at least as revealing as the conversation itself.
Many encrypted messengers, including Signal, WhatsApp, and Telegram, use a phone number to register an account, which investigators may use to identify subscribers by name.
With over 1.5 billion users, WhatsApp is perhaps the world’s most popular messenger. Using the same encryption as Signal, which is considered the gold standard in the security community, WhatsApp boasts strong end-to-end encryption. This means that even its parent company, Facebook, can’t read your messages. However, Facebook does retain some important information, including users’ address books, members in conversation groups, and IP addresses. As a U.S. company, Facebook may be compelled to provide their data to investigating U.S. agencies.
The company says they do not store messages or transaction logs once a message is delivered, but we have seen cases of compelled surveillance of users’ records while their metadata traverses the server.
According to court documents, this kind of metadata was one piece of evidence used against Treasury Department employee Natalie Edwards in a leak investigation.
Can investigators read the messages themselves?
In specific circumstances, yes.
WhatsApp encourages users to back up and access their human-readable messages from multiple devices with services like iCloud or Google Drive. You can opt out, but this is tricky because your conversational partners need to opt out too, or they could leave copies of your messages in the cloud. Even if the initial message was encrypted end-to-end, investigators may issue a legal order to Apple or Google for a human-readable backup.
Security experts have long expressed concern with Telegram’s encryption, though we are not aware of a breach that reveals the content of messages, and the company says they have disclosed “0 bytes” of user data to third parties. Perhaps more worryingly, encrypted chat is turned off by default.
Likewise, through physical seizure or by hacking in, U.S. agencies sometimes gather human-readable conversations on targeted devices.
Deleting the metadata doesn’t necessarily mean you’re invisible
The Signal messaging app is generally considered the strongest choice within the security community for its hardened encryption, conservative approach to metadata, and the fact that it’s an open source project, meaning third parties can check out the code. We often recommend Signal to journalists.
When Signal received a U.S. grand jury subpoena for targeted user data, they showed us everything they keep: a registration phone number, registration time, and the last time the user was connected.
All messengers necessarily produce information about who spoke to whom and when, including Signal. Signal does not log metadata on its servers, and Signal is even starting to offer some extra protection for this information. Signal keeps the bare minimum they can, which is great, but it doesn’t mean the conversation will be completely anonymous.
My colleagues at the Freedom of the Press Foundation maintain a tool called SecureDrop, designed to better facilitate anonymity by bouncing the user’s encrypted connection through multiple servers around the world, masking the user’s IP, before reaching a newsroom’s anonymous “dropbox.” Even with SecureDrop, federal employees need to be extra cautious. We always recommend using SecureDrop from a public Wi-Fi network, since any use on a device or network controlled by their workplace could reveal activity.
Enabling a culture that respects whistleblowing
Whistleblowing can be vital for our democracy, but any app, no matter how secure, will never fully protect the rights of federal employees who want to expose wrongdoing to the press. While providing whistleblowers more tools to communicate securely is a laudable goal, we should also build a culture where legitimate whistleblowing activities are protected in the first place, without fear of retaliation.
Government whistleblowing is becoming more risky, not less. Look no further than the current and past administrations’ use of the Espionage Act to prosecute alleged leaks. This 1917 law was penned to prosecute individuals sharing data with foreign governments, not citizens speaking to the U.S. press about matters in the public interest. The draconian law prevents a leaker from even telling a jury why they alerted the public to a potentially illegal or corrupt act by the government.
While most workplaces have established channels for calling attention to employees’ concerns, the sanctioned channels sometimes fail to produce change. Talking to the press may not be an easy decision, but it is one of the most important ways we can hold powerful institutions to account.