Digital Security

Blowing the whistle in the digital era brings nuanced challenges in cybersecurity and data protection.

You need to ensure that your identity and personal information — and that of your loved ones — are safeguarded online. Every whistleblower should take the following cybersecurity steps before going public:

  • Understand your data rights. Data literacy, especially when speaking out against a tech company, is essential for whistleblowers to protect themselves. Organizations like Own Your Data — founded by Cambridge Analytica whistleblower Brittany Kaiser — provide information on current data policies and regulations, data literacy training opportunities, and resources for protecting online privacy.

  • Scrub your social media. A key step in getting ahead of online retaliation when whistleblowing is assessing your social media accounts to be certain that no personally identifying or damning information can fall into the hands of a corporation’s legal team or potential online harassers. 

Example: Before Amazon whistleblower Chris Smalls tapped social media to garner support for his labor organization efforts, he deleted or archived all personal information and photos from his Instagram page. He said,

“I knew Amazon would try to look… Once I found out they were trying to smear me, I was like, oh, let me take off these pictures from the club last year.”

This instruction to scrub social media accounts also applies to close family and friends who may get caught in the crosshairs of whistleblowing retaliation. 

  • Strengthen passwords. The most common way whistleblowers (or anyone online) fall victim to harmful doxing is through insecure log-in credentials, including weak passwords that give online trolls an open door to personal information. Strengthening online passwords for all accounts — not just those used in the whistleblowing process — is a must to avoid doxing.

  • Use multi-factor authentication (MFA). Along with securing log-in credentials, using MFA adds an extra layer of protection to online accounts and activity by requiring users to provide two or more verification factors to gain access. MFA is an increasingly common feature across email providers.

  • Clean up. Whenever any sensitive information has been shared online, promptly eliminate any evidence of the communication. Delete related documents from the computer, delete the search history, and log out of any channels that could trace activity back to you.

Be sure to avoid these common pitfalls when communicating secure information:

  • DO NOT share the information over social media.
  • DO NOT use a device owned by your employer.
  • DO NOT engage in any identifying activities online. 

 

Notes: “Identifying activity” in any part of a browsing session, including in a new tab, is enough to identify the entire session. Additionally, deleting documents, history, and logs will not completely remove evidence if your device undergoes a forensic examination.