• Media

Digital Security

  • Written By: Lioness

Blowing the whistle in the digital era brings nuanced challenges in cybersecurity and data protection.

You need to ensure that your identity and personal information — and that of your loved ones — are safeguarded online. Every whistleblower should take the following cybersecurity steps before going public:

  • Understand your data rights. Data literacy, especially when speaking out against a tech company, is essential for whistleblowers to protect themselves. Organizations like Own Your Data — founded by Cambridge Analytica whistleblower Brittany Kaiser — provide information on current data policies and regulations, data literacy training opportunities, and resources for protecting online privacy.

  • Scrub your social media. A key step in getting ahead of online retaliation when whistleblowing is assessing your social media accounts to be certain that no personally identifying or damning information can fall into the hands of a corporation’s legal team or potential online harassers. 

Example: Before Amazon whistleblower Chris Smalls tapped social media to garner support for his labor organization efforts, he deleted or archived all personal information and photos from his Instagram page. He said,

“I knew Amazon would try to look… Once I found out they were trying to smear me, I was like, oh, let me take off these pictures from the club last year.”

This instruction to scrub social media accounts also applies to close family and friends who may get caught in the crosshairs of whistleblowing retaliation. 

  • Strengthen passwords. The most common way whistleblowers (or anyone online) fall victim to harmful doxing is through insecure log-in credentials, including weak passwords that give online trolls an open door to personal information. Strengthening online passwords for all accounts — not just those used in the whistleblowing process — is a must to avoid doxing.

  • Use multi-factor authentication (MFA). Along with securing log-in credentials, using MFA adds an extra layer of protection to online accounts and activity by requiring users to provide two or more verification factors to gain access. MFA is becoming an increasingly common feature across email providers.

  • Clean up. Whenever any sensitive information has been shared online, promptly eliminate any evidence of the communication. Delete related documents from the computer, delete the search history, and log out of any channels that could trace activity back to you.

Be sure to avoid these common pitfalls when communicating secure information:

  • DO NOT share the information over social media.
  • DO NOT use a device owned by your employer.
  • DO NOT engage in any identifying activities online. 

 

Notes: “Identifying activity” in any part of a browsing session is enough to identify the entire session in a new tab. Additionally, deleting documents, history, and logs will not completely remove evidence in the event of a forensic examination of your device. 

Statement of transparency

This entire project is worthless if the tech workers who come to it cannot trust where the information is from, who is behind its creation, and who manages the site. For that reason, I have identified every organization and individual who has been instrumental in its development.

The time and resources required to put together the Handbook were funded by Omidyar Network. This is a wholly independent project owned and managed by me. No identifying data will ever be collected or shared about who accesses this site — with anyone. That said, I do NOT advise accessing this from a company device. Your employer can, and will likely, track visits to a resource like this Handbook. 

You can find a list of the data WordPress automatically collects about site visits here.

 

— Ifeoma Ozoma, Founder of Earthseed, Creator of the Tech Worker Handbook