A whistleblower’s story is only as good as the proof that backs it up — which makes documentation a fundamentally important part of the whistleblowing process.
“Documentation when you’re fighting discrimination, harassment, and retaliation is critical. But [whistleblowers] are so often told along the way to not document for a variety of reasons . . . So it was a decision which was very scary that I made completely solo.” Google whistleblower Chelsey Glasson
What should I/should I not document?
To support a whistleblower or retaliation claim, it is important to document evidence and observations of any wrongdoing by an employer or others at the company, including the date and time the wrongdoing occurred.
However, lawyers and HR departments may advise against documentation for the following reasons:
- Company policy — It is common for an employment contract to prohibit the sharing of proprietary or internal information with anyone outside of the organization, including legal or government officials. Be sure to review and understand the terms of any applicable contracts, and the implications of breaking those contracts, before copying or sharing internal documents or information.
- Attorney–client privilege — If a whistleblower works with a lawyer in sharing their story publicly, that whistleblower will be granted attorney–client privilege, which protects confidentiality of communications between an attorney and their client. However, any documentation that may have been shared outside of this relationship, either intentionally or inadvertently, may not qualify for privilege. For details on legal matters, see Journalists Cannot Provide Legal Advice; The Outcome.
How can I document information?
Documentation used in whistleblowing comes in many forms:
- Self-documented notes (handwritten, typed, or voice memos) of incidents or conversations are useful for a whistleblower to keep tabs on issues or concerns that arise internally, and then reference later when getting their story straight for the media.
- Copies of company documents may include employee contracts, nondisclosure agreements (NDAs), internal memos, internal databases, and other documents containing proprietary information. As noted above, be sure to review and understand the terms of any applicable contracts, and the implications of breaking those contracts, before copying or sharing internal documents or information.
- Copies of e-mails or text messages from either internal or external subjects are often saved in the form of screenshots.
- Audio or video recordings may include recordings of internal company meetings, in-person conversations, and phone calls.
Wiretapping and recording statutes vary by state and often center on the question of consent:
- One-party consent — Most states require consent of only one party (including the whistleblower) for lawful recording. If you follow one-party consent, you are not required to tell the other parties the conversation is being recorded.
- Two-party consent — A handful of states require consent from all parties in a conversation, known as “two-party consent,” for lawful recording; despite its phrasing, this applies to conversations that include two or more parties. (Some states do refer to this as “all-party consent.”)
- Multi-state calls — The legality of recording with parties across multiple states can be challenging to discern and varies by state. In some cases, courts refer to the law of where the incident of concern took place; that is, the state where the employer’s office building is located. In other cases, courts refer to federal law, which follows one-party consent.
- Special considerations — Some states have “mixed” rules that primarily follow either one- or two-party consent, with special provisions for certain situations. For example, Hawaii typically requires one-party consent, but requires two-party consent if the recording device is installed in a place where a person has a reasonable expectation of privacy.
Be sure to review the laws in your respective state before recording any phone calls or conversations. Source: Recording Law
How can I safely share documentation and information?
Whistleblowers can share documents and sensitive information with the media in a number of ways, but it is important to consider data protection before doing so:
- Snail mail — This old-school method of document-sharing is beneficial when handling sensitive information, as it significantly lowers the risk of the information landing in the wrong hands, whether due to an online hack or an e-mail forwarded without your consent or knowledge. It is best practice to use a public mailbox, without including a return address, to avoid having sensitive materials traced back to your home or workplace — and keep in mind that the US Postal Service keeps a record of all mail for law enforcement use.
- E-mail — Although this may be the easiest way to share documents with the media, it is not advised for sensitive materials or information, as e-mail servers record exchanges. Private accounts may also be subject to records requests under the Freedom of Information Act when they involve a public agency. Tip: Some media outlets provide their reporters with unique PGP public keys for encrypted messaging. To send an encrypted e-mail, first download OpenPGP software and follow instructions for creating a public key and sending the secure message.
- Protonmail — Protonmail, the world’s largest secure e-mail service, offers an easy and accessible alternative to standard email. E-mail sent via Protonmail is end-to-end encrypted, even if the recipient does not have a Protonmail account. Users can access most of the security benefits for free, and can upgrade to paid versions to expand storage and organizational tools.
- SecureDrop — Managed by the Freedom of the Press Foundation, SecureDrop is an open-source document submission system designed to allow whistleblowers to securely share files with media outlets. More than 50 news organizations reportedly use SecureDrop, including The New York Times, the Intercept, and The Washington Post.
- Signal — This free secure messaging app, available on iOS and Android, offers end-to-end encrypted messaging and phone calls. Signal is growing in popularity among journalists and privacy advocates as a way to safely share information. It even has a “self-destruct” feature to make messages disappear.
For more guidance on digital security and privacy, see Digital Security.