Introduction

In 1965, 28-year-old Peter Buxtun was hired by the U.S. Public Health Service in San Francisco as a venereal disease investigator. Shortly after starting his job, Buxtun began hearing about a little-known, ongoing study on African-American males with syphilis. To Buxtun’s ears, this didn’t sound right — by the late 1940s, penicillin had been shown to be an effective drug against syphilis. How could there be an ongoing study of people with a disease that had become rare, thanks to a cheap and effective treatment that was discovered 20 years ago?

Though distracted by a return to school and a law degree, Buxtun continued to follow the trail, contacting the Centers for Disease Control and gathering documentation on the under the radar study. He continued to share the story with those around him, but no one he spoke with knew what to do. Was the study illegal? Surely it was unethical, but would it be possible to do anything about it?

Finally, in 1972, Buxtun found a partner who was interested. He sat down with a reporter from the Associated Press and delivered the information he had gathered. On July 26, 1972, the front page of the New York Times carried the headline: “Syphilis Victims in U.S. Study Went Untreated for 40 Years.” The public was outraged, and this was the start to the end of the federally sponsored Tuskegee Study. A class-action lawsuit was filed against the U.S. government. Congress passed the National Research Act in 1974, leading to the creation of the Office for Human Research Protections.

Though it was a long time coming, President Bill Clinton eventually offered a formal apology to the survivors in 1997: “The United States government did something that was wrong — deeply, profoundly, morally wrong,” said Clinton in his speech to survivors. “It is not only in remembering that shameful past that we can make amends and repair our nation, but it is in remembering that past that we can build a better present and a better future.”

The shameful story of the Tuskegee study might never have come to light if someone hadn’t decided to speak up and disclose information about the deeply racist experiment. Buxtun listened to his internal moral compass and did something about it. And he wasn’t alone: Buxtun had a partner who helped him amplify and contextualize the information for the public.

Unethical acts — not just illegal ones — need to be revealed. Society can only evolve when individuals stand up and shine a light on unethical practices. If you see something that doesn’t seem right, speak up. Trust your gut.

The past few years saw a wave of revelations as a result of the #MeToo movement and its cascading disclosures by strong individuals who decided to speak up and reveal the truth. Sexual harassment and assault are rampant around the world, and because these individuals brought this to the forefront of our awareness, others have been able to better identify harassment and understand the actions they can take to do something about it. Our thanks are merited to those who have stood up to harassers and organizations that have allowed illegal or immoral behavior to go unchecked, especially to those who didn’t have a clear and safe way to report the harassment. Your work is creating new pathways, hopefully making it easier for those who follow in your footsteps.

This book is for those who want to use information to stand up and shine a light on unethical or illegal practices. The goal is to help people prepare for challenging situations that they might face in the future, and to gain a better understanding of their options and the implications. If you see something you think is wrong but don’t know how to do anything about it, let this book be your guide. Challenge systemic issues, point out threats to the public, and disclose fraud, waste, and abuse. Do so by safely releasing information. But there is no reason that you need to lose all you’ve worked for in your life or go through years of mental anguish and stress because someone else did something wrong. Speak up, but be safe about it!

If you do, you will be joining the ranks of those who have spoken up around the world about sexual harassment, corporate fraud, civil rights violations, mistreatment of animals, medical malpractice, bribery schemes, unethical policing, and anything else that wrongdoers want to keep secret.

Of course, there will be challenges. In 2018, the Global Business Ethics Survey found that employees who reported corruption suffered retaliation 44 percent of the time. Combine this with the fact that we are constantly tracked, leaving a digital trail that reveals where we’ve been, what we’ve looked at, and with whom we’ve communicated, and the odds of disclosing information without retaliation or consequences are slim. But we can increase your chances.

In this book, we offer an alternative solution to this quandary: anonymous research and disclosure. By remaining anonymous, you can stay in control of your identity while planning how to best disclose sensitive information, all while limiting how you can be tracked and attacked by those who might want to stop you. We’ll show how to be methodical and how to do research before sending a document to the press. Your first instincts may be your worst option.

Chances are that this will be your first and only time disclosing information — blowing the whistle, as it’s known. This isn’t something that makes a career. If you screw up — and sometimes even if you don’t — there will be consequences. Instead of attempting this process alone, you can partner with someone who can help you navigate the legal, technical, and even emotional challenges that you will face. Whom you choose as your partner will depend on your circumstances and goals. It might be a lawyer, a journalist, or someone who works at a public advocacy organization. No matter with whom you decide to work, you should focus on building trust. Do this by being open, by setting and meeting expectations, and by discussing the best ways to work together. By doing this, you will have much better chances of success and reduce the likelihood of retaliation.

Also, stay up to date. Technology is changing all the time, so researching the technological recommendations in this book on your own is critical. Though these are the best practices at the time of this writing, they may not be by the time you are reading this, though many of the general strategies will hopefully still apply. Do your homework.

For instance, before you start searching for things such as “how to disclose information safely” in your favorite online search engine, read the recommendations in this book. A record of that search could be a piece of data that makes it easy to identify you later on. By the time you have finished reading the chapter on anonymous research, you should be ready to learn more on your own. Until that point, stick with the printed words here. Though you may not realize it, the printed word is likely more secure than anything you could learn on your smartphone or computer. If you can, purchase this book anonymously or gift it to a friend anonymously.

If you do choose to disclose information, it will be hard. Realize this before you start.

You almost certainly won’t win an award. Nobody is going to make a movie about you. It will be uncomfortable for your personal life. If you’re identified, you will likely be retaliated against. But it is the right thing to do. If the information that you have is eating you up inside and you must tell the world, be sure to do it safely. In many cases you need to be willing to win the fight completely anonymously, without even one other person in the world knowing that it was you who pointed out what was wrong.

To those who take on these risks and speak up for the public and the voiceless — thank you. Only through your help exposing unethical and illegal practices can we make the world a better place. Good luck, and be safe.

Your Data Will Be Used Against You

You are your data.

That might sound like a broad statement, unless you consider how much data you produce with digital devices every day or even every minute. Who can gain access to that data? Anybody who wants to know about you and who has the power to tap into all that information. As someone attempting to disclose information, you will have many adversaries. Some will try to stop you. Some will be poised to retaliate against you. You need to understand the data trails that you leave behind, how the data is collected, and who has access to it. Only then can you be more strategic with respect to your digital habits and disclosure techniques.

In this section we will consider who might tap into your data and how. The point of this exercise isn’t to make you stop using technology. On the contrary, it is to help you develop enough of an understanding that you can make smart choices about how and when you use digital technology. You must protect yourself, and to do that you must protect your data.

I could write a whole book exploring the landscape of the digital data that you produce, along with the many surveillance techniques used to collect this data. Fortunately, many others have already worked on this topic. Bruce Schneier’s book Data and Goliath is particularly useful for thinking through these issues and offers a number of possible solutions. If you want to dig deeper on data, that book is a great resource. However, the easiest and most logical place to start thinking about data trails and tracking is likely within your arm’s reach right now: your smartphone.

These marvelous devices have reshaped our relationship with information. They’re ubiquitous computers that fit in our pockets, are always with us, and are always connected. They maximize connectivity with a minimum of effort. We have our friends, families, jobs, and the information of the world at our fingertips. But, of course, with constant connection comes constant tracking.

These devices hold more personal information than a filing cabinet ever could. Yet most people are quite relaxed with their smartphones’ security, either because they choose not to care or they don’t know how to secure them. Think about it. We are armed with powerful digital devices in our pockets. They have relaxed security features that leak data constantly. And plenty of corporations, governments, and even individuals are happy to sit on the other end of the internet, hoovering up our data. When they are our adversaries, they can use this data against us.

The device manufacturers (e.g., Apple), application providers (e.g., Facebook), and internet service providers (e.g., AT&T) gather your data from these devices and monetize it. A smartphone has so many sources of information that it’s hard to list them all. But consider that a phone has microphones, cameras, and location chips and is used for many modes of communication — email, text, phone calls, and more. If gathered and put together, the data moving in and out of our smartphones reveals a detailed, frighteningly detailed picture of who we are and probably even what we think. Regardless of whether you believe that the value proposition of trading data access for free software is fair or ethical, it is the world we live in today. Your data is being vacuumed up, stored, and sold.

You should be wary of your smartphone and the ways that it can be tracked. One example of smartphone data tracking comes from Malte Spitz, a member of the German Green Party. He requested and received six months of his location metadata that was collected and stored at T-Mobile. This data wasn’t being collected by some illegal spyware, but rather was gathered under the EU Data Retention Directive that was in place from 2006 until 2014. That directive required telecommunications companies to save the IP address and time stamp of every email, text message, or phone call sent or received by a user. Malte’s six months of information included 35,830 individual data points. When mapped, these data points produced a finely detailed view of his life.

Perhaps an even more important treasure trove of information is the actual audio and video that can be captured by your phone, potentially without your knowledge. Phones have been hacked, either by installing software on them directly or by convincing individuals to click on links that compromise their devices. By compromising your device, then listening directly to conversations or remotely watching videos taken surreptitiously from your phone, a nefarious third party can potentially learn almost everything about you — except perhaps the thoughts you hold secret in your head. Actually, sometimes what we do on the internet unwittingly reveals our innermost thoughts, fears, and desires. As early as 2006, the FBI was remotely turning on cell phone microphones to eavesdrop on conversations. In recent years, software available online can be installed on someone else’s phone, allowing remote listening, viewing, and tracking.

Sometimes the data recorded is used for more banal purposes than direct monetization. Consider the log files of your IP address, which offer a record of when you connect to a company server. This information would seem to be valueless data for a company, except to be able to debug a problem with your software. But this type of boring metadata can still have consequences for an individual: an IP address can be geolocated, and if the data is timestamped, it can reveal the user’s physical location at a certain time. When a corporation or someone else who can look at this type of data is your adversary, they can track your movements.

Let’s say you’re browsing the web on a laptop. You might think that as long as you don’t log in to any services, and as long as you use a web browser in incognito mode or with private browsing

enabled, it will be difficult to track your identity on the web. On the contrary, enough variables are transmitted to a server by your web browser alone to make your laptop unique and in effect fingerprintable. When you visit a webpage, your browser shares such variables as the fonts you have installed, your screen size, the dimensions of your browser window, any plugins you have installed, the exact browser version you have installed, and much more. The variables transmitted to the server make every computer browser close to mathematically unique. You can even be tracked as you browse the web, regardless of whether you use a VPN (Virtual Private Network) to mask your IP address. Go see how unique your browser is and what you can do about it with the Electronic Frontier Foundation’s Panopticlick website.

No matter the type of disclosure you are attempting or the context you find yourself in, if you use digital technology (i.e., if you’re basically anyone besides Vladimir Putin), you should consider digital technology corporations as your adversaries. Corporations — not nonprofits, and generally not governments — are the controllers of the devices and services that we rely on. Think of the applications on your phone. Almost all of them were likely created by various companies. Our reliance on these organizations means that we are interacting with them constantly, thereby giving them data about us. If you are going to try to disclose information safely, you need to understand not only your own process of disclosure, but also how third parties might track you or otherwise gather data about you.

Tim Schwartz co-organizes the digital training organization Los Angeles Cryptoparty, a member of the Electronic Frontier Alliance. He is a digital strategist at Alley, a digital agency that builds websites and digital systems for the media, nonprofits, and others. After developing technology to reunite missing people affected by the earthquake in Haiti in 2010, he began organizing the Missing Persons Community of Interest, which develops technology for reunifying families after disasters. He lives in Los Angeles. Publisher Credit: Reprinted with permission of the author and publisher from A Public Service: Whistleblowing, Disclosure and Anonymity (OR Books, 2019).