Anglican Watch

A whistleblower’s guide to online privacy and secure communication

A field guide for church whistleblowers

It’s no secret that Anglican Watch sources much of its information from whistleblowers. Given the general importance of whistleblowers to accountability, good governance, and national security, we thought this might be a good time to share some best practices on information/operational security and how to communicate safely with a media outlet.

  • Anonymous and pseudonymous speech enjoys a long and honorable history and in many cases is protected by the First Amendment.
  • There are numerous resources out there to support whistleblowers. Consider contacting one or more, or a whistleblowing attorney, before you disclose.
  • Know that, while the Episcopal Church has a whistleblower policy, it applies ONLY to employees at church headquarters. We have never yet seen a situation in which the spirit or the letter of the policy is honored. As for anti-retaliation provisions in the Title IV clergy disciplinary process, all we can say is that if you believe those work, you really are a trusting soul.
  • Know your outlet or reporter. Even the best reporters sometimes have interface issues with editors or other staff. So, be sure your reporter can and will protect your identity. And if you’re not sure, ask. For the record, we absolutely protect our sources, and silo information internally so that others in the organization don’t know the identity of sources.
  • In-person is always your best bet. Just know that many public locations retain security camera footage for weeks or months—and many retailers now scan license plates in their parking lots and use facial recognition inside their stores.
  • Email is almost never as secure as Signal, Threema, or other secure messaging apps.
  • Establish ground rules early on. The default for reporters is everything is on the record, and we have seen situations in other publications where sources were way too candid, only to be startled when their comments appeared in print. That said, our policy is to presume all information is on deep background unless specifically stated otherwise, meaning that we never identify a source absent express authorization. We 100 percent protect our sources.
  • Don’t use an employer’s equipment, including laptops, cellphones, or internet connections. Even using a relatively secure, end-to-end encrypted communications medium won’t do you much good if it’s clear that you were in contact with a journalist, or if messages are exchanged at almost exactly the same time.
  • Relatedly, access to a physical device may compromise your security. Thus, an abusive spouse, for example, who can access your cell phone, may be able to access otherwise secure data.
  • If you face risks to your physical safety, consider communicating through a trusted third party. This is especially true for victims of abuse.
  • Consider using the Tails operating system from a thumb drive. Once you remove the thumb drive from your laptop or desktop, it leaves no traces on that computer.
  • To anonymize your online activities, use Tor, a VPN, or a Wi-Fi access point somewhere you don’t typically visit. If you’re using a VPN, make sure you use a reputable one—free ones often DO retain access logs. (We use several, including ExpressVPN, ProtonVPN, Mullvad, and others. All of the ones we use have verified no-log policies.)
  • Keep in mind that you often can layer protections. For example, public Wi-Fi access points are notoriously insecure. But using one with, for example, a VPN makes it very difficult to correlate usage with your identity.
  • Prefer private secure channels versus public ones. Many journalists (us included) have public-facing communications channels, like our “official” phone, email, and Signal accounts. We also have secondary accounts, available on an as-needed basis, that omit our name, phone number, and other identifying information, making it harder for anyone to know that you contacted us or for someone to send us phishing messages.
  • Use a secure online dropbox if available. Some outlets, like The Washington Post, publicize their address; we make ours available on request.
  • Use end-to-end encrypted communications (E2EE). Signal and Threema, for example, use encryption in which only the end user can decrypt messages. That contrasts with other services, in which providers can and do retain the ability to decrypt messages.
  • Consider using a burner phone. Specifically, it’s possible to use Signal, Threema, or other secure messaging apps from a disposable phone, making it that much harder to connect you with a reporter or media outlet.
  • Be mindful of data retention policies. Signal, for example, allows users to set messages to self-destruct after a specified period. If one user has a two-week retention period policy, and the other user has a shorter time, the shorter time prevails. (Hint: For really sensitive stuff, we set retention times for a few minutes.)
  • Use safety numbers. Hackers sometimes access Signal by pretending to be someone they’re not. So, if you want to be sure that someone is who they say they are, use their safety number to verify their identity.

If all the information above hasn’t nerded you out, we’d add: Beware of metadata. Some providers, like Hushmail, encrypt messages with E2EE but transmit and retain so much metadata (like the IP addresses of sender and receiver, their geolocation, email headers, subject lines, and more) that there’s little real privacy. The same’s true for PDFs, Word documents, and photos. (One person sent us a death threat in a PDF document, but forgot to remove the metadata. Yes, we forwarded her name and identity to law enforcement.)
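To show where the metadata described above actually lives inside a file, here is an added example script (written for this edit, not Anglican Watch’s own tooling). It walks the segment structure of a JPEG to list and strip the EXIF/XMP, IPTC and comment blocks, and pulls the author, tool and date fields out of a PDF’s Info dictionary and XMP packet. It uses only the Python standard library; the sample JPEG and PDF are constructed inline, and the EXIF payload, names and tool strings in them are stand-ins, not real data.

```python
"""Find and strip identifying metadata in JPEG photos and PDF documents.
Added example for this guide, not Anglican Watch's own tooling; stdlib only.
Sample files are constructed in code so it runs offline; the EXIF payload
is a stand-in, not a real camera record."""
import re
import struct

# JPEG segments that carry metadata rather than pixels. APP2 (ICC colour
# profile) is left alone on purpose: removing it changes colour rendering.
JPEG_METADATA_MARKERS = {
    0xE1: "APP1 (EXIF/XMP: camera, GPS, editing software)",
    0xED: "APP13 (Photoshop IRB/IPTC: author, caption, location)",
    0xFE: "COM (free-text comment)",
}
SOS = 0xDA                                                # pixel data follows
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # no length field

def _jpeg_segments(data):
    """Yield (marker, start, end) per segment after SOI; the SOS segment runs
    to end of file because the scan data after it has no length field."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment found")

def jpeg_metadata(data):
    """Return {segment description: payload bytes} for metadata segments."""
    found = {}
    for marker, start, end in _jpeg_segments(data):
        if marker in JPEG_METADATA_MARKERS:
            name = JPEG_METADATA_MARKERS[marker]
            found[name] = found.get(name, 0) + (end - start - 4)  # minus marker+length
    return found

def strip_jpeg_metadata(data):
    """Return a copy of the JPEG with EXIF/XMP/IPTC/comment segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _jpeg_segments(data):
        if marker not in JPEG_METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)

# PDF: the Info dictionary and the XMP packet are where names and tools live.
PDF_INFO_KEYS = (b"Title", b"Author", b"Subject", b"Keywords", b"Creator",
                 b"Producer", b"CreationDate", b"ModDate")
_INFO_RE = re.compile(rb"/(" + b"|".join(PDF_INFO_KEYS) + rb")\s*\(([^)]*)\)")
_XMP_RE = re.compile(rb"<(xmp:CreatorTool|dc:creator|pdf:Producer|xmp:ModifyDate)"
                     rb"[^>]*>(.*?)</\1>", re.S)

def pdf_metadata(data):
    """Return identifying fields from the Info dictionary and XMP packet.
    Limitation: finds only literal strings in an unencrypted, uncompressed
    Info dictionary; many PDFs keep it in a compressed object stream, so an
    empty result is not proof of a clean file."""
    found = {}
    for key, value in _INFO_RE.findall(data):
        found[key.decode()] = value.decode("latin-1")
    for tag, body in _XMP_RE.findall(data):
        text = re.sub(rb"<[^>]+>", b"", body).strip()  # unwrap rdf:Seq/rdf:li
        found[tag.decode()] = text.decode("utf-8", "replace")
    return found

# Constructed samples (not real files).
EXIF_PAYLOAD = b"Exif\x00\x00II*\x00<stand-in TIFF data with GPS tags>"
COMMENT = b"Edited on the parish office laptop"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)                       # SOI, APP0 JFIF
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_PAYLOAD)) + EXIF_PAYLOAD
    + b"\xff\xfe" + struct.pack(">H", 2 + len(COMMENT)) + COMMENT
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    + b"\x12\x34\x56\xff\xd9"                                          # scan data, EOI
)
SAMPLE_PDF = (
    b"%PDF-1.4\n3 0 obj << /Title (Vestry minutes) /Author (J. Doe, Parish Administrator)\n"
    b"   /Creator (Microsoft Word) /Producer (Example PDF Library 1.0)\n"
    b"   /CreationDate (D:20240101120000Z) >> endobj\n"
    b"4 0 obj << /Type /Metadata /Subtype /XML >> stream\n<x:xmpmeta><rdf:RDF>"
    b"<xmp:CreatorTool>Microsoft Word</xmp:CreatorTool><dc:creator><rdf:Seq>"
    b"<rdf:li>J. Doe</rdf:li></rdf:Seq></dc:creator></rdf:RDF></x:xmpmeta>\n"
    b"endstream endobj\ntrailer << /Info 3 0 R >>\n%%EOF\n"
)
```

To check a real file, read it in binary mode and pass the bytes to `jpeg_metadata`, `strip_jpeg_metadata` or `pdf_metadata`. Two caveats are worth keeping in mind: the JPEG stripper removes segments by marker type, so anything a camera or editor put in a non-standard segment survives, and the PDF check is regex-level, so a PDF that stores its Info dictionary in a compressed object stream will look clean when it is not. For a document you are about to send, a dedicated scrubber such as mat2 or ExifTool is the safer final step; this script is mainly useful for seeing what those tools are removing.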

We hope this information is helpful. Feel free to contact us if we can help with related issues.
