soberania_tecnologica_v2/en/content/10leaks.md

# Whistleblowing

## A double edged sword

Whistleblowing is an ancient practice that has been called many names and is
not ethically bound.  It can be the link between the source and the
journalist, or between the snitch and the military.  In both cases, a reserved
information goes in the hands of a person considered trustworthy, which
transforms this information into an action.  Wikileaks and Snowden have made
whistleblowing come back full powered, showing how digital communication can
simplify the process and protect the integrity of communications between
sources and recipients.  Anonymity and encrypted storage technologies have
propelled this revolutionary framing.

I say framing because whistleblowing does not have an ethical value per se,
what identifies its nature is the political cause that motivates it.  So if
you are a single person going up against a powerful organisation, like the US
state department, the intelligence community, the financial system, or the
Vatican, you might be remembered for your heroic behaviour, like Chelsea
Manning [^1], Bill Binney [^2], Herve Falciani [^3], Paolo Gabriele and Claudio
Sciarpelletti [^4].  Although becoming famous in this field often means you
have been caught, denounced or that you are in the run, hopefully those
outcomes do not apply to all whistleblowers, as we will see.

Your informations can empower the citizen in understanding the power dynamics
in play, but institutions themselves can also take advantage of those.  If the
ultimate goal of whistleblowing is making society more transparent in the
interest of society itself, this might sound fascinating if you want a
revolution, but it can be also very irresponsible for other reasons.  Nobody
really wants a society in which everyone can be a spy or an anonymous snitch.

Such a society would just strengthen the currently established institutions in
power.  Regimes in which a person can be economically rewarded for snitching
on other citizens exemplify such misuse.  Added to that, any structure with
some type of power, even your small NGO or political team, benefits from
agreements and contracts which are kept private because they require some
level of confidentiality.  No resistance would be possible without well kept
secrets.

Transparency for the State (or for “who has enough power to shape our
reality”) and privacy for the rest of us?  This could work as a nice
simplification, but then we should respect this separation in all our
political actions and never, ever, expose any private information of other
citizens.

I worked with the globaleaks.org team on the creation of its software
platform.  Our dream, was to create a “portable wikileaks” that could be
unleashed in every city, media and public company.  After all, white collar
crime and other corporate misbehaviour can’t be detected, neither understood,
without an insider.  My experience comes from deploying it for different
groups with different needs.  Departing from the made up story below, we will
see how digital whistleblowing can enhance your political actions and what you
should take into account when planning your leak initiative.

## Once upon a time...

There was a river getting heavily polluted.  Some facility operates nearby and
it is clear they are disposing chemical waste.  There are rules, periodic
checks, policies – but at the end of the day, flora and fauna are getting
poisoned.  Someone inside must know, but you don’t know anybody who works at
the facility.

Your team creates a campaign and solicit sources, but criticism starts because
your Wordpress blog for receiving the leaks is not very secure.  Therefore,
you set-up a proper platform (SecureDrop or GlobaLeaks [^5]) that can guarantee
anonymity for the source, and encryption for the information exchanged.  Even
a seizure of the server can’t compromise the security of sources nor your
active investigations.  This is a privacy by design setup.  However, despite
the platform pick, you know that your initiative is shaking some established
power and you fear retaliation.  You develop a mitigation plan based on
splitting responsibilities among a larger group composed of environmental
lawyers, local journalists and some foreign analyst who also receives the
leaks.  This way, if a person get stopped, the initiative will keep running.
However, despite all this security management, after two months you have
received zero leaks.

Sadly, we are closed in our bubble, our circles.  We try to communicate with
our intended audience, but despite our efforts at the end of the day we talk
only to persons similar to us.  So, nobody working at the facility was in your
comfort zone.  You’ve to hunt these sources, advertise them personally or
massively.  In the beginnings, nobody understands why your cause is important.
Then you re-frame your message, making clear why it matters for the
environment, why their role is important, and after some weeks, the first
timid source might arrive.

This is just the beginning and when the first article is published, you know
this story will be read by facility employees because they talk about their
company.  And then you explain again why their role matters, how they can send
anonymous tip-offs, that they are not the first and can do it safely.
Gradually, step by step, gaining trust from persons with different values and
knowledge, you are getting the flow of information that might be transformed
in political outrage, strength, actions.  After a while, society takes action
and the facility has to take responsibility for its environmental impact.

This example can take place in different contexts in which abuses happen.  But
let's see if all the outcomes of leaking are positive and corrective or if
they can be damaging as well? 

## Practical steps

Suppose you are lucky enough to receive an anonymous document detailing a
lobbyist plan to influence the new policy about environmental preservation.
The first urge might be to publish it immediately.  Let citizens make their
own mind, and check if the information contained in the document fits their
own knowledge.  Some readers might confirm, deny, or integrate new information
within the original source.

But this is not journalism and it is not information, it is just a naive
action of unmediated radical transparency.  Ten years ago, WikiLeaks used to
work that way.  It was a platform in which sources could upload documents and
have other readers perform its analysis, investigation and publication.  In
2007, it was a common way of doing things, until Buzzfeed [^6] does the same in
2017, publishing an unvalidated report about Russians and Donald Trump.

However, such release methods are dangerous and extra tempting if you are
operating in the information ecosystem.  The speed of messages does not let
people evaluate the information in its context, nor understand how much of it
is plausible and which are the parties involved.  Nowadays only the title, the
subtitle, and maybe a small percentage of the actual content is actually
spread.  It is impossible to ask for a public revision and when unvalidated
news goes viral, the effect is to split the audience into two polarized
groups.

Trust is key because a leak might not lead to changes.  It can be ignored,
silenced, accepted as daily life.  An anonymous document should be published,
but it is expected that a trustworthy person, such as a mainstream media
journalist, a visible activist or human rights defender states: “I know the
source, I vouch for the source, I’m protecting the source”.

Leaks are information you might use as accountable tools for transparency.
They can also be legitimate research tools for civil society.  Results can
feed into scientific or political processes.  Change is not something that can
be implemented by technology.  On top of technically defined properties, you
need to implement your political and ethical values.

## Whistleblowing powered campaigns as processes

The best validation method we have seen so far is independent research.  If
the investigation hasn’t lead anywhere, then the leak has to be considered
unconfirmed.  You might also need to interact with the source in order to get
leads.  Luckily, some platforms can keep sources in the loop in order to
confirm their submission, request updates, or answer questions raised during
the investigation.  On the one hand, you can ask for more details.  On the
other, you will still have to evaluate the proofs, because you cannot rely
only on the source.  Publishing leaks without understanding the agenda and
motivations of the sources can mean being instrumentalised by them.  Keep in
mind that leaking has been used many times for organising smear campaigns.

Having trustworthy partners among the recipients also greatly helps the
initiative.  It ensures that the revision, source management and outreach will
not be done by only one group, but will be shared through partnerships with
local lawyers, journalists, policy makers, researchers.  Then your group has
to transform investigated and validated leaks into stories.  Passionate and
understandable stories to engage people and create mass mobilization.  Think
about the process applied to the Edward Snowden leaks where for three years
now there is constant journalistic revision and gradual publications.

One key factor for a successful campaign is to remain focused on a subject, a
topic, a challenge.  Do not vaguely call for evidence about corruption at
large.  Frame your specificities in your landing page and targeted towards
your audience.  Confirmed content should be clearly marked and more visible.
And every time you have the opportunity to write for the media, remind to the
readers that a safe box for tip-offs is available, because articles are
generally read by people involved in the issue.

It is useful to measure what is happening as much as possible.  Keep track of
the event and monitor its social media presence in order to understand how to
improve your campaign based on results collected earlier.  By sharing these
measurements, you will help other initiatives like yours.  Don’t be afraid of
your enemy and keep building open data on how your organisation works.  Do not
address the people, but the numbers, concentrate on the results, achievements
and statistics.

## Dangerous paths where you should be cautious

An initiative has a time window of existence, it has to define what it is
aiming for, what is its next milestone and how it is going.  Having
unmaintained initiatives might confound future potential sources.  If your
activity stops, make it very clear, because nothing sounds more sketchy and
worrying than a whistleblowing initiative that accepts tips but fails to
publish them.

Putting a source at risk is irresponsible, and this can happen if a story
contains too many identifiable details.  Files need to be sanitized and
metadata need to be cleaned, but you also need to ask the source about how
many other persons got access to the same information.  Depending on the
amount (two, twenty or two-hundred) aware of the same secret, different
justifications will need to be made up.

It is easy, when you're part of a conflict and you are facing an adversary, to
assume that all the persons collaborating with it are your adversaries too.
That is a dangerous path.  Do not aim at leaking personal information about
“low-rank” workers, for instance, because you might just expose innocents to
responsibilities they don't own.  Just imagine if similar actions were used
from an established power to treat a minority or a marginalised group.  If you
are looking for social justice, spreading whistle-blowing as a way to solve
political struggles might just backfire against your agenda.

Attacking an individual is a fascist behaviour, and it has to be stigmatized
despite the political reason sustaining the initiative.  What has to be
exposed is the corruption of a system, not the misery of life.  Whoever does
the release has the mission also to protect low ranked individuals from public
exposure.  Otherwise, whistleblowing will just enable a "Kompromat" [^7], a set
of information that might embarrass someone or be used for blackmailing
individuals.  Every faction in play can make use of it, so it is better to
share strong ethical values in order to judge the democratic quality of
initiatives.

In theory, a whistleblowing initiative is intended to empower a weak group to
shed light ona secretive oppressive organisation.  But what defines power,
oppression and secrets depends on contextual and subjective evaluations and
thus can be rarely used as an assessment and evaluation criteria.

As a conclusion, I really believe whistleblowing can address and make good use
of lot of disgruntled employees and the ethical remorse that some ex-workers
experience.  Being able to empower these voices and transform their stories
into changes is a vector of leverage we have to explore, maybe now more than
ever.

## Successful cases of GlobaLeaks adoption

Interesting experiments have been created by communities around the world.
Since 2012, the GlobaLeaks team is keeping track of a list [^8] but some of the
most notable are the submissions collected by WildLeaks, a platform against
animal poaching [^9]; the Italian Investigative Reporting Project Italy
collecting evidence of public officers on Couch-surfing raping their guests
[^10].  I mention this just because there are so many corruption cases.  The
Spanish X-Net [^11] was able to prove the complicity of bankrupt bankers and
the state and made a theater play out of it.  PubLeaks, with the participation
of the biggest Dutch media, made a book with all the revelations received in 4
years, and MexicoLeaks [^12], was apparently so frightening that journalists
were fired even before the leaks began to flow.  And now is up to you.  What’s
the Pandora’s box you want to open?

## References

[^1]: The most inspiring whistleblower of the last years perhaps? https://en.wikipedia.org/wiki/Chelsea_Manning

[^2]: https://en.wikipedia.org/wiki/William_Binney_(U.S._intelligence_official)

[^3]: https://www.theguardian.com/news/2015/nov/27/hsbc-whistleblower-jailed-five-years-herve-falciani

[^4]: In 2012, Paolo Gabriele and Claudio Sciarpelletti, working for the Pope, fed journalists with internal and reserved documents about the Vatican management.  This lead to Pope Benedict XVI to step down (an event that was not happening since 600 years).

[^5]: GlobaLeaks https://globaleaks.org and SecureDrop https://securedrop.org

[^6]: https://www.washingtonpost.com/blogs/erik-wemple/wp/2017/01/10/buzzfeeds-ridiculous-rationale-for-publishing-the-trump-russia-dossier

[^7]: https://en.wikipedia.org/wiki/Kompromat

[^8]: https://www.globaleaks.org/implementations

[^9]: https://wildleaks.org/leaks-and-reports/

[^10]: https://www.theguardian.com/world/2015/may/29/couchsurfing-rapist-dino-maglio-italian-police-officer-rape-padua

[^11]: https://www.thenation.com/article/simona-levi/

[^12]: https://www.occrp.org/en/daily/3776-mexicoleaks-journalists-fired-after-joining-whistleblowing-alliance