my_research/us_govt_whistleblower_guide.html

2025-09-09

US Govt Whistleblower Guide

Disclaimer

• Incomplete. Work-in-progress.

Why this guide?

• I continue to think there isn't a single whistleblower guide on the internet that's good enough for this scenario. Some guides avoid talking about important details due to chilling effects. Other guides prioritise interests of journalists or lawyers.

Summary of the guide

• If you are not leaking US classified information but only an overview of the situation based on your own word, your best choice is probably coming out publicly in the US with a legal defence and requesting donations to fund it.
  • Why?
    • Historically, a majority of such people did not end up in prison.
• If you are leaking US classified information, your best choice is probably flying to Russia like Snowden did, obtaining asylum and then coming out publicly as a whistleblower. Your best choice is probably not improving your opsec and hoping to stay anonymous in the US.
  • Why?
    • The sysadmins working for the NSA leadership track every document downloaded from central DB to client machines, so your opsec being good isn't enough to protect you.
    • Almost every person who stayed in a country within US sphere of influence after leaking classified info has been imprisoned.
  • How? (Mindset)
    • Security mindset is hard to quickly convey. (I don't yet have good resources for this.)
    • You should be familiar with concepts like bits of anonymity and security through obscurity. Every word, expression and action reduces bits of anonymity, as long as there's a physical trail, a digital trail or a person who observed it. Example of an action that reduces bits of anonymity: Leaving your house sparkling clean when you otherwise leave it somewhat messy.
    • You should be aware law enforcement has also read all the guides you're reading including this one.
    • You should probably avoid thinking of ad-hoc methods and stick to tried-and-tested methods instead.
    • The reason you might succeed at this plan is not because you're more intelligent or knowledgible than law enforcement, it's because of physics/engineering constraints that make whistleblowing easier than catching whistleblowers. Assume by default that they're more intelligent and knowledgible than you.
  • How? (Methods)
    • Preliminary research
      • You should do all your preliminary research on a dedicated TAILS setup only. This is a separate computer dedicated for this purpose.
      • Do not create any accounts or write stuff to the internet. Only read content.
      • Do not use a mobile phone for whistleblowing-related work, all phones are insecure.
    • Mental health
      • If you are struggling: Read Secret life of secrets by Michael Slepian. Read about other cases from the whistleblower database, such as Snowden's case. Read about activists working in your field of interest, for example AI risk. Decide that you are morally correct in accepting the negative consequences on yourself and your loved ones. Accept that people around you will probably understand, but that there are no guarantees. Once your conscience is clear, the rest is just execution. Taking a month or two longer to take a clear decision is better than botching up execution due to mental health reasons.
      • Do not contact a mental health practitioner.
    • Acquiring documents safely.
      • You will likely have to smuggle an SD card multiple times, at your workplace, residence, airport, and so on. Remember that buildings may contain scanners that reliably detect this.
      • Remember that your work computer that contains the files may log when a file is copied to external device or displayed on the monitor.
    • You should probably leave no digital trail.
      • You should probably redact documents yourself using GIMP on an airgapped TAILS setup, inspect the raw bytes for steganography and metadata, and create a single tarball of everything. Redacting audio/video correctly is hard, I would recommend sticking to plaintext and images if possible. .BMP is a good image format as it contains almost no metadata, allowing you to inspect the raw bytes more easily.
      • If there is too much material to redact, my current recommendation is to not try to leak it. (This is a weak opinion. Do your own research, or wait for me to do mine.)
      • There is no safe way to erase a disk using a firmware or software tool. It is ideal to process data in RAM only using TAILS, and avoid using any disk. If you absolutely must use a disk, use a fresh SD card or an HDD. Do not use an SSD or a USB drive. This ensures you can physically shred it into small pieces using a hammer or power drill you already own. Do not leave behind a suspicious purchase record. Unfortunately you will have to boot TAILS on a USB drive, which is difficult to destroy.
      • I do not currently recommend building a faraday cage as that leaves behind a suspicious purchase record. I would recommend using no wireless connection, and using absence/presence of wired connection as a de-facto airgap.
    • You should probably leave no unusual items in your physical trail.
      • This includes but is not limited to every item at your residence (electronic, paper, other), every purchase you make and every roadside camera you pass.
      • Generate as little physical trash as possible (electronic, paper, other), as there is no easy-to-use completely secure way of disposing trash that can't be connected back to you. Assume every garbage dump you visit will be thoroughly searched.
      • Assume your location is trackable at all times. Do not visit places you wouldn't have visited previous to your plan to whistleblow.
    • Trusted people
      • While in the US you should probably have zero people in-the-loop, while outside the US geopolitical sphere you should probably have one lawyer and zero other people in-the-loop. "People" here includes immediate family members, psychiatrists, journalists, etc. You should probably trust zero people to help you commit the action, but trust a few people to support you after you have committed the action.
    • Sending to journalists
      • (I am yet to make up my mind on whether it is better to send documents to journalists before or after you leave the US. Sending documents after leaving the US is safer if you can successfully smuggle an SD card past airport security. Do your own research, or wait for me to do mine.)
      • If you redact documents yourself, you should ideally not require trusting any journalists with any sensitive info such as your identity.
      • You should probably send documents to as many journalists as possible, but trust none of them.
      • If you rely on journalists to publish the documents for you, there's some probability they'll help cover up mistakes you made while doing redaction. On the other hand there's also some probability they'll act against your interests or simply refuse to publish your documents. Predicting their behaviour is hard and I don't recommend trusting your predictions of how they'll behave.
      • Most SecureDrop servers provide journalist's PGP pubkeys. You should ideally manually PGP encrypt the tarball before you send it via any channel (be it securedrop or protonmail or something else).
      • I do not currently recommend uploading an encrypted tarball of the documents to the internet, with the intention of revealing your key at a later date. The only time your documents should touch an internet-connected computer is when they are being directly sent to a journalist.
    • Country of asylum, Lawyer
      • Russia has good historical track record for this scenario. It is very important to make the right choice on which country you fly to. You may use a connecting flight through a third country to reduce suspicion.
      • It is important you are present in this final destination immediately after sending the documents, every day of delay makes a difference.
      • Once you're in the final destination, you should contact a lawyer. Until you have reached till this step, almost no lawyer is likely to actively help you as they will themselves be risking imprisonment if they do. Remember your lawyer will be a target of investigation just as you are.
      • Do not expect to be granted asylum by any country before you are physically present on their soil. There is almost no historical precedent for this, and you lack bargaining power.
    • Advanced users only: Self-publish the documents
      • If you publish the documents yourself, you have to do redaction correctly. But you can guarantee publishing without trusting anyone.
      • You can send the documents to multiple social media sites that allow anonymous submissions over Tor.
      • You can acquire ETH anonymously and publish your tarball directly to ethereum blobdata. This ensures mirroring to multiple nuclear states. The same goes for purchasing BTC anonymously and publishing to bitcoin blockchain.
      • The best method to obtain BTC or ETH anonymously is to CPU mine XMR, then swap to BTC or ETH using a trusted bridge. The second best method is use some imperfect method like cash or gift cards to buy BTC or ETH, then swap to XMR via a trusted bridge for mixing purposes, then swap back to BTC or ETH via a trusted bridge. Either method should be done using TAILS only (not airgapped).
    • Failure
      • If you are approached by law enforcement, contact a lawyer and don't say anything. If you are approached, assume you are probably going to be imprisoned, because you are unlikely to be approached unless there is enough accumulated evidence to imprison you.
  • Evidence, full guide
    • Maybe a useful reference, but do not blindly trust it as it is work-in-progress and an older version. Some of it is incorrect, as I have studied more about this topic since then. Link: https://www.lesswrong.com/posts/jKehN6uTYF7Z4WFKW/us-govt-whistleblower-guide-incomplete-draft
    • Some of this is currently my personal opinion. I would much rather back everything in the guide with empirical evidence from previous cases, than rely on my opinion.

Subscribe / Comment

Enter email to subscribe, or enter comment to post comment