my_research/us_govt_whistleblower_guide.html
2025-07-23
US Govt Whistleblower guide
Disclaimer
- Incomplete
- I deleted the full version as I'm still working on it. Will update once ready.
Why this guide?
- I continue to think there isn't a single whistleblower guide on the internet that's good enough for this scenario. Some guides avoid talking about important details due to chilling effects. Other guides prioritise interests of journalists or lawyers.
Summary of the guide
- If you are not leaking US classified information but only an overview of the situation based on your own word, your best choice is probably coming out publicly in the US with a legal defence and requesting donations to fund it.
- Why?
- Historically, a majority of such people did not end up in prison.
- If you are leaking US classified information, your best choice is probably flying to Russia like Snowden did. Your best choice is probably not improving your opsec and hoping to stay anonymous in the US.
- Why?
- The sysadmins working for the NSA leadership track every document downloaded from the central DB to client machines, so your opsec being good isn't enough to protect you.
- Almost every person who stayed in a country within the US sphere of influence after leaking classified info has been imprisoned.
- How? (Mindset)
- Security mindset is hard to quickly convey. (I don't yet have good resources for this.)
- You should be familiar with concepts like bits of anonymity and security through obscurity. Every word, expression and action reduces bits of anonymity, as long as there's a physical trail, a digital trail or a person who observed it. Example of an action that reduces bits: Leaving your house sparkling clean when you otherwise leave it somewhat messy.
- You should be aware law enforcement has also read all the guides you're reading including this one.
- You should probably avoid thinking of ad-hoc methods and stick to tried-and-tested methods instead.
- The reason you might succeed at this plan is not that you're more intelligent or knowledgeable than law enforcement; it's the physics/engineering constraints that make whistleblowing easier than catching whistleblowers. Assume by default that they're more intelligent and knowledgeable than you.
- How? (Methods)
- You should probably leave no digital trail.
- You should probably redact documents yourself using GIMP on an airgapped Tails setup, inspect bytes for steganography and metadata, and create a single tarball of everything. Redacting audio/video correctly is hard; I would recommend sticking to plaintext and images if possible.
- There is no safe way to erase a disk using a hardware (firmware) or software tool. You must physically shred all disks used and process data in RAM otherwise.
- I do not currently recommend building a faraday cage as that leaves behind a suspicious purchase record. I would recommend using no wireless connection, and using absence/presence of wired connection as a de-facto airgap.
- You should probably leave no unusual items in your physical trail.
- This includes but is not limited to every item in your house (electronic, paper, etc), every purchase you make and every roadside camera you pass.
- Trusted people
- While in the US you should probably have zero people in-the-loop, while outside the US geopolitical sphere you should probably have one lawyer and zero other people in-the-loop. "People" here includes immediate family members, psychiatrists, journalists, etc. You should probably trust zero people to help you commit the action, but trust a few people to support you after you have committed the action.
- Sending to journalists
- If you redact documents yourself, you should ideally not require trusting any journalists with any sensitive info such as your identity.
- You should probably send documents to as many journalists as possible, but trust none of them.
- Most SecureDrop servers provide journalists' PGP pubkeys. You should ideally manually PGP encrypt the tarball before you send it via any channel (be it SecureDrop or ProtonMail or something else).
- (I am yet to make up my mind on whether it is better to send documents before or after you leave the US. Sending documents after leaving the US is safer if you can successfully smuggle an SD card past airport security. Do your own research, or wait for me to do mine.)
- Country of asylum
- Russia has a good historical track record for this scenario. It is very important to make the right choice on which country you fly to. You may use a connecting flight through a third country to reduce suspicion.
- It is important you are present in this final destination immediately after sending the documents; every day of delay makes a difference.
- Advanced users only:
- If you rely on journalists to publish the documents for you, there's some probability they'll help cover up mistakes you made while doing redaction. On the other hand there's also some probability they'll act against your interests or simply refuse to publish your documents. Predicting their behaviour is hard and I don't recommend trusting your predictions of how they'll behave.
- If you publish the documents yourself, you have to do redaction correctly. But you can guarantee publishing without trusting anyone.
- You can send the documents to multiple social media sites that allow anonymous submissions over Tor.
- You can acquire ETH anonymously and publish your tarball directly to Ethereum blobdata. This ensures mirroring to multiple nuclear states. The same goes for purchasing BTC anonymously and publishing to the Bitcoin blockchain.
- There are two methods to acquire ETH anonymously: the first is to CPU mine XMR and then swap it for ETH using a trusted bridge; the second is to use some imperfect method like cash or gift cards to buy ETH, but then use Tornado to wash it. Both methods should be done using Tails only (not airgapped).
- Evidence, full guide
- Maybe a useful reference, but do not blindly trust it as it is work-in-progress: https://www.lesswrong.com/posts/jKehN6uTYF7Z4WFKW/us-govt-whistleblower-guide-incomplete-draft
- Some of this is currently my personal opinion. I would much rather back everything in the guide with empirical evidence from previous cases, than rely on my opinion.