The Impact of OSINT in Whistleblowing
Balancing transparency, confidentiality, and ethics in investigations that concern whistleblowing.
Authors: Paul Wright and Neal Ysart (The Coalition of Cyber Investigators)
Open source intelligence (OSINT) has opened new avenues for journalists and investigators to uncover and verify critical information from publicly available sources. When handled carefully, OSINT can substantially aid transparency, uncover essential facts, and combat disinformation. However, whistleblowers—key actors in exposing corporate misconduct—face significant risks when their identities are exposed and deserve urgent protection. Misusing OSINT techniques can compromise confidentiality, potentially placing whistleblowers in danger of identity exposure and physical harm.
This article explores preventative measures OSINT practitioners and whistleblowing system managers can adopt to minimise these risks.
OSINT Risks for Whistleblowers
Once identified, whistleblowers are vulnerable to various forms of retaliation:
- Professional Retaliation: Workplace retaliation may manifest as demotion, ostracism, or termination, creating a culture of fear where others are afraid to speak out.
- Harassment and Social Ostracism: Hostility within and outside workplaces often isolates whistleblowers.
- Psychological Stress and Financial Strain: Emotional anguish and legal battles can harm mental health and financial stability.
- Relationship Damage: Exposing unethical practices can strain personal and professional relationships, further isolating whistleblowers.
Safeguarding Confidentiality in OSINT Practices
Protecting whistleblowers requires balancing transparency with confidentiality through robust ethical practices and technical safeguards:
- Minimising Data Collection: Avoid unnecessarily gathering personal information that could reveal a whistleblower's identity.
- Secure Reporting Channels: Ensure whistleblowers can report anonymously and securely.
- Promoting Best Practices: Ethical OSINT use enhances accountability without compromising privacy so that whistleblowers can expose misconduct without fear.
For further insights, see resources such as the Armed Forces Communications and Electronics Association International’s (AFCEA) discussions on privacy concerns and Whistlelink’s exploration of whistleblower protections.
Loss of Confidence in Whistleblowing Systems
When OSINT techniques are misused to identify whistleblowers, they undermine the confidentiality crucial to whistleblowing systems, including ISO 37002 Whistleblowing Management Systems Guidelines. The same methods that investigators use to investigate crime and support legitimate investigations can pose risks to whistleblower anonymity when misapplied:
- Digital Footprint Analysis: Examines online activity, potentially exposing whistleblowers.
- Social Network Mapping: Reveals relationships that could link whistleblowers to disclosures.
- Metadata Examination: Exposes hidden information within documents or communications.
- Pattern-of-Life Analysis: Identifies behaviours that might reveal a whistleblower's identity.
If a corporate whistleblowing system does not have adequate protections, numerous characteristics could identify someone making a disclosure, such as name, place of work, role, gender, associations with parties connected to the disclosure, or the depth of knowledge and nature of the information provided.
Protective Measures for OSINT Practitioners
There is still no universally recognised ethical framework for OSINT practitioners to follow, although the Coalition of Cyber Investigators are strong advocates for the development of one. In the case of whistleblowers, careful consideration is critical when deploying OSINT techniques. OSINT practitioners can adopt measures to protect whistleblowers:
Ethical Guidelines
- Establish protocols for handling sensitive information, including "stop rules" when investigations risk exposing identities.
- Develop policies, a code of conduct, and mandatory ethical training for all OSINT practitioners.
Technical Controls
- Implement data minimisation practices.
- Securely store and manage evidence with strict access controls.
- Use intelligence grading mechanisms for sensitive information.
Professional Standards
- Provide training on whistleblowing laws, including "tipping off" regulations.
- Conduct quality reviews for sensitive investigations.
- Develop clear escalation procedures.
- Adopt trauma-informed approaches when dealing with distressed whistleblowers, including conducting interviews sensitively, recognising trauma and stress, providing relevant support mechanisms, and employing techniques to avoid re-traumatisation.
Protective Measures for Whistleblowing System Managers
Organisations managing whistleblowing systems must mitigate OSINT-related risks through technical, procedural, and organisational measures to safeguard whistleblowers and potential victims of false or malicious disclosures. Those protections help defend against deliberate threats by malicious actors and unintentional privacy or security breaches during legitimate investigations. Recommendations fall into the following three categories.
Technical Safeguards
- Use anonymisation tools and secure communication platforms throughout the end-to-end whistleblowing lifecycle, such as the ICIJ's "Leak to Us" mechanism.
- Regularly audit and perform penetration testing on whistleblowing platforms.
- Strip metadata from submitted documents to protect anonymity.
Procedural Controls
- Offer multiple reporting channels, including ones independent from management, to prevent single points of failure.
- Enforce strict access control policies and conduct regular audits.
- Train system administrators in ethics and privacy.
Organisational Measures
- Develop strong anti-retaliation policies with clear escalation procedures.
- Conduct awareness programmes to promote safe and confidential disclosures, so all employees understand what is expected of them.
- Demonstrate executive buy-in for the whistleblowing mechanism, emphasising whistleblowing's role in good governance.
- Conduct annual surveys to gauge whether employees believe that whistleblowing mechanisms are genuinely anonymous and confidential, that they will be protected from retaliation and harassment, and that disclosures will be taken seriously and properly investigated.
Future Considerations
As technology advances, both threats to and protections for whistleblowers evolve. AI and machine learning may automate identity exposure, while encryption and anonymisation tools provide defences.
OSINT practitioners and whistleblowing system managers must remain vigilant about OSINT's capabilities to ensure they fulfil their distinct but interconnected roles ethically.
Conclusion
The intersection of OSINT and whistleblower protection requires balancing investigative capabilities, robust safeguards, and a strong ethical stance. Protecting whistleblowers is not just a legal obligation but essential for maintaining transparency and accountability in institutions. This protection must extend beyond technical measures to include ethical treatment and respect for the confidentiality of whistleblowers who wish to remain anonymous.
By fostering ethical practices and designing whistleblowing systems that evolve alongside OSINT capabilities, we can ensure whistleblowers feel confident their disclosures will remain confidential and their anonymity protected.