Privacy and Security
Could internal whistleblower platforms prevent public scandal?
- By Amber Corrin
- Jun 11, 2013
The recent leaks of information detailing National Security Agency domestic surveillance activities inevitably raise questions that echo those of previous, similar scandals: How did this information get out?
In recent years, such leaks have come at the hands of workers with access to government networks and sensitive information. The revelations are made through public avenues for a variety of reasons, including distrust of internal processes, scarce protections for the whistleblower and, perhaps most of all, the absence of anonymity.
But what if that anonymity was readily available inside an organization? What if whistleblowers did not have to go outside of an agency to report wrongdoing without being identified?
Some government entities have such mechanisms in place. The Securities and Exchange Commission, for example, provides ways to anonymously submit information through the whistleblower program mandated in 2010's Dodd-Frank Wall Street Reform and Consumer Protection Act. However, doing so requires legal representation and completed paperwork provided to the attorney "signed under penalty of perjury at the time you make your anonymous submission."
It is not hard to see why leakers and whistleblowers may instead decide to turn to the Internet's cloak of obscurity, whether real or perceived.
"The U.S. has roots in whistleblower protection; it's just a matter of execution in some cases," said Volker Roth, computer science professor at Freie Universität Berlin and a member of the team behind AdLeaks, an online whistleblowing project that aims to provide undetectable, encrypted communication capabilities.
While whistleblowing protections exist in U.S. law, it is often limited to designated areas – tax fraud, for example – and hinges on particular regulations and procedures.
"It can be difficult to navigate, and risky if one makes a mistake and those protections end up not applying," Volker said. "It creates tension in having to take risks and make concerns known within an organization, including possibly to people who could be in position to" retaliate.
WikiLeaks broke the mold in terms of public awareness in whistleblowing, and despite its subsequent demise, websites and programs, not unlike AdLeaks, have cropped up to facilitate those looking to anonymously expose wrongdoing. In the wake of WikiLeaks, a dual-focused movement in technology and transparency is yielding options that agencies could use to channel potentially dangerous exposés into reform efforts.
"We, as information and privacy experts, have analyzed the requirements from the security point of view, therefore what we're aiming for is not just software, but a wider project also involving advocacy in personal security for dealing with sensitive documents," Claudio Agosti, president of the Hermes Center for Transparency and Digital Human Rights and a developer with its GlobaLeaks project, told Radio Free Europe/Radio Liberty last year.
GlobaLeaks provides open-source software framework that companies and public agencies can use for free. The Hermes Center's Fabio Pietrosanti told FCW that one of the center's other projects, the LeakDirectory wiki with links to whistleblowing information and websites, will also be part of a forthcoming release of national security whistleblowing guidelines.
Other online platforms continue to emerge, many of them noted in LeakDirectory. Among them are companies and organizations that offer whistleblowing software as a service, usually built on anonymous Internet-based reporting tools, web applications and software like GlobaLeaks. But as Pietrosanti points out, platforms alone may not be enough for effective internal whistleblowing measures.
"The platform does provide a means to let whistleblowers to send tips...by the user of a web browser or smartphone," Pietrosanti said. "However, it's very important to underline that GlobaLeaks is a tool that facilitates the implementation of whistleblowing procedures, but it does not substitute the needed transparency policies and business process engineering activities for the setup of whistleblowing practices."