It’s been three weeks since Twitter’s former security boss, Peiter “Mudge” Zatko, revealed explosive claims about the company’s security practices. Among the allegations, Zatko said Twitter wasn’t taking steps to fix multiple security problems and that India had forced Twitter to put a government agent on its payroll. Twitter denies the claims.
Since then, Zatko has been entwined in Elon Musk’s effort to not-buy Twitter for $44 billion, with Musk deposing the Twitter whistleblower ahead of his October showdown with the company. Today, Zatko will appear before the Senate Judiciary Committee, which is interested in the potentially “dangerous data privacy and security risks” detailed in his 84-page whistleblower complaint.
Blowing the whistle against Big Tech has become increasingly popular in the last few years. As WIRED’s Steven Levy notes, this often involves prominent whistleblowers turning to the nonprofit Whistleblower Aid.
But blowing the whistle isn’t easy and carries an array of risks. Any whistleblower or potential whistleblower faces the legal concerns and potential ramifications that come with exposing a company’s or government’s wrongdoing, of course. But that part is predictable. There’s also the risk of being targeted or publicly smeared as a result of the allegations, the mental and emotional pressure of whistleblowing, and unemployment. Lawyers representing whistleblowers and journalists writing about their claims can also be tracked or monitored.
While multiple laws in the US protect whistleblowers, it’s not uncommon for businesses, including the likes of Google and Meta, to have internal teams that look for threats coming from within their own walls. Because of this, potential whistleblowers should avoid using their work devices or systems, including email, to expose wrongdoing: anything that passes through employer-managed hardware or accounts can be logged and reviewed by exactly those teams. “Due to advanced surveillance techniques … communication through your personal devices may also not be secure,” the House of Representatives whistleblower ombuds advises. It recommends using the anonymity network Tor, the encrypted messaging app Signal, or SecureDrop for whistleblowing. The latter is an open-source platform that uses Tor to let people send files to journalists securely. (The live operating system Tails, which routes all of its traffic through Tor and leaves no trace on the machine it runs from, can also provide extra protection.)
For someone who decides to blow the whistle with Whistleblower Aid’s help, the first step is to contact the organization—which isn’t exactly straightforward. “We don’t have insecure methods to contact us,” says John Tye, cofounder of Whistleblower Aid, who spoke with WIRED about its security practices ahead of Zatko’s Senate appearance. There are no cookies or trackers on its website, and it doesn’t list any email or postal addresses where potential whistleblowers can get in touch. Instead, they can make contact through either Signal or its SecureDrop instance. (Tye says people can use its SecureDrop to send only messages and not files, as it doesn’t want to receive classified files.)
Initial contact is just the start. Beyond this—once Whistleblower Aid has signed on clients—it recommends using Signal for most messaging. “A lot of time is spent trying to keep our secure devices secure,” Tye says.
Not all whistleblowing is the same, and every whistleblower has their own set of risks. Someone calling out Big Tech malpractice will face different threats from those facing a national security whistleblower, for example. Tye says Whistleblower Aid conducts threat modeling for each of its clients, assessing the risks they face and where, or from whom, those risks may come. One consideration, he says, is whether certain cloud computing services can be used at all: a service may be riskier to rely on if its provider has a relationship with a government.