A whistleblower calls

Caller: I got your name and number from the web. You’re listed as a member of the “national committee.” I need some advice. Can I trust you?

Alex: You can call me Alex. I work for a big company with government contracts. Three months ago I received a message about some dealings that weren’t part of my brief. At first I thought I was accidentally included as a blind copy recipient and didn’t think anything of it, but the emails continued to arrive and then I thought maybe someone might be intentionally copying me in.

Alex continues with the story bit by bit for the next five minutes, never mentioning the name of the company or what the contract was all about.

Alex: Look, I’ve read some of your materials. I could report the matter to superiors but that would be career suicide. I don’t trust the company hotline.

Chris: You’re right to be wary of making an internal report. And you’re being wise to seek advice before speaking out.

Alex: What about going to the media? Do you know any reporters who would take up this story? Ones I could trust?

Chris: What you might do is look at who has broken similar stories, especially journalists with a lot of experience.

Alex: I thought of approaching Lenina Alpha. Do you know her? But I want to remain anonymous.

Chris: She sounds like an excellent choice. Do you know what to do to prevent your identity being exposed?

Alex: I’ve read about the data retention law. So I don’t want to ring her. If she writes a big story, the company will use its connections to get the police to go through all her phone contacts, and that could lead back to me. Even if we encrypt our messages, there’s a law that lets the police get access.

Chris: You obviously know a lot about making precautions. Have you thought about ensuring that there are no electronic connections that can be traced to you?

Alex: I thought about getting a burner phone — you know, one that you use and then throw out — but I’m worried that it could still be traced to me. I was hoping that you could pass my material to Lenina.

Chris: Sorry, that’s not possible. In Whistleblowers Australia, we can provide information, advice and contacts, but we don’t act on anyone’s behalf. Could we talk about some other options?

Chris: You might try to meet Lenina face to face. That way there’s no way to trace your connection with her electronically.

Alex: That’s sensible if I don’t mind revealing my identity to her. And I do trust her. But I’m worried that if she knows who I am, she might be put under pressure to reveal my name, you know like being threatened with prison or worse.

Chris: Isn’t that unlikely? It’s only in big-time national security cases, or organised crime, where you really need to worry.

Chris: Getting back to how to contact Lenina, another option is sending her a parcel of printed documents, or even dropping them at her doorstep.

Alex: I thought of that. It’s fine for a one-time leak, but what if I have information that needs to get to a target in a timely manner?

Chris: You’ve just made me think of something. How are you ringing me? Couldn’t the police obtain the metadata for this call and use it to track you down? That’s assuming they bother with my contacts, which seems unlikely. But if someone leaked really sensitive information, the police might search the metadata of every employee with access to the information. You never know, they might think a call to me was worth following up.

Alex: You don’t need to worry. I’m using someone else’s phone, someone the police would never suspect, and they don’t even know I’m using it. You know when you’re at a meeting and someone leaves their phone unattended. That sort of thing. Also, I route the call through a spoofing site so that the metadata doesn’t register my number.

Chris: Yes, I just read about it. It allows the Australian Federal Police, and some other agency whose name I can’t remember, to obtain a warrant and to break into someone’s computer and to capture the data or even to delete, change or add data. It’s frightening. A computer could be someone’s mobile phone.

Alex: You probably also know the law makes it possible for people to be served with orders to help break into someone else’s computer, for example by stealing it or obtaining a password to get into social media accounts. Anyone served with such an order who refuses to help fully in doing what’s demanded could go to prison for ten years — not that I expect that this provision will ever be used.

Chris: Spot on. When I read about this new law, I immediately thought of the implications for whistleblowers. The bill was passed with support from both major parties, which means there’s unlikely to be much significant political opposition to using it. The thing about warrants is a joke, because from what I know most requests are rubber-stamped.

Alex: You’re right to be worried. Of course the government justified the law by the need to track down and disrupt operations by terrorists and paedophiles. But the law is more general.

Alex: Imagine this. Imagine that someone working for the AFP, someone involved with Identify and Disrupt operations, was concerned about abuse of police powers to target journalists and whistleblowers trying to expose corruption — in the AFP, let’s say. What could they do to help?

Chris, after a pause: The best option would be to stay on the inside and somehow let targets of disruption operations know they are being targeted. Well, I think that might be a good option. I haven’t thought about this before.

Alex: It would be good if you did think about it. How are you going to know whether a message from someone who claims to be an AFP insider is genuine? It might be part of the operation, maybe to trigger paranoia and distrust. Have you heard about the FBI’s COINTELPRO program back in the 1960s?

Chris: Yes, it was only exposed after activists raided an FBI office — was it in Pennsylvania? — and obtained piles of files about the program.[2] The FBI was forging documents and trying to sow distrust among activist groups like the Black Panthers. You’re right, the new law gives the AFP the power to do the same sort of thing, legally.

Alex: Was COINTELPRO legal? Or does it matter whether it was legal? The thing that blew it out of the water was the raid and the subsequent exposure. Now I have a question for you. What would be the equivalent of the Pennsylvania raid today, in relation to the AFP?

Chris: It would be some hacker exposing AFP files on their Identify and Disrupt operations!

Alex: Think carefully. Who would have the knowledge to know whether such a leak was genuine or was part of a devious disinformation operation?

Chris, after thinking a moment: Maybe someone in Electronic Frontiers Australia, or in one of the other digital rights groups.

Alex: I’ve got to go. I’ll leave that with you. You know the scout motto: be prepared.

1. Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

2. Nelson Blackstock, Cointelpro: The FBI’s Secret War on Political Freedom (New York: Vintage, 1976); Paul Cowan, Nick Egleson and Nat Hentoff, State Secrets: Police Surveillance in America (New York: Holt, Rinehart, and Winston, 1974).