Advice on minimising digital security risks

When submitting potentially sensitive information, it is important you consider the risks you are taking and the consequences, including potential arrest, police harassment, legal action, problems at work or other retaliation against you. This is why it is essential to take as much care as you can to preserve your anonymity.

Before submitting any information to Netpoleaks, you should consider the aftermath: what will happen if the documents, files or data receive public and media attention?
Ask yourself these questions:

  • Am I the only person or one of only a few people who has access to the information I am preparing to submit?
  • If the information I submit reaches public attention, will someone ask me about it?
  • Am I able to manage the pressure of any investigation about the leaked information, and answer any questions I may face?

Technical risks

While Netpoleaks provides extensive protection for sharing data anonymously, using a computer and the internet to exchange information leaves traces (computer logs) that could identify who and where you are. This may happen while you are

  • Researching the information you are submitting
  • Acquiring the information to be submitted
  • Reading this web page

This is why we insist on submissions though the anonymous Tor Browser. You can reduce the technical risks further if you:

  • Do not submit information from a computer or laptop provided to you by your employer.
  • Keep safe your submission’s receipt and destroy this after you no longer need it.
  • Do not keep a copy of the information you submitted
  • Ensure, when researching and acquiring documents or files, that you leave no traces on IT systems that can lead back to you. For example, you can store files onto a USB drive rather than on your computer or on cloud storage and, after completing a submission to Netpoleaks, delete the files and reformat the USB drive.
  • Do not use the Tor browser for logging onto social media.

Meta-data

It is important to recognise that the information you submit might include hidden ‘meta-data’. Word or OpenOffice documents are likely to contain the name of the author, the date and time of when the file was created often some of its editing history. You can remove or edit this (normally in File > Properties).

Images created by digital cameras or mobile phones contain metadata in a format called EXIF that may include the image’s date, time and even GPS coordinates, the model and serial number of the device that took it and a thumbnail of the original image. There is a tool for amending and removing EXIF meta-data at http://owl.phy.queensu.ca/~phil/exiftool/ or you can find a list of other image meta-data editors here.

Consider converting all the data you are sending us to standard PDF format (but again, check File > Properties to see if the author’s name has been included and amend if necessary). Windows or MAC OS users can also use programs such as Adobe Acrobat XI Pro (for which a trial version is available) to remove or edit the hidden data from PDF files. GNU/Linux users can use a free and open source tool called PDF MOD to edit and remove metadata from PDF files. However, this does not remove the creation or modification time, or the type of device used for creating the PDF.

If you are interested in finding out more about activists’ digital security, visit securityinabox.org

Other risks

These include your physical location and social relationships. Consider the following:

  • Both before and after you make a submission, do not tell your anyone, not even your friends, if you wish to remain completely anonymous.
  • If information you have submitted receives media attention, think carefully about how you will react and how you will express an opinion about it.
  • Check for surveillance systems (for example, CCTV cameras) in the location where you research, acquire and submit the information you share with us.
  • After making a submission, avoid searching online for the information you have shared (this might reveal you knew about a leak before it became widely known)