President Donald Trump doesn’t have fond feelings for whistleblowers.
During his first term, Trump’s Justice Department carried out a clandestine spying operation to try to catch leakers. On the campaign trail, Trump on multiple occasions threatened to arrest journalists who don’t reveal their sources — and suggested they should be raped in prison until they give up names.
For those who want to speak out against wrongdoing within the U.S. government, it has never been more critical to take steps to keep themselves safe. So we compiled these best practices for leaking information in public interest under the Trump administration.
Don’t Call or Text
Phone calls and text messages are convenient, but they aren’t safe for whistleblowers. As outlined in a December report from the Office of the Inspector General, the Justice Department in Trump’s first term repeatedly utilized “compulsory processes” — which include subpoenas, search warrants, and court orders — to request “non-content communications records” from phone carriers serving journalists at CNN, the New York Times, and the Washington Post. The requests were for both the reporters’ work numbers and their personal numbers.
Non-content records don’t include the communications themselves — such as copies of text messages or voicemails. Instead, government investigators were keen to gather metadata pertaining to the communications: for instance, who sent a message or made a call to a journalist’s phone and at what time.
Even if the contents of the conversation are not recorded, the metadata establishes clear links between parties.
If a metadata search turns up evidence of communication with journalists or rights groups, this alone could reveal who is behind a leak.
Don’t Email
Never use a work or personal email address when communicating with journalists.
In its attempt to root out leaks during Trump’s first term, the Justice Department also sought non-content information pertaining to reporters’ email communications from their email service providers. They wanted details such as the time an email was sent and received, as well as the sender’s email address.
While email encryption technology can encrypt the body of the email message and in some cases subject lines as well, the email addresses themselves and dates and times emails are sent and received are not encrypted.
This means it’s not hard for investigators to use email records to draw a clear line between a journalist and their source — even if they can’t determine what information specifically was exchanged.
Setting up a separate email account entirely for communicating with journalists or rights groups is an option, but there are a number of potential gotchas. For instance, care should be taken to not reveal any identifying information when setting up a burner email account: Don’t use your phone number for two-factor authentication, choose a throwaway username that is not linked to you in any way, and select a vetted VPN or the Tor network to mask your IP address. Considering all these obstacles, it’s often best to avoid email altogether.
The owners of tech’s biggest social media platforms have shown varying degrees of fealty to the Trump administration. These genuflections include Mark Zuckerberg ending DEI programs at Meta, Andy Yen, the CEO of “privacy-first” email provider Proton, going on about how the Republican party today stands for “the little guys,” and Elon Musk, the owner of X, calling shots as a “special government employee.”
The fact that Trump’s richest fan also owns a popular social media platform should give pause about using X to share sensitive information. It doesn’t take an overactive imagination to see a scenario in which the companies that own communication channels are willing to provide user information to a government they’re eager to please.
Although social media direct messages are generally unencrypted by default, some social media platforms now offer optional end-to-end encrypted messaging, though this feature needs to be enabled manually. For instance, X direct messages can be encrypted if both parties are verified users, and Facebook Messenger can also be used to send encrypted DMs. But the metadata, or non-content information, would still reveal that your account was in contact with a reporter’s account.
Similar metadata risks apply to messaging platforms such as Telegram and WhatsApp. Telegram offers encryption, but it is not enabled by default and comes with a number of limitations. WhatsApp encrypts messages by default, but nonetheless reveals a variety of metadata about communications themselves.
Given the way government investigators typically demand non-content communication records, end-to-end encryption alone does not mask whether or not someone is talking to journalists or other entities.
Secure communication tools such as Signal and Session minimize the amount of metadata and user information that platform operators themselves can access.
Signal can identify the date a particular account was created, as well as when the account last accessed the service. It can also identify a phone number associated with an active username, which is vastly less metadata than other messaging platforms collect.
If you’re concerned about your username being linked to your phone number, change your username at regular intervals, which would prevent past usernames from being tied to your phone number.
Signal routinely posts copies of the requests for user information it receives from the government. These disclosures show that Signal tends to share merely when a particular account was last accessed and first created. Government requests for information from service providers, however, may come with non-disclosure orders that could legally prevent operators from posting notice of these demands on their transparency pages and potentially bar them from notifying the affected users themselves.
Session, a messenger whose tagline is “send messages, not metadata” reduces the amount of information it stores about its users by, for instance, not using centralized servers to relay messages.
Nothing Is a Substitute for OPSEC
But the best end-to-end encryption and metadata minimization won’t keep you safe without basic operational security.
Digital access logs may reveal who viewed, printed, or downloaded a copy of the file, and when. The more files you access, the more likely it is that you may be the one common individual who accessed all those files.
Avoid whistleblower communications while physically present at work. Aside from someone seeing your screen, your employer may also be able to identify that you accessed a particular communication service while on a company network.
Under no circumstances should you also use work devices when communicating with or transferring data to reporters or rights groups.
Equally risky are personal devices with any work-assigned device management apps installed. It might seem old-fashioned, but rather than taking a screenshot of a specific document or chat record on a work device, take a photo of the screen with a separate one-time use phone, or at least a personal device.
Make clear to anyone you might alert of wrongdoing that leaked photos or documents generally should not be published in their entirety. That’s because source material can potentially be linked to the specific device with which it was captured.
A photo showing a file on your computer monitor, for instance, might include a blemish or a smudge of dirt on the screen. More sophisticated forensic techniques, such as watermarking, can be used to trace the origins of a leaked email or video conference.
Even emails seemingly sent to a large number of recipients may be individually watermarked, with each message containing some unique change that can be traced to a single recipient. That’s why it’s safest for journalists not to reproduce emails verbatim and instead rely on selective quotes or summarizations.
After communicating with outside parties, ensure that no records of sensitive communications persist. Be sure to delete not just specific messages, but entire chat histories from all linked devices on which your messaging app of choice is installed. Request that anyone with whom you share sensitive information does the same. Remember to not save each other in your contacts lists, either.
Blowing the whistle can have a real impact in the world, but it also comes with risks — the threat of prosecution or losing your job among them. Although leak investigations may again become a priority in the Trump administration, these dos and don’ts can help reduce the chances of exposing yourself when you’re shining light on wrongdoing.
