US Govt Whistleblower guide (incomplete draft)
2025-05-20
WARNING
This guide is currently a research draft. DO NOT follow the guide as of today, if you are a whistleblower. I do not yet endorse following this guide as being sufficient to protect your safety. I am only sharing this to get research feedback. I will update you once I do think the guide is good enough.
Main
Why this guide?
My personal motivation here is especially focussed on whistleblowers working at an AI company in the US hoping to build superintelligent AI. The guide may also be useful for others.
Some of the whistleblower guides online are IMO blatantly against your true interests, and in the interests of journalists or lawyers. I wanted to write a guide that’s in your true interests as a whistleblower.
A lot of cybersecurity guides online fail to acknowledge that the way to escape the NSA with high success rate is not to improve your opsec, it’s to flee the country. But the latter is less fun for them to geek out about. So I wanted to write about that.
Disclaimer
Geopolitical disclaimer
This guide is based entirely on publicly available information.
This guide is based on the geopolitical situation as of 2025-05. Some parts of this guide will no longer apply if the US govt were to enter a war (not via proxy) with the govts of Russia, China, Ecuador or any of the other countries mentioned in this document.
Case study: Manhattan project spies Julius and Ethel Rosenberg were executed. This guide assumes US citizen whistleblowers are unlikely to be executed, which is likely true during peacetime but may or may not be true during war.
Expertise disclaimer
This should go without saying, but I don’t have credentials or expert-level knowledge on cybersecurity or international law or psychology or any other subject. I have above-average knowledge on cybersecurity and below-average knowledge on all the other subjects.
This is a “first pass” guide.
After reading this guide, you should also do your own independent research on any steps you’re uncertain about.
Also you should eventually involve someone else to give you personalised advice for your specific situation. For legal topics, a good lawyer will almost certainly give better advice than what’s in this document (assuming you trust them to not prioritise their self-interest above yours).
I broadly categorise whistleblowers into three categories:
corporate whistleblowers—possess incriminating information about a company
political whistleblowers—possess incriminating information about a political party or group
govt whistleblowers—possess incriminating information about intelligence agencies, military, judiciary, etc
Who?
This guide assumes you’re a govt whistleblower living in the US with US citizenship.
This guide assumes you’re a software developer (above-average IT skills) and have >$100k in funds.
My personal motivation here is especially focussed on whistleblowers working at an AI company in the US hoping to build superintelligent AI. The guide may also be useful for others.
Picking a strategy
As a whistleblower, you have a few available strategies:
-
leak summary, stay anonymous in the US
-
leak summary, become public in the US and
-
leak summary, become public outside of the US
-
leak summary, stay anonymous outside of the US
-
leak US classified information, stay anonymous in the US
-
leak US classified information, become public in the US
-
leak US classified information, become public outside of the US
-
leak US classified information, stay anonymous outside of the US
A summary would include broad overview of the situation as you see it, but not a lot of details or any classified documents or recordings.
As per my reading of all the past NSA whistleblower cases: 2 is slightly better than 1 3 4, 7 is far better than 5 6 and 8 is unlikely. Therefore this document is actually a guide for 7. (Leak US classified information, become public outside of the US)
2 is slightly better than 1, 3 and 4.
In almost all cases of 2 and 3, people were fired, house raided, social circle investigated, and spent funds on legal case. In almost none of these cases, people spent time in prison.
Being public is slightly better as you can then control the media narrative of your story.
Maybe if you lack funds for a legal case or finding another job, then staying anonymous is an option. Consider not becoming a whistleblower if you don’t have atleast 6 months savings.
(I haven’t researched this enough.)
Leaving the country doesn’t benefit you much.
7 is better than 5 and 6
In almost all cases of 5 and 6, people spent atleast 3 years in prison. How good their opsec was did not matter, although some had much better opsec than others. IMO do not trust all the opsec guides on the internet that suggest otherwise.
The sysamdmins working for the NSA leadership internally track who downloads a document from a central database. If you make a document public, the NSA now has a small list of suspects who have downloaded that particular document from their databases in the last few months.
Case studies
The only recent case of someone avoiding prison while leaking US classified information is Edward Snowden, who got asylum from Russia. Leaving the US geopolitical sphere of influence is by far your best bet if you look at historical data.
8 seems very unlikely
If you’ve already obtained asylum in a foreign country, that govt is willing to protect you from the US govt. The main reasons I can think of to continue wanting to spend your life in anonymity from the US govt inspite this:
possible illegal assassination by US
this is a real threat, for instance Assange expressed concern that Snowden could be assassinated if he lived in asylum in a Latin American country
want to be deployed in future as a spy on behalf of this country
this seems unusual and also not something I will currently be providing a guide for
Case studies
There is no public case in last 25 years of this situation happening.
For 8 to occur you need to figure out a way to steal classified documents anonymously, apply for asylum anonymously, live many years anonymously in that country, and escape US govt-controlled agents or militias in that country trying to assassinate you. Theory says conjuction of these many unlikely events is very unlikely.
Case studies
List of people who may not have been imprisoned if they had attempted to fly out of their country on the same day they leaked the documents.
(This is complete speculation on my part. Someone with more knowledge please correct me.)
Chelsea Manning
Chelsea Manning was living in US military base in Iraq. She talked to Adrian Lamo during time period 2010-05-21 to 2010-05-25, who tipped the NSA. She was arrested on 2010-05-27.
Hypothetically, someone with more foresight could have waited till they had a valid flight ticket and a plausible excuse for it, smuggled an SD card on their person until then, and leaked the documents on the same day as the flight.
Reality Winner
Reality Winner was living in US. She sent leaked documents by email to the Intercept on 2017-05-09. The Intercept contacted the NSA for document verification (blunder on the Intercept’s part) on 2017-05-30. She was arrested on 2017-06-03.
Hypothetically, someone with more foresight could have gotten approved travel first and then leaked the documents on the same day they flew. Since they were not identified as the source, it is quite likely their travel outside the US would have been approved.
How to leak classified documents and leave the US
The more complex a plan you’re following, the more planning is required. If you are willing to follow a more complex plan, you can ensure a slightly large window of time for yourself, from when you steal the documents to when you are deanonymised.
Objective: leak US classified documents, leave the US, reveal identity to public outside the US, neither you nor anyone in your circle gets imprisoned
Case studies of worst case outcome
None of the recent NSA whistleblower cases faced the death penalty. Your worst case scenario that’s not unrealistic is a prison sentence between 5 years and life imprisonment.
Julius and Ethel Rosenberg were executed as Soviet spies in the Manhattan Project during the cold war. There is a possibility you may face death penalty if caught during wartime scenario. As mentioned already, this guide assumes a war is not ongoing.
Minimmum not-anonymous plan
Here’s the minimum plan you should execute. The order of steps in this plan is deliberate.
walk out of the building with classified documents or recordings
redact documents yourself (don’t trust a journalist)
send snail mail to >100 journalists a few hours before the flight
(Minimum plan skips trying to encrypt or anonymise the messages, the good plan below does both.)
fly to country A
contact lawyers and retain atleast one
walk into country B embassy in country A and apply for asylum
Consequences
Above plan is easier to execute so I’m guessing there’s a >80% probability you’ll escape the US without being arrested.
Depending on your skills my guess is there’s a >50% probability your identity is made public within one month after you send the documents to journalists.
Good anonymous plan
Here’a a more advanced plan that might get you a few more months of anonymity. The order of steps in this plan is deliberate.
walk out of the building with classified documents or recordings
on airgapped computer:
redact documents yourself (don’t trust a journalist)
encrypt the documents twice, first with your symmetric key and second with various journalists’ pgp public keys
copy the encrypted documents to printed paper (or else USB)
setup 10-100 anonymous dead drops in the US
wipe your house clean
fly to country A
send anonymous messages to 10-100 journalists revealing dead drop locations and decryption keys (use a secure channel with pgp+airgap on both sides to communicate)
contact lawyers and retain atleast one
walk into country B embassy in country A and apply for asylum
Consequences
Above plan requires you execute more steps correctly before you leave the US. Your probability of being caught and imprisoned before you leave the US increases.
The benefit is you might remain anonymous for a few months maximum before the NSA identifies you, because they need more to time to narrow down the pool of all suspects who downloaded that specific document. Depending on your skills my guess is there’s still a >20% chance your identity is made public within one month of you sending the documents to journalists.
Case studies
Snowden did not execute either of these plans. He took the documents with him to Hong Kong on a (presumably encrypted) disk drive. He met journalists in-person.
US border and airport security has increased in subsequent years and they’re a lot more likely to confiscate your electronics or demand decryption keys. (Snowden leak may or may not have influenced this.) I currently do not recommend carrying encrypted SD cards with you on your flight leaving the US. I recommend leaving encrypted information back in the US and either carrying decryption keys on paper or memorising the decryption keys.
I do not recommend trusting any journalists with your identity if you have the time and energy and skill to redact documents yourself. You can always involve journalists in the plan after your identity is public.
Social circle guide
Specific advice for you
Spend time to take a clear decision on who is in-the-loop on your plan to whistleblow. See below for my recommendations.
If you have sufficient funds, leave some funds behind for your family members in the US. They will need this for legal expenses, until you have revealed your identity and can direct more funding towards them.
Read mental health resources as required. Do not contact a mental health practioner or friend or any other person for mental health reasons, as mentioned below.
Grand strategy—flow of information
You have broadly 3 options if you want to inform anyone in your social circle in the US about your plan, before you have gotten permanent asylum in another country. This includes immediate family members such as your spouse or children.
Don’t inform anyone living in the US geopolitical sphere. Let them stay behind and get investigated.
Inform someone living in the US geopolitical sphere. Let them stay behind and get investigated.
Inform someone living in the US geopolitical sphere. Ask them to fly with you and apply for asylum together.
-
Whether to execute 1
If you only want to maximise success probability of whistleblowing while ensuring you and your social circle avoids being imprisoned, I would strongly recommend executing 1.
Important: There is a possibility you will lose people including immediate family members who will not be ready to continue the relationship when they understand the decisions and risks you’ve taken. This is a risk you must be ready to accept if you go ahead with this plan.
-
Whether to execute 2
If you feel you have an inflexible moral obligation to inform someone in your social circle about your plan, I currently strongly recommend 3 over 2.
If you execute 2, there is a significant likelihood that they will be imprisoned as an accessory to your crime, for not reporting you immediately.
There is a low likelihood they will be able to successfully deny that they were informed, if they were in fact informed.
-
Whether to execute 3
Executing 3 also reduces your success probability significantly, compared to executing 1.
This person will also need to learn considerable opsec skills just like you.
They will need to psychologically adjust to complete social isolation and constant fear of imprisonment, just like you. A single word spoken by them to wrong person can lead to both of you being imprisoned.
Since you are the person who took the initial decision to whistleblow, it is possible you are psychologically more ready for these adjustments than they are.
You likely have a good understanding of the psychological makeup of the person you are considering involving in your plan.
However, you are also an emotionally biased judge of how much your success probability drops by involving them in the plan. You might want to do your own research and attempt writing down an actual number for how much you estimate your success probability to drop if you involve them. My naive guess is success probability will drop by atleast 40% for a majority of people, if they were to involve their spouse in their plan.
-
Case studies
There is no recent example of someone doing 2 or 3 successfully. Snowden is the only recent example of doing 1 successfully.
-
I would strongly recommend distancing from your social circle over a period of multiple months, and not informing them about your plan. It is important not to raise any suspicion, as doing so could lead to you and them being imprisoned.
-
Apart from your lawyer, I do not recommend keeping anyone in-the-loop by default until you have obtained asylum.
I do not recommend contacting a lawyer until you have the left the US geopolitical sphere. This document and similar resources already contain most of the generic advice you require. It is unlikely they will have a lot of situation-specific advice you cannot get otherwise. Hence it may not be worth risking informing them.
Once you have left the US geopolitical sphere, you can contact your lawyer.
Your lawyer may be able to provide better advice on what information is appropriate to share with other people in your circle including your family members.
-
Psychiatrists, extended family, work colleagues, journalists and so on will be part of the people investigated. I do not recommend informing any of these people.
-
Until your identity is safe to publicly reveal (and likely even after that), you cannot support anyone in your social circle living in the US sphere in any way. It could take many months before you can support them.
You (and any orgs supporting you) will not be able to financially support their legal expenses.
You will not be able to inform them of any of the upcoming consequences in their life, or inform them of any strategy to protect themselves.
You will not be able to emotionally support them.
Consequences for social circle living in the US geopolitical sphere (who are not informed about your plan)
When I say social circle this includes but is not limited to immediate family, extended family, neighbours, work colleagues, etc. Immediate family members are likely to face more severe consequences.
Consequences
Your immediate family members living in the US geopolitical sphere are likely to be interrogated, wiretapped and have their houses raided.
They are likely to be intimidated and followed.
They are likely to be cut off by members of their social circles who would like to avoid being caught in the investigation.
They are likely to receive hate mail.
They will almost certainly will not be imprisoned in the US. The investigation will almost certainly successfully prove their innocence at the end.
Case studies for consequences
Almost every single US govt whistleblower leaking classified documents has family members who faced every single one of the above listed consequences.
I have not yet found a case of a US govt whistleblower leaking classified documents whose family member (or other person in social circle) went to prison if they were not informed about the plan to whistleblow.
Family visits
Exact details here depend on the country you go to. Ask your lawyer for advice.
If you go to prison in US/Europe, you will likely be allowed family visits in prison.
If you get asylum in Russia, your family will likely be allowed to leave US and enter Russia.
Once in Russia, their safe stay and potential return will depend on decisions of the Russian govt.
Case studies for family visits
Snowden’s wife (then girlfriend) was allowed to leave the US 13 months after he left. As of 2025, Snowden’s wife lives with him in Russia along with their son (born in Russia).
I could not find any documented case of family members or friends being indefinitely held in the US and prevented from travel out of the US.
Chelsea Manning, Reality Winner and Julian Assange were allowed in-person family visits in prison in US and UK respectively.
See the whistleblower database document for more detailed case studies.
Mental health
I do not recommend informing a mental health practitioner, spiritual/religious mentor or friend about your plan for mental health reasons.
They will likely be investigated using illegal tactics, and will not be able to protect your information.
Any such existing person in your life should be slowly distanced from, as mentioned above.
Case study: Daniel Ellsberg’s psychiatrist’s office was broken into, as part of a (failed) strategy to prove him mentally unstable in court.
I recommend reading mental health resources yourself using your secure tails-based setup, if you require it.
Mental health resources
Secret life of secrets by Michael Slepian
Consider whether you believe you are morally correct or incorrect in keeping this secret.
Consider whether your actions in the long term (not short term) benefit or harm people you care about.
Pre-planning security guide
Even before you actually start planning, you should consider setting up a relatively secure machine to do research and planning.
You may or may not yet have made up your mind on whether to whistleblow or not.
Setting up a secure machine running tails does not by itself incriminate you. You are allowed to change your mind afterwards and decide not to whistleblow.
As of 2025, I have not been able to find any case with public evidence of a person becoming a person of interest due to search results alone. Usually search results are used to investigate only after you are already a person of interest.
Increase in NSA surveillance activity and AI capabilities could change this in future however. It is, in theory, possible that are you already a person of interest for having read my guide on clearnet.
I’m unsure about giving concrete advice on this point.
If you do finally decide to whistleblow, your search results starting from today could reduce the time required by the NSA to doxx you.
How to setup secure machine for planning and research
-
Purchase a new windows/linux machine.
Physically disconnect the wires to the mic, camera, wireless adapter. Open the case and use a plier.
Only connect ethernet cable to router. No wireless signal.
-
Purchase a USB drive and install tails on it.
-
Reserve a separate room in your house where this machine is kept.
-
No mobile phone or other device allowed in this room.
Even better, physically dismantle and destroy your phone, if you can manage to still keep your job and manage your life without a phone.
-
No other person allowed in this room.
-
Important: Resist the urge to search whistleblower related info on your other devices or on home or corporate network in clearnet.
“Walk out of the building” guide
-
Do not raise any complaints whatsoever via internal channels.
This is possibly the single biggest blunder made by all the historical NSA whistleblowers.
This guarantees you’ll be on a suspect list even before leaving the US. Your networks may be monitored by a person. You may be followed. You may be prevented from travelling. You may be (unofficially) interrogated.
This almost guarantees you’ll be doxxed within the first month of leaving the US
The intersection of people who downloaded a specific document and people who raised complaints via internal channels uniquely points at you.
Case studies:
Thomas Drake raised complaints via internal channels and this may have shortened the time interval to him being doxxed. Complaints via internal channels did not have major impact on NSA afaik.
Thomas Tamm raised complaints via internal channels and this may have shorted the time interval to him becoming a person of internet, with his house raided and communications tapped. Complaints did not have major impact on NSA afaik.
John Crane sued claiming internal channels of NSA are being used to hunt down whistleblowers. Fired as a result. Complaints and legal cases did not have major impact on NSA afaik.
Russ Tice claims NSA uses internal channels to hunt down whistleblowers.
William Binney raised complaints via internal channels and publicly. Complaints did not have major impact on NSA afaik.
James Robertson, a judge on the US FISA court post-9/11 made complaints via internal channels, and resigned. Complaints did not have major impact on NSA or the FISA court system afaik.
-
Select which documents to release.
More documents means more work.
More manual work to redact them, including higher probability of human error.
Might become less feasible to print on paper, mandating disk storage.
If there’s a large amount of video data, any copying or file processing you wish to do could take multiple hours.
You can probably make the key political arguments you wish to make by leaking 100 documents rather than 1 million.
Maybe put the most important documents in a folder to save the journalist some time while analysing the archive.
The public could benefit from more documents leaked rather than less, in a way that you can’t immediately foresee. It is hard for you to pre-emptively guess every possible usage of your leaked documents from now till a century from now.
If you are willing to undertake personal risks involved in redacting and transferring a larger dataset, prefer releasing a larger dataset over a smaller one.
-
Plausible deniability
Increasing size of initial pool of suspects could give you more lead time before your identity is found out by the NSA.
Make sure to access a large number of documents from the database, not just the ones you will be publishing.
Make sure no camera or person is watching you while you access the documents or copy them
-
Hardware
A standard SD card will do, as it is easy to smuggle. A USB drive or hard disk drive will also do.
If you are releasing a lot of video content you may need to purchase multiple disks. As of 2025, it is not common to get disks larger than 12 TB. Prefer purchasing a disk with high throughput like 1 GB/s instead of 100 MB/s.
As always, make sure to have a plausible alternate reason for any hardware purchases you make under real name or credit card.
Video recording guide
You can consider hiding a camera and mic on you to record important interactions you see. This could include leadership admitting to any actions or values they would not admit publicly.
Should you make recordings yourself?
I strongly recommend you only make recordings yourself if there is no existing documented evidence that would be straightforward to obtain. In most situations, there will exist documented evidence that is available to atleast a few people.
Cons
Remember that you do not have a second person to help you, and you do not have prior experience with undercover work.
Attempting to make recordings noticeably reduces the success probability of leaking information without being imprisoned.
Pros
Video recordings of the leadership making unpopular decisions might be more influential in subsequent politics than leaked documents of the leadership making the same decisions. Average citizen has limited attention span and hence prefers video over text.
Video recording guide
Prepare to be doxxed
Audio and video are harder to redact. If you are making recordings you should be aware of this.
You may or may not be a participant in the conversations being recorded. If you are a participant in the conversation, you may be doxxed soon after the recordings are released publicly.
Getting access to people
It may take multiple months of effort before you obtain access to such people and discussions. Every additional month of time taken decreases the success probability of the plan, as there is more potential to make a mistake.
Until you have made the recordings, there is some probability you will avoid being imprisoned even if caught. (I don’t have legal background to comment on the exact boundary here.) You can spend a fair amount of time preparing to make the recording, before actually making it.
You may find it difficult to mentally adjust to your new role, your motivation levels may reduce and your work performance may be affected. All this is detectable by people working with you.
You will likely need to take a significant amount of self-initiative to get access to people.
It is best to continue playing your old role at the company, and invent plausible reasons why a person in your role would need access to the leadership or to a specific meeting. For instance you may want to volunteer for additional responsibilities or attempt getting promoted.
Don’t carry recording hardware with you while you’re still in the process of increasing your access.
Don’t possess any incriminating evidence on you while you’re still in the process of increasing your access. Assume you can be caught and interrogated at any moment.
Hardware
Warning: Your building may contain scanners, including metal detectors, X-ray scanners, millimetre-wave scanners and infrared scanners.
Security may be able to detect equipment you carry even while switched off.
Assume the security team has read this guide and installed scanners in all buildings, unless you have evidence otherwise.
Choice of hardware
You should have a plausible excuse for why the hardware is on you, if interrogated by security. You should have a plausible excuse for why you purchased it, as all purchases are recorded and can be questioned.
It might therefore be better to use a regular phone or mic to do the recording, instead of specialised “spy” hardware.
Spy hardware typically is designed to be hidden (in your shirt, in the wall etc) with an almost invisible opening.
Spy hardware may also have pickup and sensitivity higher than regular use.
Use simple hardware without too many pieces or cables.
I’m not listing models of specific mics or cameras here. Anything I list here might be automatically suspicious. Do your own research. Purchase high-quality hardware that won’t look suspicious. The exact choice is not very important, multiple brands sell similar enough hardware.
Using mics
Distance of mic from the speaker is by far the most important variable to ensure good pickup.
Mics are best carried on person to ensure better pickup. Place them at 30 degree angle or pointed at other person’s mouth to maximise pickup.
Mics may have digital or analog filters to remove low-decibal noises, make sure those are not present or disabled.
Mics may accumulate lint or dust, clean as required.
Ensure less ambient noise in the area.
Parabolic mics are designed for surveillnce and can pickup at >1 metre distance.
Laying blankets or padding behind the talker can help, for recordings taken at >1 metre distance.
Using cameras
Room lighting is the most important variable for good quality video.
Ensure sufficient ambient lighting in the recording. Ensure there’s no window creating glare.
Assuming good lighting, most camera models perform well. Pick any camera with good resolution.
Cameras may also accumulate dust or lens scratches, clean as required.
Cameras can be carried on person or placed in the room.
Camera placement is important. Minimise blind spots in the room not captured by the camera.
Testing—very important
Attempt multiple test runs of your recording equipment by secretly recording lower-stakes conversations.
Resources
The Sting Book (1994) by Steven Frazier
(Don’t purchase a hard copy using your real address or credit card. Get a soft copy using your tails setup)
Many sections of the book is irrelevant, some sections are outdated, but some sections are useful.
Informed by real empirical data but in a different context.
Redaction guide
Time investment
If you can do the redactions yourself within 1 month, I would strongly recommend doing it yourself instead of trusting a journalist to do it. (Exceptions exist.)
Generic information
You need to do redaction (removal of private information) and metadata removal. Always do metadata removal first, redaction second.
Metadata
Almost every file format leaks some other the other metadata. Could be docx, jpeg, pdf, html, whatever.
Possible metadata in input files
Useful metadata—for users of the application, but may end up doxxing you
Junk metadata—that no one notices or uses, but may end up doxxing you
Steganographic—deliberately inserted by organisation to doxx whistleblowers like you
Redaction
There may be information in the documents that is incriminating either to you or to third-parties. You might prefer to remove this information for either moral or strategic reasons.
Text
Suggested programs: vim, nano, emacs
Also likely safe: Gedit (linux default), Notepad (windows default), TextEdit (mac default), Sublime Text
Step 0: File format conversion
Output format should be plaintext.
Use ASCII not UTF-8.
Step 1: Metadata removal
If you suspect your file contains steganographic metadata, consider not submitting the file, and rewriting its contents in your words. If not, continue.
Remove all non-printable characters.
Step 2: Redaction
Replace with
[REDACTED]Don’t use different placeholders for different types of information. Use same placeholder across all content.
Use common sense when redacting documents. Redacted content is sometimes easy to guess based on surrounding content.
Step 3: Final checks
Generate hexdump and verify no extra characters present. All chars must be within accepted byte range.
Images
Suggested programs: GIMP, hexdump, Tails metadata cleaner
Step 0: File format conversion
Output format should be bitmap (.BMP), with low resolution.
GIMP supports converting many image formats to BMP.
poppler-utilson linux can convert pdf to image, which can then be converted to BMP.Linux screenshots are a sufficiently safe way to convert any file to image, which can then be converted to BMP.
Step 1: Metadata removal
If you suspect your file contains steganographic metadata, consider not submitting the file, and rewriting its contents in your words. If not, continue.
Remove any image metadata such as EXIF/XMP data. (EXIF can include location data, which is important to remove.)
Image resolution
Camera lenses may have scratches that uniquely identify the camera used. These are hard-to-detect with naked eye in an image, but can be seen using graphics processing tools. Lowering resolution helps prevent this analysis.
Lower resolution down a minimum resolution that ensures documents are still readable.
Keep this minimum resolution constant across all your images.
Step 2: Redaction
Guide to making black boxes
Use GIMP to make black boxes.
Use black fill with opacity 100%.
Click Image → Flatten layers. (This is optional, layers get flattened by default if you use .BMP as save format)
Save as .BMP. Uncheck saving EXIF/XMP data.
Use the same fill across all redacted content.
Use common sense when redacting documents. Redacted content is sometimes easy to guess based on surrounding content.
Step 3: Final checks
.BMP format includes a 54-byte header followed by RGB values, with no compression, no encoding and no metadata.
Generate hexdump and check that bytecount matches expected bytecount based on header size and number of pixels.
Audio
As of 2025-05, my recommendation is to not do audio redaction unless you have previous expertise. I will update the guide once I have more experience with audio redaction.
Your audio files may also require mixing and editing to improve quality. Trust that someone else will do it once the files are released publicly.
If you are submitting audio
Use tails metadata cleaner.
Accept that there is increased risk of the file containing information about both—the people recorded in the audio, and any devices and people that transmitted the file including you.
Methods can depend on encoding method used. You may want to delete entire frames or delete / voice-change voices within some frames.
Video
As of 2025-05, my recommendation is to not do video redaction unless you have previous expertise. I will update the guide once I have more experience with video redaction.
Your video files may require editing to improve quality. Trust that someone else will do it once the files are released publicly.
If you are submitting video
Use tails metadata cleaner.
Accept that there is increased risk of the file containing information about both—the people recorded in the video, and any devices and people that transmitted the file including you.
Methods can depend on encoding method used. For visual, you may want to delete entire frames or black fill polygonal regions within some frames. For audio, see above.
Otherwise, don’t submit video. Consider extracting frames
Extract a few important frames as .BMP. Then follow the image guide above.
Programs: ffmpeg:
ffmpeg -i video.VOB -vsync 0 -ss 01:30 -to 01:40 %06d.bmp
Airgap and encryption guide
To do for self
Write this
Anonymous dead drop guide
To do for self
Write this
House cleaning guide
To do for self
Write this
List of recommended countries
Travel paths
-
My naive guess is your best bet is going to the Ecuador embassy in Moscow, Russia and requesting asylum in-person, not anonymously. You are likely to be imprisoned only if both Ecuador govt and Russian govt reject your requests.
-
My naive guess is that contacting consuls requesting asylum before reaching foreign soil is a bad idea. You should first fly out, before contacting your lawyer and making asylum requests.
-
If you are flying from US to Russia, my naive guess is it makes more sense to fly to a third country that has flights from both Russia and US. This will raise less suspicion when you apply for visa or book tickets. This is especially important if you hold a security clearance. Once you are in the third country, you can book the second ticket.
-
Ask your lawyer for advice, after you have landed in Russia.
-
(It is possible to ask for more information from a lawyer before you leave the US. There is a low probability your lawyer will get you imprisoned. There’s also a low probability they offer you useful personalised information which you cannot otherwise obtain from guides such as this one. Ideally someone who is not affiliated with you, such as me, should be getting this information and publishing it publicly in a guide.)
-
Case study: Snowden was approved for asylum in Russia, after being rejected by 20+ countries including countries in Latin America, countries in Europe, India and China. Later he was granted Russian citizenship.
-
Case study: Assange was approved for asylum in Ecuador embassy in UK. His room was bugged by cameras and eventually Ecuador govt revoked their approval, letting UK govt arrest him.
Along with the leaked documents, you can request govts to unilaterally promise asylum to the whistleblower without knowing the identity of the whistleblower.
You can also include a pgp public key in your leaked documents. This allows a government to start an encrypted conversation with your lawyer without knowing the identity of either you or your lawyer.
My guess is there’s <20% probability this will work. My guess is all countries have a strong enough negotiating position to demand you reveal your identity and reach their soil, before they take a decision on your asylum application.
No govt in the world cares to keep you alive on humanitarian grounds but they may do it if it helps strengthen their reputation as a country that can defy the US.
Funding guide
You need funding for the following:
Secure computers, while in the US
Legal expenses
Living in foreign country while you apply for asylum
Living in foreign country after you have asylum, but not an alternate job
Emergency funds, such as funds for emergency flights, purchasing new computers
Legal expenses are by far your biggest expense, as per case studies.
Being cut off from your own funds is a potential risk.
Soon after the first meeting with your lawyer outside the US, they should help you contact organisations that can fund expenses on your behalf.
It is ideal if someone else is making the payments on your behalf, as your cash on hand can be seized and accounts can be frozen. This is high probability.
Case study: Assange paid for Snowden’s stay in Hong Kong and onward flight tickets.
Case study: Assange received payments via cryptocurrency after all bank accounts were frozen.
Cryptocurrency
Having an organisation willing to send you funds is better than managing your own funds. Once you have left the US, there should ideally be atleast one such organisation willing to support you and bring cash to you in-person as required.
Using cryptocurrency or cash by yourself is only a worst case option if you and your lawyer are unable to find an organisation willing to fund you.
If you have never purchased cryptocurrency before, I would strongly recommend not learning to do it now.
Having cryptocurrency with you instead of cash will only help you in a small number of scenarios. It is not worth significantly increasing the risk of being caught, and if you have not done this before, your risk of being caught before leaving the US goes up significantly.
If you already have BTC or XMR with you in a cold wallet, or if you have previously purchased BTC or XMR using cash via no-KYC methods, you can consider bringing some with you on your journey outside the US.
Carry it in a brain wallet (i.e. memorise it) or paper wallet. Don’t leave behind any hardware wallets or hot wallets. (Any electronic devices left behind will go through data recovery, and could reveal your crypto addresses for example.)
Don’t carry more than $1M as this makes you a target for theft.
Some countries are far more friendly than others, when finding counterparties as a stranger. Consider checking this for your destination country before leaving the US.
Case studies: I did not find any historical example of a whistleblower who left the US, failed to find an organisation who will fund them, and ended up relying on their own cryptocurrency assets. This entire section of the guide is dealing with a low-probability speculative scenario.
List of recommended lawyers
To do for self
write this section
List of funding sources
To do for self
write this section
List of high-attention media operators (such as journalists and youtubers)
To do for self
write this section
As mentioned multiple times in the document, prefer making a plan that does not involve trusting any journalists.
List of somewhat trustworthy high-attention media operators (with securedrop/signal/email IDs)
?
Exhaustive list of high-attention media operators (with securedrop/signal/email IDs)
?
OK, now I’ve been through this whole thing.
For the record, I would like to say that I don’t think the AI labs will get to the level of secrecy of something like the NSA before the whole issue becomes moot. So this is all pretty hypothetical. But it’s a kind of hypothetical that I’ve spent a lot of time on.
I also have my doubts about the value of guides like this in general. But anyway...
Summaries have limited credibility.
Anonymous summaries have almost no credibility, and summaries are hard to write without losing your anonymity. What you choose to include is identifying… and may also have implications about what you don’t know, which is also identifying. The phrasing you use is also identifying.
… so any option that includes both “anonymous” and “summary” should probably be eliminated as not worth the trouble. You’ll put yourself in danger, and nobody will listen to you.
I disagree. In most cases, I think 5 (leak details anonymously and stay in the US) is the best strategy. But you’d better know what you’re doing.
As I said in my first comment, “You can?”.
Reporters will write what they’re going to write, and others will react however they’re going to react. You get to tell them your version of “your story”, and your adversaries get to tell them their version. Which they choose to believe is up to them.
… and almost alll reporters will try to make it a personal story about you, rather than a story about whatever important information you’re actually trying to call attention to. It gets clicks, but those may not be the clicks you want. The less “personality” they have to work with, the less they can do that.
There aren’t that many of these cases… and none of them have had anything close what I would call “good OPSEC”. Having extended conversations with random people is not OPSEC.
But it’s also true that you won’t learn how to do maintain OPSEC from some succinct “howto” guide, because it’s complicated and demands that you actually know how things work. There are an almost infinite number of ways to go wrong, so The Way cannot lie in trying to list them all.
Any “high security” operation does this as an explicit policy. Many commercial companies do it. Most document storage servers keep equivalent logs as a matter of course anyway. Every Web access is logged. And nowadays there’s spyware/bossware/EDR on many business computers, so your local activities are also watched.
You have to assume everything you do anywhere is logged unless you know specifically why it isn’t.
Some of the more paranoid organizations also watermark the individual downloaded copies in various ways, or even vary the text. It may take AI companies a while to get there.
You may be able to identify in-text watermarks by getting your hands on multiple copies from different sources. Rendering documents to images (and processing those images with simple tools, and paying attention to things like what fonts you’re using) may be best.
If possible, you want to get your document via some back channel… one that doesn’t itself raise alarms. Which is much easier said than done and is beyond the scope of any brief guide.
This applies less to things that get broadcast internally.
Again, in public reporting, I think it’s more like “historical anecdotes” than “historical data”. That’s especially true because “spy swaps” are kind of out of scope; you don’t qualify for that consideration.
But this may be true if you can live with whoever you think might give you asylum. And remember that Russia wasn’t Snowden’s original plan.
You mean before you did your leaking? What if you ask them, saying you plan to leak, and they instead choose to rat you out? And you don’t know how much pressure will be applied or how they’ll respond. Governments aren’t monolithic and don’t have friends, only interests.
If you plan to leak and leave, you’re fundamentally just going to have to hope that somebody will shelter you, without any prearranged assurance of that.
Subject to the assumption that you’re going to leave the US, I agree that you are going to get deanonymized. The mere fact that you, one of the relatively few people who had access in the first place, left the US at around that time is enough to paint a giant target on you. And once you’re an individualized target, you’re doomed with very high probability.
That’s why I actually believe that, if you’re going with an anonymity-based strategy, you want to stay in the US. And, yes, you will need much, much better OPSEC than any of the past cases have had.
Not sure that’s adequate. Was Julian Assange “imprisoned”?
I can see the value of days or weeks of anonymity while you make your exit, and I can see the value of trying for permanent anonymity so you don’t have to exit. I’m not sure I see the value of trying for “a few more months of anonymity”.
So, looking at it from a more “let’s try for long-term anonymity” point of view:
I’m not going to go point-by-point on the redaction guide, so I’ll put this here.
Remember that the specific information you choose to redact is a clue in figuring out who you are. In general it’s safer for you (as opposed to other people you may also need to protect), if you remove watermarks and metadata, but don’t remove “real content”.
One of the tradeoffs with removing either content or metadata is that too many visual changes make documents less credible. Turning a document with characteristic formatting into plain text will make people doubt it, beyond the actual evidentiary value of the change. Paraphrasing is going to be fatal to credibility; it’s too easy to spin that as your having fabricated the document or deliberately slanted the paraphrase.
I’m not sure what threat you’re trying to address with the double encryption. Is the idea that if the file somehow makes its way from the dead drop to the journalist before you tell them where to pick it up, then they still won’t be able to read it until you send them the symmetric key?
That seems like an oddly specific failure mode, and one that shouldn’t be fatal if it somehow does happen.
Note that if you do this with PGP, the outer layer of encryption will identify the intended recipient.
Many printers watermark their output. Many USB sticks have serial numbers that may theoretically be traceable to where you bought the stick. This can thwart your metadata-stripping work. And I dislike the whole physical approach because...
If you try to set up that many physical drops, you probably will get identified as soon as anybody tries in earnest to investigate. There are cameras everywhere nowadays. Meatspace is not safer any more. Not against a really angry major nation-state adversary.
Your house should never have been dirty. Seriously, from the moment you walk out the door with those documents, your house, except maybe for one very tiny, well-understood area, should be completely clean every second you’re not in it, not just of definitive evidence but of anything remotely unusual or suspicious. Which is hard to assure if it wasn’t also clean before you walked out.
And your person should be clean the vast majority of the time.
… or, again, stay in the US and try for long-term anonymity.
“Send anonymous messages”. Aye, there’s the rub. Available tools are limited, and using them safely requires real, detailed understanding of a whole lot of quite technical things. It’s especially hard if you want them to be able to reply (which I wouldn’t recommend). “Use Tails” isn’t remotely enough guidance.
Using both physical drops and Internet communication just means you now have two independent ways of being caught. Multiplying exposures is always a bad idea. If you have an anonymity system you’re willing to trust, you should probably just send them the raw document images, assuming they’ll fit in the available space, and dispense with drops entirely.
Or, if the files are too big and your anonymity mechanism permits it, use it to upload the files to cloud drops, and send the locations.
I doubt you’ll find 100 journalists who have active PGP keys in 2025, and you might not find 10. More have things like Signal nowadays, but chat systems like that are not effectively anonymous, not if you’re assuming that the spy resources of the US government are truly focused on you. Even the Tor ones can, under some circumstances, be vulnerable to traffic analysis.
If your redaction is good enough, you should be able to just publish the documents, along with any suggested ways of corroborating them. If there’s no way to corroborate them other than your say-so, then you may not get anywhere anyhow even you’re not anonymous, let alone if you *are.
Back-and-forth communication will get you in trouble sooner or later.
This step will be fatal to your anonymity. Possibly immediately so if you’re forced to disclose an intention to do some future illegal act. And you may not know that one of your necessary future acts is illegal.
It’s actually not necessary to do this in advance if you assume that the people who are after you are going to stay within the law. Just learn “I have nothing to say without my lawyer present”. You might want to mentally identify a lawyer to call, or somebody who could be asked to help retain a lawyer on your behalf, though.
This step will probably be fatal to your anonymity. They’re not going to talk to you without knowing who you are, and they can’t be trusted to keep that secret.
Again, you should not be in that pool, at least not unless you have a lot of company.
If you’re going to do this, you probably want to develop some skills first.
Nah, they’re just searching everything on principle.
Perhaps the correct way to view this is that giving your identity to anybody, including a journalist, basically is making it public. So don’t do that unless you want to do that. The tradeoff being that your disclosure is far less credible, both to journalists and to their readers, if you’re anonymous.
A lot depends on what they can check, but you also have to be credible enough to make it worth their while to check.
Spend no time on this. The right answer is always “nobody”.
If you’re responsible for a family, you probably shouldn’t be doing any of this, especially not any of the “flee the country” versions.
Where are you going to be getting this “more funding”? You may not be in prison, but your job prospects are gonna be pretty limited. Although admittedly a lot of AI people nowadays have significant cash.
As you point out below, your searching for these creates an evidentiary trail.
This is suspicious behavior that will be noticed and remembered.
Also, you probably shouldn’t be doing any detectable action related to your whole whistleblowing plan for “multiple months”. The longer you prolong your execution, the more chance you have of hitting trouble.
Again, lawyers are required to report their clients’ credibly stated intentions to perform future illegal acts.
Lawyers aren’t spies or spymasters. They have a certain basic ability to not be completely stupid with supposedly confidential documents most of the time, but few of them can operate anywhere near this level.
It may never be possible to support them.
I don’t think Russia’s in the business of handing out asylum all the time. Past Snowdens aren’t a guarantee of future performance.
It’s kind of the idea of Tails that you don’t have to run it on a separate machine. Although it’s also true that if you use your main machine for anything you have risks like MAC address leakage from Tails bugs or unusual firmware behavior.
Be aware that Tor may not be an impenetrable barrier.
Yes, but the thing is that there’s “more interest” and “less interest”. They(TM) don’t even have all of everybody’s search results, but if you manage to get into a pools small enough for Them(TM) to go get your search results, those results can further narrow the pool.
Indeed. In fact, so could your past search results. You have to think about your existing posture.
This whole section has its heart in the right place, but taken as a whole it causes you to do a lot of noticeable, suspicious things, and on net I think it puts you in danager.
If you’re going to have a dedicated machine, it’s better to make it a used machine for bought for cash at a bricks-and-mortar store.
Better have a story about why you did that.
At least just unplug them so they can be plugged back in again later.
This implies that you’re doing your Internet access in your own house. This may or may not be a good idea. There’s a lot to be said for public WiFi in secluded little nooks. Preferably nooks that would be in character for you to visit anyway.
Actually, I would probably use Whonix from an amnesticized “live” USB stick… although that’s another knowledge barrier.
I rate that as impractical, unnecessary, and suspicious.
Remember that as yet you’re not a person of interest. Nobody is going to be running covert channels or installing spy cameras… and if they do, you lose anyway. Not having your phone in the room while you’re doing secret things might be a good precaution. Turning it off might not be, by the way; that’s detectable and most people don’t do it much.
These are suspicious enough that all your acquaintances will remember you did them. You will come off as some kind of paranoid freak, you will jump to all of those people’s minds when your leak hits the news, and they may very well spontaneously report “tips” about you.
What specific threats are you trying to counter with this?
If you feel an “urge” to do that, as opposed to immediate horror at the mere idea, you haven’t internalized The Way.
… but also minimize your searches over Tor (or I2P or whatever). Get the information you need, and no more.
Yep.
Make sure not to look weird. If you’re downloading an unusual number of documents, with no obvious reason, that in itself is suspicious. You may get yourself watched heavily before you even try to grab or exfiltrate your actual target. And you’ll still be in the list of people who downloaded it. And if you download anything not clearly related to your job (including the target), that may be suspicious to anybody going through logs after the fact.
Extra points if you’re actually allowed to have it.
In highly classified areas, such devices are forbidden, or subject to “once it checks in, it doesn’t check out” policies. They do search people, and they don’t tend to be forgiving if they find anything, especially if seems to have been deliberately concealed.
Also, even in standard commercial security, computers tend to have their USB and media ports disabled, in ways that aren’t easily bypassed without obvious physical attacks. And every USB device inserted may be logged… or even every file copied to and from such a device. And God help you if you try to boot from USB.
An actual whistleblower candidate will, or at least should, know, or be able to learn or infer, much more about their own facility’s security than even a very experienced “guide writer”, so really what’s important is to remind them that they need to watch for unobtrusive measures.
I don’t see how that’s likely to be relevant to AI… and I also don’t see how anybody is going to get away with walking out of a “secure” facility with stacks of 3.5-inch disk drives.
Any recording you make will probably identify who you are, regardless of whether you speak or are officially a party to the conversation. The video angle identifies where you were. You can even often figure out where a microphone was. There may be identifying incidental sounds.
Your recording device will probably leave an individualizable signature on the captured data, and that may be used if you’re ever actually a target of investigation.
So this isn’t viable for any anonymous approach.
Again, this is not viable if you want to remain anonymous after the fact. It may get you in the door, but people will realize after the disclosure comes out.
Most of what’s sold to the public with explicity “spy” labels on it is also low-quality schlock. I’d be tempted to build my own.
But anyway, once you go beyond what you can do with your phone, you’re getting into a lot of very complicated, highly technical stuff. I would just leave this out unless you’re prepared to write a book about it.
I think a lot of the specific advice here is at best questionable, but I’m not going to argue point-by-point. Not my specialty anyhow.
Well, except for this:
“Hey, Boss, please stand in front of this anechoic backing while I point a one-meter dish at you?”
Wearing a wire for law enforcement is very different from wearing a wire for whistleblowing… and the available hardware, at least near the “high end”, is almost unrecognizeably different after 30 years.
Your redaction tools may introduce their own metadata. And that’s all I’m going to say about the redaction part. In general it needs a ton of work, and it’d be book-length in itself done right.
You probably want to leave out all naive guesses. There are procedures for getting asylum.
Ecuador and Russia are only of special interest if your initials are “E.S.”.
Really, this whole “fleeing the US” thing, including but not limited to asylum, is a huge crapshoot, and unlikely to work, unless you know of a specific political angle relating to whatever specific whistleblowing you’re doing.
Again, if you inform a lawyer that you actively intend to do something illegal in the future, that’s not privileged and they’re required to report it. You can say “I did this illegal thing in the past, where do I stand?”. You can say “Would it be legal for me to do this?”. You cannot say “I plan to break this specific law next Tuesday”.
These case studies are really situation-dependent, and amount to people getting asylum or not because various leaders were playing various political games that weren’t entirely, or even mainly, about those particular whistleblowers. It’s dangerous to try to generalize.
Legal expenses are by far your biggest expense, as per case studies.
Being cut off from your own funds is a potential risk.
If you don’t know in advance of specific organizations that would be motivated and able to fund you, then assume there will be none. And make sure you have an actually detailed and sophisticated understanding of those organizations, not some kind of “Well, obviously X would want to...” generalities.
A lot less than $1M will make you a target for theft. But what does it mean to “carry” cryptocurrency?
Here’s more on why I think classification of information is likely. Copy pasted from a different document.
US intelligence circles will significantly underestimate national security implications of AI, lots of information about AI companies will not become classified—Disagree
I think AI will be the number one national security issue of the US by 2026 or 2027 and lots of important information will get classified soon after.
I’m putting more evidence here because this argument got upvoted.
Attention of govt and intelligence circles
Paul Nakasone
ex-Director of NSA, now on OpenAI board
Recent talk by Paul Nakasone
Says: Cybersecurity, AI, and protecting US intellectual property (including AI model weights) as the primary focus for the NSA.
Likely a significant reason why he was hired by Sam Altman.
Timothy Haugh
ex-Director of NSA, fired by Trump in 2025
Recent talk by Timothy Haugh (12:00 onwards)
Says: Cybersecurity and AI are top challenges of US govt.
Says: AI-enabled cyberwarfare such as automated penetration testing.
Says: Over 7000 NSA analsysts are now using LLMs in their toolkit.
William Burns
ex-Director of CIA
Recent talk by William Burns (22:00 onwards)
Says: Ability of CIA to adapt to emerging technologies including large language models is number one criteria of success of CIA.
Says: Analysts use LLMs to process large volumes of data, process biometric data and city-level surveillance data.
Says: Aware of ASI risk as a theoretical possibility.
Says: CIA uses social media to identify and recruit potential Russian agents.
Avril Haines
ex-Director of National Intelligence, ex-Deputy Director of CIA, ex-National Security Advisor
Recent talk by Avril Haines
Says: major priority for her is US election interference using generative AI in social media by Russia and China
US policy efforts on GPU sanctioning China
Significant US policy efforts already in place to sanction GPU exports to other countries.
China is currently bypassing export controls, which will lead US intelligence circles to devise measures to tighten export controls.
Export controls are a standard lever that US policymaking and intelligence circles pull on many technologies, not just AI. This ensure US remains in frontier R&D of most science, technology and engineering.
Attention of Big Tech companies
Leaders of Big Tech companies, including Jensen Huang, Satya Nadella, Larry Ellison, Reid Hoffman, Mark Zuckerberg, Elon Musk and Bill Gates have made public statements that their major focus is AI competitiveness.
Elon Musk
Elon Musk is explicitly interested in influencing US govt policy on tech.
As of 2025-05, Elon Musk likely owns the world’s largest GPU datacenter.
Has publicly spoken about AI risk on multiple podcasts
Mark Zuckerberg
As of 2025-05, open sources latest AI models
Has previously interacted with multiple members of Senate and Congress
Has publicly spoken about AI risk on multiple pdocasts
People who understand nothing about AI will follow lagging indicators like capital and attention. This includes people within US govt.
Capital inflow to AI industry and AI risk
OpenAI, Deepmind and Anthropic have posted total annual revenue of $10B in 2024. This implies total market cap between $100B and $1T as of 2024. For reference, combined market cap of Apple, Google, Microsoft and Facebook is $10T as of 2025-05.
All Big Tech companies have experience handling US classified information. Amazon and Microsoft manage significant fraction of US government datacentres.
If you believe AI in 2027 will be signifcantly better than AI in 2024, you can make corresponding estimates of revenue and market cap.
Attention inflow to AI industry
OpenAI claims 400 million weekly active users. This is 5% of world population. For reference, estimated 67% of world population has ever used the internet.
As of 2025-05, Geoffrey Hinton speaking about AI risk has been covered by mainstream news channels across the world, which has significant increased the fraction of humanity that is aware of AI risk. (You can test this hypothesis by speaking to strangers outside of your friends-of-friends bubble.)
It’s not that I don’t think people will want to classify information, probably at least as much about how AI is being applied as about the basic technology.
It’s that:
Those people have a keen appreciation of the agility costs, which are very large. If they’re smart, they’ll want to do it smoothly and selectively.
There are countervailing political forces, and it will take time to overcome those even if a win is assured in the end.
It takes a long time to actually put that stuff in place, especially across multiple large, preexisting private organizations in peacetime. And even longer for it to become actually effective.
To move any large fraction of what an organization is doing under a classification umbrella (or under a comparable private), you have to--
Convince the (or coerce) right people to do it. You’ll hit resistance, because it’s an expensive pain in the butt. If anybody has to be strongarmed, then that will involve convincing those who are in a position to do the strongarming, which also takes time.
Set up a program and find people to run it. Or convince somebody else’s already overworked program to do it for you.
Define the scope and do the planning.
Possibly significantly restructure your organization and operations.
Probably cut loose most of any international collaborations.
Set up compliance, auditing, and reporting procedures, which are not simple or lighweight.
Clear your people. This takes time. You’ll have to work through an outside office. Individual investigations take months, and there’s a waiting list. Some of your people won’t pass. You will have to replace those people, and perhaps find something to do in some unclassified “rump” of your organization. Expect this to cause pushback, and not just from the affected individuals.
Train your people.
Set up technical security measures and facilities (usually meaning several large semi-independent projects with their own delays). The buildings have to change.
Wait a while for all the bugs to shake out. You will be relatively leaky while that’s going on.
Obviously it’s faster to do it for a relatively small fraction of your information, but it’s not what you’d want to call fast no matter what. And if the classified part is very small, it tends to have limited influence over what the rest of the organization is doing, as well as finding it relatively hard to maintain its own internal security.
I’ve never actually done any of this, but I’ve been close enough to it to see, at least through gossip, the outlines of how big a deal it is.
I think the biggest meta input I’ve gotten from your feedback, is that I need to publish a redteaming document for the theory of change of this work.
Also copied from another document. Sorry, I may need to publish all my work more clearly first, before soliciting expert feedback. Keen on your thoughts.
AI capability increases will outpace ability of US intelligence circles to adapt. Lots of information won’t become classified. - Weakly disagree
I have low (but not zero) probability we get ASI by 2027. If we get ASI by 2030, I think there’s enough time for them to adapt.
Classifying information is possible without significant changes in org structure or operational practices of AI labs. This means it can be done very quickly.
Classification is a legal tool.
The actual operational practices to defend information can take multiple years to implement, but this can come after information is already marked classified in terms of legality.
US govt can retroactively classify information after it has already been leaked.
This allows the US govt to pursue a legal case against the whistleblower under Espionage Act and prevent them from presenting evidence in court because it is now classified information.
The specific detail of whether information was classified at the time of leaking is less important than whether it poses a national security threat as deemed by US intelligence circles. (Law does not matter when it collides with incentives, basically.)
Case studies
Mark Klein’s 2006 leak of AT&T wiretapping—retroactively classified
Hillary Clinton 2016 email leak—retroactively classified
Abu Ghraib abuse photographs 2004 - retroactively classified
Sgt. Bowe Bergdahl 15-6 investigation file 2016 - retroactively classified
Well, yeah, but normally if you declare something classified, you’re supposed to shut it all down until those practices are in place. That’s a huge cost in this context, one that the people making the decisions may not be willing to accept.
… and if you do declare it classified but don’t actually protect it, that means that the whistleblower is dealing with a different landscape. If you’re planning to disclose anonymously, the actual protections, not the legal status, are what matter. Of course, if you’re not anonymous, the converse applies.
… and it’s getting nothing but more lawless in doing that.
If you’re dealing with a lawless enough government, it doesn’t even matter if what you did is actually illegal. Your life can be totally destroyed even if you win some kind of court victory 30 years later.
I’m saying this has happened multiple times in the past already, and has high probability of happening again
We seem to be mostly on the same page here honestly.
Not to argue on any specific points yet, but I think the main difference in approach between you and me is that mine is a lot more based on past empirical data, than theoretical speculation of the best way to do things.
I agree that a theoretical ideal opsec will cover multiple books. It is difficult to educate someone on that quickly. A shorter guide is actually better to not overwhelm someone with info. That being said, I’d highly encourage you if you want to write it.
This was a footnote, but I think I should actually move it up top.
Both you and I are distorting the landscape with this whole conversation.
Most leaks are humdrum, day-to-day, below-the-fold or inside-pages “an anonymous source in department X informs us that...” cases. Often the information involved isn’t classified. If it is, it’s not a big enough deal to put unlimited resources into it.
Those cases don’t get the level of investigation we’re talking about, with all the stops pulled out. Journalists are able to protect those sources.
But those cases add up and can have impact over time.
Honestly a guide for those cases might be more useful than a guide that assumes you’re going to be so hot you have to flee the country. But even those cases are complicated.
And you may guess wrong, in either direction, about how hot your disclosure will be.
I’m going to have to dispute this.
First, a handful of cases may be “empirical”, but it’s misleading to call them “data”. One reason I reacted to what you posted was that it was so full of “theory” derived from relatively narrow and shallow information.
Second, I watched all of those cases in real time, and have also watched a lot of relevant stuff that wasn’t in the news, or at least wasn’t on the front page, because it wasn’t high-stakes “whistleblowing”. There are impactful leaks that aren’t at the level of the Snowden drop. Beyond that, tons of relevant things play out every day in non-leak-related contexts.
No, I haven’t gone through and systematically analyzed everything I could find in a single process. But I don’t think you have either. How did you identify the cases you thought about? Just off the top of my head, where’s Mark Klein[1]? Where’s Deep Throat[2]? Did you use a systematic and relatively unbiased method of finding the “data” you’re relying on?
What I take from the [anec]data is that:
Nobody so far has taken what I’d think of as decent OPSEC measures in the kind of very high-stakes, headline-grabbing, usually-clearly-illegal whistleblowing that makes you a truly major target[3].
We therefore don’t know anything about what would happen to anybody who did. You may indeed get caught even with the best feasible level of OPSEC, but we have no experience with that case. We know the risk is real, but have no defensible way to quantify it.
The reason we don’t see cases with good OPSEC may be that really good OPSEC is so constraining that it keeps leaks from happening at all[4].
If you make a truly high-profile leak under your own name, or if you get de-anonymized, your life will definitely be turned upside down, probably including prison time. If you flee the country or whatever, you will still not have anything resembling a normal life. It’s not obvious to me that there’s a lot of difference in consequences between deliberately disclosing your identity and having it found by investigation.
At the same time, doing it under your own name makes you more credible.
You seem to have arrived at (4) and maybe (5), too, but I’m not convinced that the measures you suggest for reducing the disruption are going to have predictable positive effects. What happened to Julian Assange may or may not have been better than prison[5]. Snowden did better than prison, I think, but not great[6].
I don’t actually think it’s completely futile to try to do this stuff with lasting anonymity, whereas I think you may believe that it usually is. But to do that, you have to be a certain kind of person, with a certain kind of knowledge, and a certain mindset. If you’re not that person, you may have to become that person first. Which, by the way, can make you suspicious in itself.
On the other hand, doing it openly also requires being a certain kind of person. Instead of the ability to do OPSEC, you need the ability to handle blowing up your life, and possibly the lives of people who depend on you. Also not easy to become.
If they’re overwhelmed, they will fail. If they rely on a short guide, they will also fail.
I believe that step-by-step recipes are actively dangerous[7]. They create false expecations, giving people the idea that they know what they need to do, without equipping them to understand the limitations of the approach, or notice when it need to change to match individual, unforeseeable circumstances.
If you give people counsel about risks, you need to make them understand those risks, and exactly how and how much your guidance changes those risks. Short guides can’t even do that much, let alone do much beyond the most obvious things to mitigate those risks.
It might actually be safer to force people to think for themselves. Even the sort of OPSEC that keeps you from getting caught before you leak takes a certain mindset.
For every action you take, you have to think “Can this be observed? Recorded? How can its effects be seen? What can be inferred from it? What does it look like? Why would people (or nowadays computers) think I might be doing it? How will they react? Might it make me interesting? What other information can be connected with it? Who has that information? Will it be noticed immediately? Will an after-the-fact investigation find it? Is there a better way to get the same result?”.
Once you’ve internalized those questions, answering them takes a lot of factual knowledge, and the particular knowledge you need is specific to the environment you’re working in. But at least if you’re asking the questions, you have a fighting chance of identifying all of the knowledge.
I sometimes give individual advice on things like Tor. I might as well have a keyboard macro for “If the stakes are high (which I don’t know because there is no reason for me to know why you want to do this), then don’t try this until you understand <long-list> at a much deeper level, or you will fail”. But rarely do I need to explain everything about <long-list> itself. There’s usually a manual. If they can’t understand the manual once they’re told they need to, they won’t understand what I say, either.
I could maybe write a study outline: a checklist of things you might need to understand. I’m not volunteering, just saying I’d be capable of it and it might be useful. If I wrote a comprehensive book (or series of books), you’ve correctly pointed out that nobody would read it. It’d also have to be maintained, or it’d have dangerous inaccuracies scarily soon. Things change all the time.
Klein wasn’t an insider. They(TM) probably didn’t have a sense of having be betrayed (which matters a lot to the type of people who tend to get into military and intelligence jobs, but I’m not so sure about AI companies). They(TM) also apparently didn’t feel they had a good legal way to go after Klein. But, still, he did make a high-impact disclosure, under his own name, and skate. He might not have skated under a more vindictive administration, though. Some people, including more than one person we’re probably both thinking of right now, feel betrayed as a default state, and are willing to upend people’s lives without any real legal basis for it. And that can seep into organizational culture.
Deep Throat stayed anonyous, even though Woodward and Bernstein knew who he was. The technological, cultural, and even legal landscape may have changed enough that Deep Throat isn’t on point, but you don’t say why you didn’t include him.
Ed Snowden probably came closest. Manning and Winner, on the other hand…
Which may be why Snowden, who seemed to have a realistic inside view, didn’t really try to remain anonymous post-leak, and did in fact just flee the US (in which he very nearly failed). Or maybe he did it because he knew he’d be more credible with his name on the leak. But that should still be understood as him deliberately sacrificing himself.
It turned into a big pain in the butt for the government of Ecuador, too. I wonder if other governments may not have watched and seen it as a lesson not to take in foundlings like that.
And, seriously, everything about Snowden’s flight and asylum was weird. It doesn’t look like a good case to be generalizing from.
… at least unless they’re so tightly focused on a single set of circumstances that they nearly have to be written for a specific individual. I might be able to write you a somewhat digestible recipe for setting up X type of Web site as a Tor hidden service. At least if it were a simple kind of site. I’d feel better about it if the stakes weren’t too high. I could not write a reasonably digestible recipe for anonymously exfiltrating and disclosing just any data from just any highly paranoid organization.
I love your reply.
I actually think we’re on the same page about a lot of what you’re saying.
I agree with this. It is valuable for me to write a guide on those cases too. If I have to write only one guide I’ll write the one I’m writing now. But yes both are valuable.
I have some notes on both Mark Klein and Deep Throat, haven’t published. I do plan to publish a proper database of atleast the top 20 or so leaks (and ideally a lot more) with fact-checked information.
Short version is Mark Klein did not release classified information, and Mark Felt (Deep Throat) operated over 50 years ago in a different technological and legal environment. The NSA did not have same level of technical capabilities, nor had it bureaucratically hacked the FBI back then.
The main reason I’m pessimistic about anonymity in this case is the extent to which the NSA tracks who downloads every document. The list of suspects is small enough that everyone can be investigated, which means your best bet might be to attempt to falsely incriminate someone else in that pool. Apart from that having questionable morals, it’s also really hard to do for someone who lacks experience in this type of work.
If you are giving up on anonymity, I agree you have to be able to handle blowing up your life in many respects. I’ve recently been reading up on the possibility of taking spouse or children with you when you whistleblow. I do think this guide needs more resources on mental health.
This is valuable input, thanks for sharing this. I do understand opsec is a mindset not just a set of rules.
Someone who has the mindset still needs a clear set of rules though. And I think it’s better for a team of experts from the outside to write that set of rules, instead of the person themselves. They can make an attempt to adapt the rules to their circumstances.
I think it would be extremely valuable if there were fast ways to transmit this mindset to someone who does not already have the mindset. I’d love more input on how to do this. I will also think more about it myself. Most people at OpenAI/Deepmind/Anthropic are software developers and hence teaching them the mindset can be done more quickly, assuming they dont have it already.
I think the ethics of this come down to ultimately what the probability of success is. I think if you’re going the Snowden route of fleeing the country, you can afford to make some opsec mistakes and still escape with your life. The bar is nowhere as high as it would be, if I were writing a guide for someone trying to stay anonymous within the US. My guide explicitly says you will be doxxed eventually, it’s just a question of how soon.
I have seen some of these manuals on dark web. You can send me anonymous email at samuel.da.shadrach@gmail.com if you want to send me any. (I don’t operate an anonymous email myself for this circumstance, I think it could give me false sense of security if I create one and then post it here under my real name.)
The main reason I don’t want to tell people to just refer to a manual is none of the manuals are tailor made to this circumstance, they’re usually written by someone with a different circumstance in mind, such as a drug vendor or cyberhacker or whatever.
And a whistleblower has limited time and energy, they can’t go through 10 different manuals and carefully pick and choose what applies to their situation. They need a clear set of rules ready-to-go IMO.
Agree. My platonic ideal is atleast once a month, all the experts involved in writing the guide go through and approve any changes to it.
Right. And I think at least part of the reason he got away with it was that particular people (and courts) at the time felt constrained by the rule of law. This may not always apply.
I’m going to respond to this at more length, but I’ve moved most of it down because I think it’s a lower priority. The main point I want to make is that there’s a misleading attitude out there about the NSA, and letting your thoughts be all “NSA” may not be healthy.
I agree that everybody who’s watching will cooperate on something like what we’re talking about here.
That depends on circumstances, though. Sometimes yes, sometimes no. Some things you might want to leak may have fairly wide internal distribution. And sometimes there’s a way to get something outside of the normal channels. And sometimes they really don’t want to risk going after the wrong person, so those investigations need to be more airtight.
But surely not always.
Lots of people get caught trying to do that.
Well, what kind of rules do you want?
That litany of questions I posted could be considered as a checklist. But I’m not sure that asking them equips you to recognize when you have or haven’t actually answered them.
I might add something about thinking about the other side’s constraints and available moves, and about not being comfortable that you understand something until you’ve confirmed how it works at the “gears level”. That’s where all the factual knowledge comes in.
Other than stuff like those questions, I don’t know a way. I think it’s partly about seeing these sorts of games played a lot of ways, and partly about the innate ability to think through all the possibilities with the right kind of paranoia. Paranoia that’s skeptical of itself.
In some sense it’s like the skill of finding all the cases in a mathematical proof, except that in practice you also have to be able to decide you’ll live with a “counterexample” if it’s improbable enough. Which, of course, means judging how improbable it actually is. It’s easy to fall into error there, in either direction.
… and of course this is all “theoretical” on my part in that I’ve never actually done it when anybody was really going to go after me.
… and to whether the person at risk knows that probability...
Egad, no, not those “manuals”[1]!
Most of that stuff is drivel. It tends to be a total mishmash of truths, half-truths, unsupported folklore, misunderstandings, outright lies, and regurgitated disinformation, collected by people with no coherent internal model of How Things Work to measure any of it against. Then it gets filtered through whatever conspiracy theories the writers use to feed their addiction to feeling like they know the Hidden Truth(TM), with incompatible evidence discarded.
Trying to dig real information out of that material is at best horribly frustrating, and it’s terrible for helping you get a coherent model, especially a coherent accurate model. At most it might give you some search terms, and even then you need to be super skeptical of what you find.
And not any “howtos”.
I mean the actual manuals that actually explain how the systems involved work.
For technical information, that means not something entitled “How to HaxOr on the Dark Web lol”, but the manual for the OS. The manuals for servers and monitoring systems. The protocol specifications. Security product literature. Technical security standards. Architecture textbooks. There’s no royal road; you have to actually understand how things work.
Figuring out how organizations and institutions work is harder than technology, because they vary, they have fewer relevant physical or mathematical constraints, they don’t tend to have public documentation, and they don’t always follow their own internal “rules”. You can piece some of it together, and for the rest at least you can often figure out what you don’t know. You can look at court documents, official procedures, security management standards, even amusing personal anecdotes about bureaucracy. You can infer some of it from the features people have seen fit to put into technology that supports the organizations. But you won’t get it from something called the “The Truth about the NSA(TM)”. If anything there are more silly conspiracy theories about institutions than about technology.
This may be the crux of the issue. I would tend to say that if you’re not already pretty sophisticated, maybe you shouldn’t do it. Not just because you don’t know your risks, not just because you may be unprepared either to stay anonymous or to deal with the consequences of not being… but also because you may not understand the actual impact, or lack thereof, that your disclosure will have when it hits the real world.
Sure, but it’s super hard to actually do even a far less perfect version of that.
Surveillance and “the NSA”
A couple of reordered quotes--
I think we’ll probably agree that, at least in your main scenario, it doesn’t actually matter much exactly who watches what. You can expect them all to be cooperating, and it may not matter much in the end. But I think it may matter enough that it pays to keep a clear model of them. And for the sake of that...
It’s not just the NSA spying on everything, nor the NSA and the FBI, nor any fixed set of people. Also, the NSA qua NSA isn’t as omniscient as some people think. And information sharing isn’t about “hacking”, even bureaucratic hacking. If you think of all the people who are watching in terms of a monolithic, all-knowing “NSA”, you may make mistakes.
Basically every modern institution, even non-secretive ones, logs internal downloads (and external network connections, and more). You can end up doing that without even trying, just because of the software defaults. I believe the NSA does not usually have access to such internal logs. But, again, for this case, they’re on the same side as the people who do.
The people who matter most in terms of noticing your initial acquisition of whatever information will be your organization’s internal security and counterintelligence functions.
Where you get into trouble with the NSA is out on the public Internet. After you exfiltrate your data, the NSA is the agency that may be able to figure out where they went, or link your activities outside of the organization you’re whistleblowing on with your activities inside of it.
I think the technological change is really the key point. Back then, you couldn’t keep a log of every download; there were no downloads. If somebody photocopied something, that would at most show up on a total copies counter on one of any number of machines. And there weren’t likely to be permanently recorded cameras in that parking garage (which would mostly likely belong to the garage, not the NSA).
As for organizations, the FBI at the time was the J. Edgar Hoover FBI. I’m not sure anybody had to hack it to weaponize it. And the NSA was still the totally secret No Such Agency, and was almost entirely focused on foreign COMINT (it’s still basically about COMINT, and theoretically foreign).
I’m not sure what “bureaucratically hacked” means. I don’t believe the NSA has substantially infiltrated the FBI in some undercover way. A lot of interagency barriers went away with the (stupid) USA-PATRIOT act and the surrounding restructurings. But those changes weren’t “hacking”. They were openly imposed by official policy from above and outside both agencies (even though they were probably welcomed on both sides).
And please don’t say “Dark Web”. It romanticizes a bunch of unconnected Web sites, many of them run by fools and cranks, into something they’re not.
There is a more recent list of examples of people who also got away with publicly leaking summaries but not leaking classified information. Your point is also true, but I think classified information being leaked is a bigger factor. It’ll be easier for me to argue all this once I publish an actual list of case studies.
Sorry, I need more time for that.
Yes I agree this is required for the multiple books opsec guide, not the 10-page quick guide. Again, the question comes back to probabilities. These are very much not the actual numbers but if P(no guide, no prison) = 50%, P(10-page guide, no prison) = 65%, P(1000-page guide, no prison) = 80%, then it is worth publishing a 10-page guide.
You can have wide uncertainty on every single one of these questions and still conclude that whistleblowing is the correct decision. See the example probabilities above.
I agree that my guide should include a section on predicting potential outcomes after you whistleblow. I will definitely do this. Thank you for the suggestion.
I agree this model is valuable to have, and I appreciate you writing this up.
I honestly do think though that by 2027, there is a good chance internal security for AI companies will directly report to the head of the NSA and ultimately the president, not to the head of labs.
And not just in a legal abstract sense like how Lockheed Martin’s various security teams may be accountable to the govt, but in the sense of how Manhattan project security directly reported to US military generals who frequently visited the sites for inspections.
I would not be surprised if NSA leaders built war rooms and private residences inside the datacenter compound, although this might be me speculating too far. If it happens though it may take longer than 2027, maybe 2029? It depends on timelines honestly.
I’ll try to think of a way though. It seems valuable to do.
Agree!
Snowden in Permanent Record considers Dick Cheney, vice president and Michael Hayden, NSA director co-conspirators. I don’t have a lot of data to argue this but I do think the FBI director was intentionally kept out of the matter.
Your description is not wrong, there’s nuances here I haven’t tried to fully understand yet either. Thanks for the pointer that this may be worth doing.
Thanks a lot for typing detailed reply.
Are you interested in scheduling a call to go through this? I could reply here but a call might be faster.
I usually refused to do that even when I was getting paid. I dislike trying to do anything complicated with real-time interaction, and furthermore I believe that even the people who like it get inferior results.
I’m also not sure how much more time I want to put into this.
You can? How?
You might be more credible, though. Anonymous summaries aren’t going to be believed.