OK, now I’ve been through this whole thing.
For the record, I would like to say that I don’t think the AI labs will get to the level of secrecy of something like the NSA before the whole issue becomes moot. So this is all pretty hypothetical. But it’s a kind of hypothetical that I’ve spent a lot of time on.
I also have my doubts about the value of guides like this in general. But anyway...
A summary would include broad overview of the situation as you see it, but not a lot of details or any classified documents or recordings.
Summaries have limited credibility.
Anonymous summaries have almost no credibility, and summaries are hard to write without losing your anonymity. What you choose to include is identifying… and may also have implications about what you don’t know, which is also identifying. The phrasing you use is also identifying.
… so any option that includes both “anonymous” and “summary” should probably be eliminated as not worth the trouble. You’ll put yourself in danger, and nobody will listen to you.
As per my reading of all the past NSA whistleblower cases: 2 is slightly better than 1 3 4, 7 is far better than 5 6 and 8 is unlikely. Therefore this document is actually a guide for 7. (Leak US classified information, become public outside of the US)
I disagree. In most cases, I think 5 (leak details anonymously and stay in the US) is the best strategy. But you’d better know what you’re doing.
Being public is slightly better as you can then control the media narrative of your story.
As I said in my first comment, “You can?”.
Reporters will write what they’re going to write, and others will react however they’re going to react. You get to tell them your version of “your story”, and your adversaries get to tell them their version. Which they choose to believe is up to them.
… and almost alll reporters will try to make it a personal story about you, rather than a story about whatever important information you’re actually trying to call attention to. It gets clicks, but those may not be the clicks you want. The less “personality” they have to work with, the less they can do that.
In almost all cases of 5 and 6, people spent atleast 3 years in prison. How good their opsec was did not matter, although some had much better opsec than others. IMO do not trust all the opsec guides on the internet that suggest otherwise.
There aren’t that many of these cases… and none of them have had anything close what I would call “good OPSEC”. Having extended conversations with random people is not OPSEC.
But it’s also true that you won’t learn how to do maintain OPSEC from some succinct “howto” guide, because it’s complicated and demands that you actually know how things work. There are an almost infinite number of ways to go wrong, so The Way cannot lie in trying to list them all.
The sysamdmins working for the NSA leadership internally track who downloads a document from a central database. If you make a document public, the NSA now has a small list of suspects who have downloaded that particular document from their databases in the last few months.
Any “high security” operation does this as an explicit policy. Many commercial companies do it. Most document storage servers keep equivalent logs as a matter of course anyway. Every Web access is logged. And nowadays there’s spyware/bossware/EDR on many business computers, so your local activities are also watched.
You have to assume everything you do anywhere is logged unless you know specifically why it isn’t.
Some of the more paranoid organizations also watermark the individual downloaded copies in various ways, or even vary the text. It may take AI companies a while to get there.
You may be able to identify in-text watermarks by getting your hands on multiple copies from different sources. Rendering documents to images (and processing those images with simple tools, and paying attention to things like what fonts you’re using) may be best.
If possible, you want to get your document via some back channel… one that doesn’t itself raise alarms. Which is much easier said than done and is beyond the scope of any brief guide.
This applies less to things that get broadcast internally.
The only recent case of someone avoiding prison while leaking US classified information is Edward Snowden, who got asylum from Russia. Leaving the US geopolitical sphere of influence is by far your best bet if you look at historical data.
Again, in public reporting, I think it’s more like “historical anecdotes” than “historical data”. That’s especially true because “spy swaps” are kind of out of scope; you don’t qualify for that consideration.
But this may be true if you can live with whoever you think might give you asylum. And remember that Russia wasn’t Snowden’s original plan.
If you’ve already obtained asylum in a foreign country, that govt is willing to protect you from the US govt.
You mean before you did your leaking? What if you ask them, saying you plan to leak, and they instead choose to rat you out? And you don’t know how much pressure will be applied or how they’ll respond. Governments aren’t monolithic and don’t have friends, only interests.
If you plan to leak and leave, you’re fundamentally just going to have to hope that somebody will shelter you, without any prearranged assurance of that.
How to leak classified documents and leave the US
The more complex a plan you’re following, the more planning is required. If you are willing to follow a more complex plan, you can ensure a slightly large window of time for yourself, from when you steal the documents to when you are deanonymised.
Subject to the assumption that you’re going to leave the US, I agree that you are going to get deanonymized. The mere fact that you, one of the relatively few people who had access in the first place, left the US at around that time is enough to paint a giant target on you. And once you’re an individualized target, you’re doomed with very high probability.
That’s why I actually believe that, if you’re going with an anonymity-based strategy, you want to stay in the US. And, yes, you will need much, much better OPSEC than any of the past cases have had.
Objective: leak US classified documents, leave the US, reveal identity to public outside the US, neither you nor anyone in your circle gets imprisoned
Not sure that’s adequate. Was Julian Assange “imprisoned”?
Here’a a more advanced plan that might get you a few more months of anonymity.
I can see the value of days or weeks of anonymity while you make your exit, and I can see the value of trying for permanent anonymity so you don’t have to exit. I’m not sure I see the value of trying for “a few more months of anonymity”.
So, looking at it from a more “let’s try for long-term anonymity” point of view:
redact documents yourself (don’t trust a journalist)
I’m not going to go point-by-point on the redaction guide, so I’ll put this here.
Remember that the specific information you choose to redact is a clue in figuring out who you are. In general it’s safer for you (as opposed to other people you may also need to protect), if you remove watermarks and metadata, but don’t remove “real content”.
One of the tradeoffs with removing either content or metadata is that too many visual changes make documents less credible. Turning a document with characteristic formatting into plain text will make people doubt it, beyond the actual evidentiary value of the change. Paraphrasing is going to be fatal to credibility; it’s too easy to spin that as your having fabricated the document or deliberately slanted the paraphrase.
encrypt the documents twice, first with your symmetric key and second with various journalists’ pgp public keys
I’m not sure what threat you’re trying to address with the double encryption. Is the idea that if the file somehow makes its way from the dead drop to the journalist before you tell them where to pick it up, then they still won’t be able to read it until you send them the symmetric key?
That seems like an oddly specific failure mode, and one that shouldn’t be fatal if it somehow does happen.
Note that if you do this with PGP, the outer layer of encryption will identify the intended recipient.
copy the encrypted documents to printed paper (or else USB)
Many printers watermark their output. Many USB sticks have serial numbers that may theoretically be traceable to where you bought the stick. This can thwart your metadata-stripping work. And I dislike the whole physical approach because...
setup 10-100 anonymous dead drops in the US
If you try to set up that many physical drops, you probably will get identified as soon as anybody tries in earnest to investigate. There are cameras everywhere nowadays. Meatspace is not safer any more. Not against a really angry major nation-state adversary.
wipe your house clean
Your house should never have been dirty. Seriously, from the moment you walk out the door with those documents, your house, except maybe for one very tiny, well-understood area, should be completely clean every second you’re not in it, not just of definitive evidence but of anything remotely unusual or suspicious. Which is hard to assure if it wasn’t also clean before you walked out.
And your person should be clean the vast majority of the time.
fly to country A
… or, again, stay in the US and try for long-term anonymity.
send anonymous messages to 10-100 journalists revealing dead drop locations and decryption keys (use a secure channel with pgp+airgap on both sides to communicate)
“Send anonymous messages”. Aye, there’s the rub. Available tools are limited, and using them safely requires real, detailed understanding of a whole lot of quite technical things. It’s especially hard if you want them to be able to reply (which I wouldn’t recommend). “Use Tails” isn’t remotely enough guidance.
Using both physical drops and Internet communication just means you now have two independent ways of being caught. Multiplying exposures is always a bad idea. If you have an anonymity system you’re willing to trust, you should probably just send them the raw document images, assuming they’ll fit in the available space, and dispense with drops entirely.
Or, if the files are too big and your anonymity mechanism permits it, use it to upload the files to cloud drops, and send the locations.
I doubt you’ll find 100 journalists who have active PGP keys in 2025, and you might not find 10. More have things like Signal nowadays, but chat systems like that are not effectively anonymous, not if you’re assuming that the spy resources of the US government are truly focused on you. Even the Tor ones can, under some circumstances, be vulnerable to traffic analysis.
If your redaction is good enough, you should be able to just publish the documents, along with any suggested ways of corroborating them. If there’s no way to corroborate them other than your say-so, then you may not get anywhere anyhow even you’re not anonymous, let alone if you *are.
Back-and-forth communication will get you in trouble sooner or later.
contact lawyers and retain atleast one
This step will be fatal to your anonymity. Possibly immediately so if you’re forced to disclose an intention to do some future illegal act. And you may not know that one of your necessary future acts is illegal.
It’s actually not necessary to do this in advance if you assume that the people who are after you are going to stay within the law. Just learn “I have nothing to say without my lawyer present”. You might want to mentally identify a lawyer to call, or somebody who could be asked to help retain a lawyer on your behalf, though.
walk into country B embassy in country A and apply for asylum
This step will probably be fatal to your anonymity. They’re not going to talk to you without knowing who you are, and they can’t be trusted to keep that secret.
The benefit is you might remain anonymous for a few months maximum before the NSA identifies you, because they need more to time to narrow down the pool of all suspects who downloaded that specific document.
Again, you should not be in that pool, at least not unless you have a lot of company.
Depending on your skills my guess is there’s still a >20% chance your identity is made public within one month of you sending the documents to journalists.
If you’re going to do this, you probably want to develop some skills first.
US border and airport security has increased in subsequent years and they’re a lot more likely to confiscate your electronics or demand decryption keys. (Snowden leak may or may not have influenced this.)
Nah, they’re just searching everything on principle.
I do not recommend trusting any journalists with your identity if you have the time and energy and skill to redact documents yourself. You can always involve journalists in the plan after your identity is public.
Perhaps the correct way to view this is that giving your identity to anybody, including a journalist, basically is making it public. So don’t do that unless you want to do that. The tradeoff being that your disclosure is far less credible, both to journalists and to their readers, if you’re anonymous.
A lot depends on what they can check, but you also have to be credible enough to make it worth their while to check.
Spend time to take a clear decision on who is in-the-loop on your plan to whistleblow. See below for my recommendations.
Spend no time on this. The right answer is always “nobody”.
If you have sufficient funds, leave some funds behind for your family members in the US. They will need this for legal expenses, until you have revealed your identity and can direct more funding towards them.
If you’re responsible for a family, you probably shouldn’t be doing any of this, especially not any of the “flee the country” versions.
Where are you going to be getting this “more funding”? You may not be in prison, but your job prospects are gonna be pretty limited. Although admittedly a lot of AI people nowadays have significant cash.
Read mental health resources as required.
As you point out below, your searching for these creates an evidentiary trail.
I would strongly recommend distancing from your social circle over a period of multiple months,
This is suspicious behavior that will be noticed and remembered.
Also, you probably shouldn’t be doing any detectable action related to your whole whistleblowing plan for “multiple months”. The longer you prolong your execution, the more chance you have of hitting trouble.
Apart from your lawyer, I do not recommend keeping anyone in-the-loop by default until you have obtained asylum.
Again, lawyers are required to report their clients’ credibly stated intentions to perform future illegal acts.
Your lawyer may be able to provide better advice on what information is appropriate to share with other people in your circle including your family members.
Lawyers aren’t spies or spymasters. They have a certain basic ability to not be completely stupid with supposedly confidential documents most of the time, but few of them can operate anywhere near this level.
Until your identity is safe to publicly reveal (and likely even after that), you cannot support anyone in your social circle living in the US sphere in any way. It could take many months before you can support them.
It may never be possible to support them.
If you get asylum in Russia, your family will likely be allowed to leave US and enter Russia.
I don’t think Russia’s in the business of handing out asylum all the time. Past Snowdens aren’t a guarantee of future performance.
Setting up a secure machine running tails does not by itself incriminate you. You are allowed to change your mind afterwards and decide not to whistleblow.
It’s kind of the idea of Tails that you don’t have to run it on a separate machine. Although it’s also true that if you use your main machine for anything you have risks like MAC address leakage from Tails bugs or unusual firmware behavior.
Be aware that Tor may not be an impenetrable barrier.
As of 2025, I have not been able to find any case with public evidence of a person becoming a person of interest due to search results alone. Usually search results are used to investigate only after you are already a person of interest.
Yes, but the thing is that there’s “more interest” and “less interest”. They(TM) don’t even have all of everybody’s search results, but if you manage to get into a pools small enough for Them(TM) to go get your search results, those results can further narrow the pool.
If you do finally decide to whistleblow, your search results starting from today could reduce the time required by the NSA to doxx you.
Indeed. In fact, so could your past search results. You have to think about your existing posture.
How to setup secure machine for planning and research
This whole section has its heart in the right place, but taken as a whole it causes you to do a lot of noticeable, suspicious things, and on net I think it puts you in danager.
Purchase a new windows/linux machine.
If you’re going to have a dedicated machine, it’s better to make it a used machine for bought for cash at a bricks-and-mortar store.
Physically disconnect the wires to the mic, camera, wireless adapter. Open the case and use a plier.
Better have a story about why you did that.
At least just unplug them so they can be plugged back in again later.
Only connect ethernet cable to router. No wireless signal.
This implies that you’re doing your Internet access in your own house. This may or may not be a good idea. There’s a lot to be said for public WiFi in secluded little nooks. Preferably nooks that would be in character for you to visit anyway.
Purchase a USB drive and install tails on it.
Actually, I would probably use Whonix from an amnesticized “live” USB stick… although that’s another knowledge barrier.
Reserve a separate room in your house where this machine is kept.
I rate that as impractical, unnecessary, and suspicious.
No mobile phone or other device allowed in this room.
Remember that as yet you’re not a person of interest. Nobody is going to be running covert channels or installing spy cameras… and if they do, you lose anyway. Not having your phone in the room while you’re doing secret things might be a good precaution. Turning it off might not be, by the way; that’s detectable and most people don’t do it much.
Even better, physically dismantle and destroy your phone, if you can manage to still keep your job and manage your life without a phone. No other person allowed in this room.
These are suspicious enough that all your acquaintances will remember you did them. You will come off as some kind of paranoid freak, you will jump to all of those people’s minds when your leak hits the news, and they may very well spontaneously report “tips” about you.
What specific threats are you trying to counter with this?
Important: Resist the urge to search whistleblower related info on your other devices or on home or corporate network in clearnet.
If you feel an “urge” to do that, as opposed to immediate horror at the mere idea, you haven’t internalized The Way.
… but also minimize your searches over Tor (or I2P or whatever). Get the information you need, and no more.
“Walk out of the building” guide
Do not raise any complaints whatsoever via internal channels.
Yep.
Make sure to access a large number of documents from the database, not just the ones you will be publishing.
Make sure not to look weird. If you’re downloading an unusual number of documents, with no obvious reason, that in itself is suspicious. You may get yourself watched heavily before you even try to grab or exfiltrate your actual target. And you’ll still be in the list of people who downloaded it. And if you download anything not clearly related to your job (including the target), that may be suspicious to anybody going through logs after the fact.
A standard SD card will do, as it is easy to smuggle. A USB drive or hard disk drive will also do.
Extra points if you’re actually allowed to have it.
In highly classified areas, such devices are forbidden, or subject to “once it checks in, it doesn’t check out” policies. They do search people, and they don’t tend to be forgiving if they find anything, especially if seems to have been deliberately concealed.
Also, even in standard commercial security, computers tend to have their USB and media ports disabled, in ways that aren’t easily bypassed without obvious physical attacks. And every USB device inserted may be logged… or even every file copied to and from such a device. And God help you if you try to boot from USB.
An actual whistleblower candidate will, or at least should, know, or be able to learn or infer, much more about their own facility’s security than even a very experienced “guide writer”, so really what’s important is to remind them that they need to watch for unobtrusive measures.
If you are releasing a lot of video content you may need to purchase multiple disks. As of 2025, it is not common to get disks larger than 12 TB. Prefer purchasing a disk with high throughput like 1 GB/s instead of 100 MB/s.
I don’t see how that’s likely to be relevant to AI… and I also don’t see how anybody is going to get away with walking out of a “secure” facility with stacks of 3.5-inch disk drives.
Video recording guide
Any recording you make will probably identify who you are, regardless of whether you speak or are officially a party to the conversation. The video angle identifies where you were. You can even often figure out where a microphone was. There may be identifying incidental sounds.
Your recording device will probably leave an individualizable signature on the captured data, and that may be used if you’re ever actually a target of investigation.
So this isn’t viable for any anonymous approach.
It is best to continue playing your old role at the company, and invent plausible reasons why a person in your role would need access to the leadership or to a specific meeting. For instance you may want to volunteer for additional responsibilities or attempt getting promoted.
Again, this is not viable if you want to remain anonymous after the fact. It may get you in the door, but people will realize after the disclosure comes out.
Spy hardware typically is designed to be hidden (in your shirt, in the wall etc) with an almost invisible opening.
Most of what’s sold to the public with explicity “spy” labels on it is also low-quality schlock. I’d be tempted to build my own.
But anyway, once you go beyond what you can do with your phone, you’re getting into a lot of very complicated, highly technical stuff. I would just leave this out unless you’re prepared to write a book about it.
I think a lot of the specific advice here is at best questionable, but I’m not going to argue point-by-point. Not my specialty anyhow.
Well, except for this:
Parabolic mics are designed for surveillnce and can pickup at >1 metre distance.
Laying blankets or padding behind the talker can help, for recordings taken at >1 metre distance.
“Hey, Boss, please stand in front of this anechoic backing while I point a one-meter dish at you?”
The Sting Book (1994) by Steven Frazier
Wearing a wire for law enforcement is very different from wearing a wire for whistleblowing… and the available hardware, at least near the “high end”, is almost unrecognizeably different after 30 years.
You need to do redaction (removal of private information) and metadata removal. Always do metadata removal first, redaction second.
Your redaction tools may introduce their own metadata. And that’s all I’m going to say about the redaction part. In general it needs a ton of work, and it’d be book-length in itself done right.
Travel paths
My naive guess
You probably want to leave out all naive guesses. There are procedures for getting asylum.
Ecuador and Russia are only of special interest if your initials are “E.S.”.
Really, this whole “fleeing the US” thing, including but not limited to asylum, is a huge crapshoot, and unlikely to work, unless you know of a specific political angle relating to whatever specific whistleblowing you’re doing.
It is possible to ask for more information from a lawyer before you leave the US. There is a low probability your lawyer will get you imprisoned.
Again, if you inform a lawyer that you actively intend to do something illegal in the future, that’s not privileged and they’re required to report it. You can say “I did this illegal thing in the past, where do I stand?”. You can say “Would it be legal for me to do this?”. You cannot say “I plan to break this specific law next Tuesday”.
Case study
These case studies are really situation-dependent, and amount to people getting asylum or not because various leaders were playing various political games that weren’t entirely, or even mainly, about those particular whistleblowers. It’s dangerous to try to generalize.
Legal expenses are by far your biggest expense, as per case studies.
Being cut off from your own funds is a potential risk.
Soon after the first meeting with your lawyer outside the US, they should help you contact organisations that can fund expenses on your behalf.
If you don’t know in advance of specific organizations that would be motivated and able to fund you, then assume there will be none. And make sure you have an actually detailed and sophisticated understanding of those organizations, not some kind of “Well, obviously X would want to...” generalities.
Don’t carry more than $1M as this makes you a target for theft.
A lot less than $1M will make you a target for theft. But what does it mean to “carry” cryptocurrency?
As long as they’re OK with the cryonics provider getting them post-autopsy a week after death.
I really doubt they’re going to get timely access, and the chance that the instructions on that dogtag will be followed is probably about zero.