Working with Whistleblowers 

as a Journalist

Whistleblowers who reach out to journalists with information generally aren’t activists. They are typical employees who have tried to raise concerns with their management and were frustrated by the response and perhaps harassed. However, because of their unique knowledge, they pose a threat to their employers and are especially vulnerable to reprisal. Journalists need to understand not only the value of a whistleblower’s information but also the challenges and risks faced by sources who are employees. 

What is Whistleblowing?

A whistleblower is an individual who discloses information that he or she reasonably believes evidences: a violation of law, rule or regulation; gross mismanagement; a gross waste of funds; abuse of authority; or a substantial and specific danger to public health or safety.

Understand the Risk of Reprisal

No matter how right they are about wrongdoing, corruption, and public safety threats, employees who speak out often suffer reprisals rather than thanks. Allies that support whistleblowers— including journalists and advocacy organizations—are also vulnerable to retaliation.

Reprisals against whistleblowers can take a range of forms, including: retaliatory investigations, gag orders, removal of duties or resources, reassignment, public humiliation, surveillance, management efforts to recruit complaints by peers, poor performance appraisals, threats, harassment, termination, violence, and lawsuits for defamation.

​

Understanding that whistleblower law is complicated can help protect your source.

Despite the standard legal definition of a whistleblower, no single law protects employees who disclose evidence of serious wrongdoing. Instead, a patchwork of more than 60 federal statutes and numerous state and local laws protect and provide redress for whistleblowers. While there may be legal protection available for your source, he or she could also fall through the cracks.

Figuring out what legal protection might be available to a specific whistleblower depends on several factors:

What is the nature of the information? The federal Whistleblower Protection Act (WPA) allows most federal employees to challenge nearly any significant abuse of authority with consequences for the public. Whether protection exists depends on whether the issue the whistleblower is disclosing relates to an area that is subject to regulations and rises to a level of severity to demonstrate a violation, abuse or threat of harm.

​

​Who is disclosing the information? Different protections apply depending on whether the whistleblower is a federal employee, a federal contractor, a corporate employee in a publicly traded versus a privately held company, an intelligence/national security employee, a state or municipal employee, a citizen of another country or an employee of an international organization.  

​

Is the information classified? In the United States, whistleblowers have no legal protection to publicly release classified information. Indeed, it is a criminal offense for which they could be prosecuted. Similarly, there is no protection to publicly share information whose confidentiality is specifically protected by a statute, such as the Trade Secrets Act or the Privacy Act.
  

​
Where was the disclosure made? Local and state protections vary significantly and can sometimes preempt federal remedies or limit the choice of venue for appeals.

How and to whom was the disclosure made? Whether protection exists might depend on whether the whistleblower disclosed concerns as part of their job duties or on personal initiative; whether they disclose internally to co-workers, supervisors, union representatives, ethics officers, ombudspersons; or whether they report externally to Congress, an Inspector General, an oversight agency, a watchdog organization, or the media. Certain laws may also mandate that the whistleblower report the concerns to specified parties in a prescribed order to receive protection.

What reprisal has the employee experienced? Different laws protect against differing kinds of retaliation taken in response to whistleblowing. The federal WPA outlines specific prohibited personnel actions that cannot be taken in retaliation for protected whistleblowing activity. Most federal corporate whistleblower laws protect against any discrimination sufficiently severe to create a chilling effect on the exercise of associated rights, a broader standard, while some state common law rights protect only against wrongful discharge but not reprisal short of termination. 

When did the employee became aware of the reprisal? Statutes of limitations differ widely, ranging from 30 days to three years or none.

Anonymity: Challenges & Consequences

Remaining anonymous is not always the best strategy for a whistleblower, particularly if they have raised the concern internally or if the employer would know from the nature of the disclosure that the employee was the likely source.

Often whistleblowers need or want anonymity since speaking out publicly may be illegal or invite retaliation. Be aware, even with strong efforts at protecting a whistleblower’s identity, they are still at risk while an employer searches for the internal source. Work with the whistleblower so they are not releasing possibly traceable information. Specific information only the whistleblower had access to or could have known can be as much of a signature as their name. 

If your source asks for anonymity, understand what that means for you. At minimum, it means choosing to make a human interest aspect of the story not about the whistleblower but about the risk or damage done to others by the wrongdoing your whistleblower exposes. 

More significantly though, it means recognizing the legal limitations on your ability to maintain the confidentiality of your source. In many states, journalists are protected by shield laws or courts recognize a reporter’s privilege to keep their sources and notes confidential when asked to reveal sources under demand of a subpoena. But there is no protection at the federal level, and like whistleblower laws, these are also a patchwork of protections that may differ state to state. If you are not protected by these laws and a judge orders you to name your source, you could end up in jail for contempt of court if you refuse.

Consult with a lawyer before you take on the story and work out details of any anonymity arrangement with your source at the beginning of the reporting project to make sure your responsibilities are clear. Government Accountability Project is able to act as a broker of information in certain cases, which can help protect both the journalist and the source.
 

Classified Information

Disclosing classified information is a felony. There is currently no public interest exception or defense available even to a whistleblower whose disclosures reveal illegality far more serious than release of classified information.

A few key points about working with classified information are worth noting. First, under the statutory definition in the Intelligence Identities Protection Act, the information must be marked as classified or specifically designated as such orally to qualify as classified information.

Second, whistleblowers are generally able to sanitize any classified knowledge by focusing on the consequences of the problem or pointing to relevant unclassified documents, so long as they do not disclose any classified information.

Finally, under Executive Order 13556, agency “pseudo classifications” such as “Controlled Unclassified Information,” “Sensitive Security Information” or over 100 other agency secrecy categories do not restrict a whistleblower’s right to disclose it publicly. On paper, liability requires explicit notice of classified information’s status. In practice, however, the government often ignores those distinctions. 

Asking a source directly for classified documents can also put a journalist at risk of prosecution.  Directly soliciting a classified document itself isn’t advised, for both you and your source’s sake.

Journalists who work with whistleblowers should realize that any story based on classified information may result in the whistleblower’s prosecution. The chances of reprisal are high, and even the most proficiently anonymous whistleblowers often can be traced based on work access or job duties.

Journalists should always encourage whistleblowers to seek the counsel of an experienced lawyer with specialized expertise in whistleblowing to report internally via approved channels.
 

Protecting Your Source

How should journalists balance the conflict of wanting to publish a potentially groundbreaking story while knowing that the whistleblower source may be best served by consulting with a lawyer first? Journalists should not hope their source avoids getting proper outside legal advice, or worse, discourage them from doing so. Instead, they should research and match-make potential whistleblowers with the right lawyers—those who support responsible whistleblowing but know where all the traps are. Most lawyers do not have experience with whistleblower law and do not fully appreciate that clients have competing interests: job security but also public-interest concerns. Lawyers should try to help the client weigh those competing interests rather than assuming job security is the employee’s only, or even primary, priority.

There are also occasions when blowing the whistle publicly may be the best recourse for the employee’s security. For example, if employees have already raised concerns internally, they are uniquely vulnerable, so blowing the whistle externally and loudly rather than retreating might be both the safest and legally strongest course of action. Depending on the circumstances, “half way” whistleblowing can easily leave the whistleblower with the worst of all worlds, isolated and unemployed, without having made a positive difference.

However, only lawyers with a thorough understanding of the law will be able recognize when to implement that strategy.

Government Accountability Project is unique in that we not only know how to blow the whistle safely, but our mission often relies on effective partnerships with NGOs, journalists, and agency and congressional staff. We have lawyers on staff to ensure whistleblowers have the benefit of attorney-client privilege, a heightened level of protected confidentiality. This can help whistleblowers work with journalists at less risk to themselves. 

Information Security

If an employee has come to you with information about serious wrongdoing, journalists should exercise special care in communicating with the employee source to ensure that the employee retains the flexibility to consider all options in making choices about the best, and safest, ways to disclose information. Below are some best practices that can help protect communications with whistleblowers

Sources should not contact advocacy groups using work-related email accounts, computers, or telephones. Whistleblowers who are current employees should use non-work computers scanned for monitoring software or malware that could be used to record their activities. They also should consider using both secure operating systems that the individual controls and an anonymous web browser (such as Tor).

​

Be careful about how you ask for documents. It’s always better to phrase a request as “How could I obtain documents to back up what you’re saying?” rather than directly ask a source to provide actual documents. For classified documents, note that it might be illegal to instruct or directly aid a source in sharing classified information with someone who does not have the proper clearances or “need to know.”
  

​
Handle electronic documents with care. Be careful about transmitting documents electronically, especially if they are going through a third party. Anything sent via email (e.g., Gmail), stored on Google Drive, or added to an internal calendar could be subject to a subpoena issued to the third-party service that may not be as committed to protecting the identities of its users.

​

Use Signal or encrypted email for communication and document exchange. Encrypting emails makes it so the content is only readable by you and the recipient. If encrypted properly and without compromise (i.e., free from malware that allows spying on your or the whistleblower’s computer activities), the government will only be able to see the metadata of the email (e.g., the header information containing details about the email recipient and sender, the date and the subject line), but the content of the message will remain encrypted and unreadable. 

​

Use SecureDrop for the most sensitive communications and documents. Journalists that actively communicate with whistleblower sources should consider employing SecureDrop to receive documents, a secure platform developed primarily to protect source communications with journalists. The information remains encrypted until it is transferred to an air-gapped computer that never connects to the Internet.​

Store sensitive documents securely. Ideally, sensitive paper documents should be stored in a secured office, safe or locked file cabinet. Electronic documents can be encrypted and stored on a flash drive that can then also be stored in the secured physical location after deleting unencrypted copies stored elsewhere.

​

Be cautious about original documents. Do not post the originals online, where identifying features could be discovered. Printers leave nearly invisible identifying markings that can be used to track down the source of the disclosure. If you insist on posting sensitive documents, consider re-creating or re-typing your own version for use or disclosure.

Remove metadata from documents or photos posted online. Make sure to remove the metadata, such as the location a photo was taken, a watermark, or track changes. You can use tools like Document Inspector (which can remove metadata from Microsoft Office files) to remove much of this information. If you are redacting names or other information from a PDF by covering it with black bars, make sure you’ve actually permanently hidden the information. Export your file as a JPEG, then make it a PDF again, otherwise someone will be able to delete the redactions you made and see the information hidden under them. When hiding an image, doing it with a full black block will always be safer than blurring it.

Do not give original documents, or anything else, to another source while verifying your source’s allegations. You may trust your other contact, but you should not take the risk—many agencies and businesses have implemented “insider threat” programs to deter and detect perceived threats to information security. These programs encourage employees to report suspicious activity. Be careful even describing the information and how you obtained it to avoid putting your verifying source in a position of choosing between loyalty to you or loyalty to their employer.

​

Protect your communication with your coworkers about your source. At times, the government and corporate sectors have spied on advocacy organizations to monitor their work and to find their information sources. Locking sensitive files in a dedicated room, locking computers, using encrypted tools to discuss sensitive issues or the source are all important best practices to implement in the workplace. 

​
Install an app to remotely wipe your phone if it is lost or stolen by activating the Android Device Manager for Android devices and the Find My iPhone on iCloud.com for iOS devices.

​

Be careful about crossing international borders, particularly U.S. borders, with sensitive information on your phone and computer, including names and contacts.

Developing Trust With Whistleblowers

If the magic word in real estate is “location, location, location,” for journalist-whistleblower working relationships it is “trust, trust, trust.” Often whistleblowers are bewildered and scared not only by the risks they have assumed, but by an alien world of strangers, new contexts and new rules of which they are unfamiliar. This usually is an entirely new world for people who do not think of themselves as whistleblowers and have no experience navigating the world of news, politics or advocacy.

Below are some pointers for journalists to earn trust, rooted in Government Accountability Project’s experience: 

Partner with a lawyer to protect the source if you plan to go public with information. In addition to analyzing rights, risks and strategies to maximize effective and safe disclosure, a lawyer can help issue warnings to an employer of zero tolerance for retaliation. This can create a presumption of misconduct for any reprisal tactics and also potentially protect witnesses who might support the whistleblower’s claims.

​

Honor all commitments, from scheduling to substantive, or provide advance notice if they must be adjusted. 
  

​
Be clear about confidentiality from the beginning, including your commitment to maintaining it along with the true limits of your ability to guarantee it. 

Be clear about what protection you can provide, and what you cannot, to prevent later charges of betrayal. 

​
Make whistleblowers’ protection a visible priority so they feel the relationship is a two-way street, rather than being mere “evidence objects” who will be discarded when no longer needed. 

​

Provide a safe environment for interviews and communications.

Engage in active listening during interviews. Feeling heard is significant for whistleblowers to open up further. 

​
Engage in visible quality control. Even if there will not be an affidavit attesting to concerns, have the whistleblower read and confirm that the report of interview is accurate. They must agree that they said what you say they did. 

​

Enfranchise the whistleblowers in the larger context by asking their opinions and brainstorming with them. They may have more to offer than expected or previously realized. 

​
Network to expand the scope of witnesses once trust with the pioneer whistleblower has been established. Sometimes a community will form around support for the investigation, which means you will almost certainly crack the case.

​

Sustain the relationship. Following through can earn a steady stream of new issues and updated evidence or cultivate a source of expertise for help with verification of other investigations in the future.

Advise Whistleblowers on Best Practices

You can help your source mitigate risks by alerting them to a few basic best practices he or she should consider when deciding to blow the whistle:

Advise Whistleblowers on Best Practices

You can help your source mitigate risks by alerting them to a few basic best practices he or she should consider when deciding to blow the whistle:  

Before exposing themselves to risks, whistleblowers should talk to an experienced lawyer so as to make an informed choice about taking those risks. Also, if an employee drops out in the middle after realizing the price of dissent, wrongdoers will be better off by being able to cover up evidence and chill future employees from blowing the whistle. 

They should consult with their loved ones, who will be sharing the consequences of the whistleblowing to a significant degree, before taking the risk. If whistleblowers make the decision alone to take on the power structure, they may well end up alone.  Loss of family is far worse than loss of job, but this is pain that whistleblowers may inflict upon themselves. 

They should continue to work within their system as long as possible without incurring suspicion.  It can backfire badly for a whistleblower to make aggressive internal allegations from a lonely perch of isolation. By contrast, without making charges, whistleblowers can be the insider eyes and ears that allow NGOs to stay one step ahead of their adversaries. If whistleblowers raise issues internally in a non-threatening manner, they can learn and share with NGOs the advance previews for cover-ups.

They should create a contemporaneous paper trail or diary of everything that happens, including when they raised complaints and issues, and whether they faced any retaliation.​

They should keep evidence in a safe place. Authorities usually are not limited in access to the whistleblower’s workplace, but home storage of documents can also be risky, potentially subjecting a whistleblower to a pretextual but seemingly valid discipline and harassment such as expanded retaliatory investigations. Since agencies have subpoenaed, searched and ransacked homes, the best choice is to secure the evidence with the whistleblower’s attorney, where it is shielded by attorney-client privilege. 

Without giving themselves away, they should test the waters and organize support for themselves among their colleagues,  if possible. This is necessary for quality control. A second set of eyes can ensure the accuracy and legitimacy of the concern. Seeking support can also determine whether there is a sufficient solidarity base of supporting witnesses for the disclosure to have an impact. If the whistleblower is isolated, making allegations alone again could backfire by guaranteeing that those engaging in misconduct will weather the storm.

If there are legitimate liability concerns attached to blowing the whistle, coach them on how to secure and protect evidence without removing it. Tactics such as taking cell phone pictures on a personal (not work) phone can secure documents that otherwise would be destroyed. Whistleblowers can also reproduce memorized documents at home. 

Keeping an index of critical documents is another strategy, as is hiding incriminating documents and electronic records in a camouflaged (misnamed) file in their work computer so that they are not lost and can be shown to law enforcement later if an employer tries to destroy evidence. These strategies can help prove the whistleblower’s claims while limiting vulnerability to charges of theft of records. If there is uncertainty, do not keep records without a legal opinion confirming lawfulness. 

If maintaining anonymity is a priority, they should communicate with you through secure means, including using Signal, SecureDrop, or snail mail with no return address.

Your source should not contact you while they are at work. A whistleblower should not use work equipment either, including office phones, computers, or even paper. Otherwise, he or she can be fired for engaging in personal business with the employer’s time and resources.​

They should turn off location tracking in their phone before taking any pictures of documents, and strip any metadata from documents before sending them. NGOs are well-advised to maintain a relationship or retainer with professionals experienced in removing traceability. 

​

They should make sure several others possess the documents they provide to a reporter to minimize the disclosures being traced back to them immediately.

Contact Government Accountability Project

 We are the international leader in whistleblower protection and advocacy.

A non-partisan, 501(c)(3) non-profit organization, Government Accountability Project actively promotes government and corporate accountability by providing legal representation to whistleblowers and ensuring their disclosures make a difference. Our longstanding work with more than 8,000 whistleblowers has involved working for decades in the areas of public health, food safety, national security, human rights, immigration, energy and the environment, finance and banking, and international institutions, as well as expanding whistleblower protections domestically and internationally.

​

Reach out to us; it won’t kill the story. Because the risk of reprisal for whistleblowers is high and the legal landscape is complex, both journalists and sources would be well served to consult or coordinate with Government Accountability Project or other lawyers versed in whistleblower law before acting on information supplied by an employee source. Lawyers can be important resources, serving as useful partners in their understanding of the facts and implications of the issues while also maintaining your exclusivity and nurturing your relationship with the whistleblower.