At AIWI, we don’t just build tools to support you—we embed operational security and cybersecurity into everything we do.
That same robust commitment extends to helping you protect yourself and navigate the challenging environment a whistleblower must steer through.
We’ve carefully curated resources and best practices to help you improve your digital safety. This toolkit represents our commitment to sharing knowledge that keeps you secure during your disclosure journey.
We prioritize operational security (OpSec) as our preventative strategy because it provides the comprehensive framework for protection. It also encompasses all aspects of our operations.
We’ve organized practical checklists and proven best practices covering the most critical areas of digital security. Each section provides actionable steps you can take to improve your security posture.
This toolkit provides carefully curated best practices and resources, but security isn’t one-size-fits-all. Your operational security is only as strong as its weakest link, and no collection of tools can guarantee absolute safety and security.
Use this as your guide, not your guarantee. Please note: We do not request or encourage potential whistleblowers to act unlawfully.
Protecting yourself starts with understanding your threat model. From there, you’ll need to elevate your privacy and operational security across all parts of your life.
Think of every place you leave traces or exchange data—whether with the outside world or between your own devices.
Below, we’ve provided essential context to help you map your threat model, along with recommended reading and carefully curated resources to support your next steps.
Threat modelling is a systematic approach to gaining comprehensive understanding about potential risks to your operations. It helps you identify:
What could go wrong
Who might pose a threat
How they might act against you
When vulnerabilities might be exploited
What countermeasures you can implement
The goal is to look ahead and understand possible scenarios before executing your plans and operation, allowing you to implement efficient countermeasures and understand your risks.
Think of it as a proactive strategy to defuse threats rather than attempting damage control after the fact.
Every effective threat model addresses four fundamental questions:
What important assets do I have? (Assets)
Who might try to compromise them? (Threat Actors)
How could they compromise them? (Threats/Vulnerabilities)
What can I do to stop them or make it harder for them? (Countermeasures)
Another valuable approach to threat modeling is the STRIDE Framework, which categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.
For whistleblowers and security-conscious individuals, these translate to:
Spoofing: Someone impersonating you or a trusted contact
Tampering: Evidence being altered or destroyed; communications being intercepted and modified
Repudiation: Being unable to prove that you sent a message, or an adversary denying your actions
Information Disclosure: Confidential communications, identity, or evidence being exposed
Denial of Service: Getting locked out of accounts or communication channels
Elevation of Privileges: An adversary gaining unauthorized access to your accounts or devices
Understanding the relationship between different security disciplines is crucial for building a comprehensive protection strategy.
OpSec vs. CyberSec vs. InfoSec are intertwined, with each influencing and supporting the others. Cybersecurity and information security often overlap, and their methodologies are frequently applied within the realm of operational security. To help clarify these connections, this guide provides official definitions, source references, and an explanation of how these concepts interrelate.
OpSec is the process by which potential adversaries can be denied information about capabilities and intensions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities.
In practical terms, Operational Security encompasses the strategies and measures you apply to secure and identify important information, threats, risks, and weaknesses. By identifying and analyzing these elements, you can structure your operations to successfully defend against potential threat actors and achieve your goals—whether that’s maintaining personal security, preserving privacy or anonymity, or protecting sensitive assets and knowledge.
According to CISA, cybersecurity is “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
Cybersecurity plays a crucial role in OpSec, as most of our work and information sharing occurs through computing devices and digital networks.
Information Security involves “the protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Information Security is fundamental to OpSec because, depending on your operation, you need to safeguard information, prevent unauthorized disclosure, or strategically control information release.
Privacy and anonymity are overlapping concepts that can be combined in various ways. Often, you’ll face situations where you cannot achieve both fully and simultaneously. This is where threat modeling becomes essential—it enables you to make informed decisions about where compromises may be necessary.
Outstandingly well composed recommendations, articles, and a full knowledge database about securing your privacy. If you want to deep-dive, this is the right place to do so. Compared to the digital-defense guide, expect less hand-holding, no checklists, but comprehensive, highly detailed, and up to date articles provided by a strong community. A volunteer driven non-profit that we recommend anyone (whistleblower or not) to get familiar with.
If you are looking for a general purpose digital defense checklist that you can work through step-by-step, then this is your go-to.
The Electronic Frontier Foundation fights for digital privacy, free speech, and innovation. They are a household name in the industry and a great resource. The Surveillance/Self-defense guide is a great starting point for any concerned individual.
The Security section bundles concise, expert-written playbooks on both information and physical security for tech employees – especially anyone considering or engaged in whistleblowing. It walks you through practical digital-self-defense against employer surveillance, and offers a stepwise escalation plan for handling personal threats, so you can protect your data, privacy and physical safety while acting responsibly.
Privacy protection is fundamental to securing your identity, your sources (if applicable), and any information you intend to disclose. The following five rules represent essential practices that deliver significant privacy improvements with relatively low effort.
Every online interaction creates data points about your identity, relationships, and behavior patterns. Adversaries can aggregate these seemingly harmless details to build comprehensive profiles for identification or targeting purposes.
Review all social media accounts and shut down every account you don’t absolutely need
Delete old accounts and unused applications. These can become security liabilities containing your personal data and are frequently targeted in breach attempts that enable impersonation and social engineering attacks
Configure privacy settings across all online platforms to restrict data sharing to the minimum required for functionality
Disable location sharing features on social media platforms and mobile applications
Review photo metadata settings to prevent automatic location tagging
Utilize pseudonyms or anonymous accounts for sensitive online activities to create separation from your real identity
Pursue opt-out procedures with data brokers and public record services to reduce the availability of personal information in searchable databases
Data brokers continuously collect and sell personal information. Regular removal requests significantly reduce your digital footprint and limit unauthorized access to your data.
Opt-Out Tools & Services:
For general-purpose opt-out tools and service providers (including both free and paid options), refer to the Privacy Guides’ section on data broker removals.
A word of caution:
When using data removal platforms, you will inevitably have to provide your personal information to the services that will attempt to remove them from broker lists. If you aren’t already on those lists, this is an unnecessary risk, since one more party now holds onto your data. It’s generally recommended to use broker/data removal services when you are already experiencing a flood of phishing attacks, scam, and advertisement calls/annoyances.
Temporary email addresses protect your primary accounts from spam and prevent tracking across services. Never use them for sensitive communications or accounts requiring long-term access.
Usage Guidelines:
Reducing your digital footprint shrinks the attack surface for adversaries using open-source intelligence (OSINT) or exploiting data breaches. This defensive measure makes it significantly harder to link your online personas or track your activities across platforms.
The data points you share across platforms create a comprehensive vulnerability profile. Location metadata from photos, social media check-ins, and background app tracking build detailed maps of your movements and habits. When adversaries attempt to identify you, this aggregated information provides crucial leads and corroborating evidence. Consciously limiting what you share and removing old data reduces the raw material available for such analysis. This approach denies threat actors the comprehensive dataset they need to build accurate profiles or establish reliable connections between your activities.
Account compromise typically begins with weak or reused passwords. Adding two-factor authentication (2FA) creates a second barrier that stops unauthorized access even when passwords are stolen.
Create unique passphrases for every account. Password managers generate and store complex credentials automatically. Strong passphrases combine random words rather than predictable patterns.
Enable 2FA on critical accounts first. Protect email, financial services, social media accounts, and other services you may use for whistleblowing activities. Use authenticator apps (TOTP) or hardware security keys over SMS-based 2FA where possible.
Secure your 2FA backup codes offline. Store 2FA recovery codes in a safe location separate from your devices. These codes restore access if your primary authentication method fails.
Choose a reputable password manager. This tool manages password complexity without requiring you to memorize dozens of unique credentials.
Using a password manager significantly reduces your risk of account takeover from threats like credential stuffing, password guessing, and phishing attacks. It protects the sensitive information stored in your online accounts.
A major vulnerability for many users is relying on a single, often weak, password across multiple services. If that password is exposed in a data breach, every account using it is at risk. A password manager solves this by automatically generating and storing strong, unique passwords for each service by eliminating the need for you to remember them all.
However, this convenience comes with a trade-off: the password manager itself becomes a high-value target. That’s why it’s crucial to secure it properly. Your master passphrase must be both extremely strong and memorable. In addition, the password manager account should be protected with the most secure form of two-factor authentication (2FA) available.
Hardware security keys offer the highest level of 2FA protection. Unlike SMS codes or authenticator apps, hardware keys are resistant to phishing and malware, making them the most robust defence against unauthorized access.
Depending on their threat model, individuals might have to consider creating strong passwords manually instead and storing them in a safe physical location – rather than on the cloud. EFF’s Dice-Generated Passphrases is a suitable method for this.
Encryption renders your data unreadable without the correct key (your password or passphrase). If your device is lost, stolen, or seized, full-disk encryption (FDE) protects the data stored on it. Encrypting your specific files or communications adds another layer of protection.
Full-disk encryption (FDE) protects your data at rest (when your device is powered off) against unauthorized physical access. If your device is lost or stolen, encryption keeps your data confidential.
FDE should be considered a non-negotiable baseline for security. Fortunately, most modern operating systems make it straightforward to enable.
However, it’s important to recognize the limits of FDE:
It does not protect data on a device that is already powered on and unlocked.
Therefore, using a strong password or PIN and enabling auto-lock features is equally critical.
Finally, don’t forget your backups, especially those stored off-site or in the cloud. Backups must be encrypted as well. An unencrypted backup can be just as dangerous as an unsecured device, particularly if it contains sensitive communications or evidence.
Every file you create (photos, documents, PDFs, videos) contains metadata: embedded information such as your name, device type, location, and timestamps. This data isn’t visible in the file itself but can be easily extracted. If left intact, it can expose your identity, location, or habits without your knowledge.
Assume metadata is present. Nearly all digital files include it.
Remove metadata from all shared files before sharing them, especially evident: Use metadata removal tools or built-in OS features.
Disable location tagging on your smartphone camera.
Be mindful when photographing documents. Avoid including reflections, identifying items, or background details that could reveal your identity.
Metadata clean up and sanitization prevent accidental exposure of identifying information embedded within your files. This practice protects your anonymity and maintains the confidentiality of your activities.
Digital files carry two types of signatures that can identify you. The content itself, the “facts are their signature,” can point to you through context and details. Metadata adds a technical signature, revealing the “who, when, where, and how” of file creation.
Specific examples include:
EXIF data in photos containing GPS coordinates of capture location
Camera model and serial number identification
Document properties listing author names and creation software
Timestamps establishing patterns of your digital activity
When you submit a document with your name in the author field, or share a photo with GPS data pointing to your location, your anonymity is immediately compromised. Removing this metadata creates an essential security barrier before sharing any evidence or sensitive files.
Your browsing activity creates a digital fingerprint. Standard web browsers and search engines continuously track your online behavior, building detailed profiles that include your interests, research patterns, and digital habits. This tracking data can identify you and compromise your protection as a whistleblower.
Websites and advertisers deploy multiple tracking techniques across the internet. These include cookies, browser fingerprinting, and embedded tracking scripts that monitor your every move. Browser fingerprinting presents a particular threat because it collects specific details about your browser configuration—fonts, plugins, user agent strings—to create a unique digital signature. This identifier persists even when you disable cookies.
The risk: Adversaries can use this tracking data to build comprehensive profiles of your activities and potentially link them to your disclosure activities.
Primary recommendation: Firefox with enhanced privacy configuration provides strong foundational protection. Configure it following established privacy guidelines to maximize security.
Alternative options:
Avoid: Chrome and Edge maintain extensive tracking mechanisms that compromise your privacy.
Your browser requires specific security configurations to protect your activity:
Recommended privacy-respecting alternatives:
Security principle: These alternatives claim not to track your searches, preventing the creation of search-based behavioral profiles.
Install these critical security tools:
Note: LibreWolf includes these protections by default. Mullvad Browser incorporates similar protections in its base configuration.
For high-sensitivity critical research activities, consider Tor Browser. This provides additional anonymity layers through encrypted routing networks.
Ephemeral environments offer maximum protection for sensitive work:
Hardware support: Contact us for assistance with secure hardware provisioning if needed.
Implementing these practices delivers multiple security benefits:
Reduces tracking exposure: Minimizes data collection about your browsing patterns
Prevents profile building: Makes it significantly harder for adversaries to construct behavioral profiles
Breaks activity correlation: Disrupts attempts to link your research to whistleblowing activities
Websites and advertisers use a variety of methods to track you online, including cookies, browser fingerprinting, and tracking scripts embedded in web pages. Browser fingerprinting, for example, gathers detailed information about your browser (such as installed fonts, plugins, and user agent) to create a unique identifier, even if cookies are disabled.
Privacy-focused browsers and extensions are designed to block these tracking methods and reduce how unique your browser appears. One example is Mullvad Browser, which aims to make all users look the same, creating a uniform digital identity that helps you blend in. This kind of anonymity is especially valuable if you’re researching sensitive topics related to your disclosure.
Operational Security (OpSec) is the contextual process of identifying critical information, analyzing potential threats, assessing vulnerabilities, and implementing measures to protect that information and associated activities. As a whistleblower, OpSec safeguards your communications, evidence, and disclosure methods you use.
Your whistleblowing communications with journalists, legal counsel, or oversight bodies are primary surveillance targets. Protecting the information and these channels preserves both your identity and the disclosure’s integrity.
Signal is a widely recommended option for your E2EE calls and messages
After connecting on Signal, tap on your contact’s name and select “Verify Safety Number”. This ensures you’re talking to the right person — not an imposter or a man-in-the-middle intercepting your messages.
Even with E2EE, some information (like who you contacted, how often, and when) can still be visible via:
Always assume metadata is not private.
Treat all accounts as if they are ephemeral and ready to be burned at any time. Whether due to a compromise or because a provider may comply with a cease and desist order.
Always operate under a zero trust policy.
This includes:
For high anonymity:
For maximum anonymity:
Need help? We provide preconfigured devices for individuals in need.
Additionally: Exchange a PGP key with your partner, encrypt your messages, and share only the encrypted content as a payload across all communication channels.
Secure your conversations from interception. When paired with anonymous setup, this also helps safeguard your identity. Choosing the right communication tool depends on two things:
The sensitivity of your information
Your personal threat model
SMS and standard email may be convenient, but they’re insecure and easily intercepted.
Tools with end-to-end encryption (E2EE) ensure that only you and your intended recipient can read the message and no one else.
Important: End-to-end encryption alone isn’t enough.
To stay truly secure, you also need to verify your contact’s identity, especially when initiating communication. For example, apps like Signal allow you to check safety numbers to confirm you’re speaking to the right person, not a man-in-the-middle impersonating them or intercepting your messages.
Even with E2EE, service providers can still collect metadata, like who you’re talking to and when.
Solution: For stronger privacy, use these tools over Tor to help obscure metadata and prevent network-level tracking.
When you are researching sensitive topics related to your disclosure, or when you are submitting information anonymously, it’s crucial for you to hide your IP address and browsing activity from your ISP, employer, and the websites you visit. Tor Browser is designed for this.
Use one of the following privacy-focused systems for your research:
Get Tor Browser only from the official website on your available device: https://www.torproject.org
When conducting sensitive online research related to your whistleblowing, always use Tor Browser to protect your anonymity.
Files downloaded through Tor (especially PDFs or Word docs), might make external network connections. To stay safe:
While Tor hides your IP from websites, your ISP can see you’re using Tor (unless you’re using a Tor bridge). If this is a concern:
Move into proximity of a location with a public wi-fi, such as near a café (e.g., Starbucks)
Do not enter the location to avoid their CCTV recording your presence, and use the public wi-fi
Makes it significantly harder for your online research or anonymous submissions to be traced back to your real IP address and identity.
Tor Browser makes it much harder for your online activity, like research or anonymous submissions to be traced back to your real IP address or identity.
Tor routes your internet traffic through a global network of volunteer-operated relays. At each step, your data is encrypted, so no single relay knows both who you are and what you’re doing. This layered approach makes tracking your activity extremely difficult.
Tor greatly enhances your privacy, but it’s not a magic shield. How you use it matters.
Don’t log into personal accounts like Gmail while using Tor. Doing so reveals your identity to those services.
Avoid downloading and opening suspicious files. A malicious file could compromise your device and undo Tor’s protections.
Use the “Safest” security setting for maximum protection. It disables many web features like JavaScript, which can break some websites but significantly reduces the attack surface for sophisticated exploits.
The evidence you gather is critical. You must protect it from tampering, unauthorized access, or destruction. Equally important, your process of acquiring and storing evidence must not inadvertently lead back to you.
Act before suspicion to your whistleblowing activities arises. Once your intentions are detected, access could be revoked or materials destroyed.
Encrypt everything. Use tools like VeraCrypt, encrypted USB drives, or if absolutely necessary, encrypted cloud storage only if you’ve configured it securely yourself.
Store physical documents in a safe, discreet place.
Consider hardware-encrypted USBs (e.g., Aegis Secure Key) for high security.
Especially unclassified documents.
Before sharing any digital file, remove identifying metadata (timestamps, author info, location data, etc.).
Use burner phones, clean laptops, or similar tools exclusively for handling and transmitting highly sensitive evidence.
Never use work-issued or personal devices tied to your identity. (Refer back to Rule 2: Use Secure Browsing for Your Anonymous Research and Submissions for more on this.)
If your evidence involves classified data, you must only disclose it via authorized, secure channels to designated recipients.
Mishandling classified information could result in severe legal consequences.
Protects the integrity and confidentiality of your evidence and minimizes the risk of the evidence being traced back to you through careless handling or digital forensics.
The act of you acquiring or copying evidence is often a high-risk phase. Common actions like accessing files on a work network, copying to a USB drive, or printing documents can all leave behind digital logs that your employer might scrutinize during an investigation, such as:
File access logs
Printer history
USB connection records
Using your personal phone to photograph documents might seem safer. It avoids work system logs, but there is a risk you should be aware of. If your phone is later compromised, or if you forget to remove photo metadata, it can still link the evidence back to you.
That’s why planning your method of evidence collection is critical to minimize these traces, considering the surveillance capabilities of the organization. The concept of “plausible deniability” applies. If the evidence you gathered cannot be irrefutably tied to you through digital fingerprints or other means, it provides a crucial layer of protection, even if suspicion falls on you. This ties back to the idea that “facts are their signature”; if your handling of those facts also leaves a traceable signature, your deniability is significantly weakened.
Whether you’re looking to connect safely with journalists, support organizations, or need expert opinions on your security posture — we’re here to help.
Your security is our priority — we’re here to support you every step of your journey.
