Whistleblowers first contact

What is this Interview Script for?

It is a 60 minutes Interview to provide you with basic understanding of how whistleblowers first contact relate to technology. It may also be an opportunity for further dialogue with them. These can then be used to carry out further, more focused research.

Essential parts of the interview are:

Introduction (to explain to the participant who you are, why you are talking to them)
Get consent (to establish trust with the participant)
About the participant (to learn about the participant, and their organisation)
About the tools, and Usage of the tools (to learn about their uderstanding)
Security concepts (to find what people know (e.g. if someone uses encrypted email... we cannot assume they know what a public key is, if they use protonmail for instance) and get a glimpse of the mental model people have for a given concept).
Conclusion questions

Tools needed

way to take notes (paper, or laptop)
audio recorder (optional)

Interview script

Introduction

Hello there, my name is [interviewer]. I am a volunteer helping non-profit improve how they use technology to assist whistleblowers, this is the focus of the Enough project. Thank you for agreeing to speak with me. I'd like to speak to you about the tools you use when you communicate with whistleblowers.

Get consent for recording the audio of the session

I would like to ask you for your permission to record our discussion today. Recording allows me to focus my attention on you. I will use this recording to make notes of our discussion today. Once I've made the notes, I will delete the recording.

May I record our discussion?

Get consent for questions and sharing notes

You can answer my questions to the extent that you feel comfortable. You're free to choose not to answer a question, or to stop the interview at any moment. OK?

We want to keep information from interiews available for the Enough UX team members. With all our interview we can remove personally identifiable information, like names, organisations, countries. We will send you the notes for review and wait for your approval to share them. It would be perfectly ok for you to decide at that time that you don't want them shared with anyone after all.

Do you have any questions before we begin?

About the participant

Can you tell me your occupation?
- Alternative: or what do you spend your time doing most?
Could you describe what your organization does, in generic terms?
When you have a technical problem, how do you get help?
- How often do you need help?
- How long does it take to fix a problem?
- What is most difficult when facing a technical problem?
Does your organization provide you with equipement?
Do you feel documents and communications are adequately protected?
- What is the most important aspect of this protection?
- What is the most important weakness of this protection?
Could you describe the security policy of the organization?
- Did you participate in defining this policy?
- Do you fully understand all aspects of the security policy?
Do you sometime find yourself unable to comply with the security policy?
- When working with people within the organization
- When communicating with people outside of the organization
- What prevented you from complying?
What do you do when a service or software misbehaves and you don't know why?
- Have you looked at the threat model of your organization?
- Do you participate in the making of the threat model of your organization?
Could you explain how your first contact with whistleblowers happen, step by step?
Is this your only activity in the organization?
How long have you been working for this organization?
How long will you be involved?
When you are not the first contact, how do you get information?
How did you select the organization?
Did you know what you would be working on
What kind of training did you get regarding the contact with whistleblowers?
- Psychological
- Technical
- Legal
When you're not working directly with a whistleblower what are your other activities?

About your vision of whistleblowing ?

Could you define in your own words what whistleblowing is?
How did whistleblowing develop in the past 50 years?
Where do you see whistleblowing in the next decade?

First contact simulation

Situation 1

I send an email with a Signal phone number 12345, from foobar@protonmail.com
I need a letter from your organization stating I have rights because I'm a whistleblower and the law protects me
How can I send you the documents ?
How is my anonymity protected ?

Situation 2

I send an email with my mobile number, from first.last@name.com
I need legal assistance, my company, a defense contractor obtained a contract bribing a government official. I'm being followed
I don't have Signal, nor Whatsapp, technology is not my thing

About your practices

Can you describe, from memory, the tools involved in the first contact?
Can you describe, from memory, the process to get documents?
How do you establish the most secure communication protocol with a whistleblower?
How long does it take for the whistleblower to upload their first document?
How do you proceed when a whistleblower requires anonymity?
How do you proceed to ensure the contact is secure?
What if a whistleblower requires a very high level of confidentiality?
What is, in your own words, RGPD? What are the obligation and benefits for your organization?
How much time do you spend learning about security or dealing with security?
What tools do you use when discussing a case within the organization?
How often do you make exceptions and use your own devices instead of those of the organization?
What would it take for you to never make an exception and comply 100% with the security guidelines?
How do you verify the completness of the information in a case?
What do the documented procedures cover?
How often did you review the procedures in place?
How ofter did you modify the procedures in place?
How many simulations did you run to learn the procedures? How long did it take?
What are the three most important things that hindered your work?
- technical tools
- methods
- lack of (hardware, expertise, guidance, ...)
If you had time, what would you change in how you do your work?

About the tools

About your work environement:

What is Free Software?
- How does it benefit your organization to use Free Software
What is a technical intermediary? (reformulation)
What is a VPN good for?
Can you tell me what tools you use when you communicate with your whistleblowers?
- Further prompt if necessary: Describe what is does/what does it allow you to do?

Concept quizz

Could you explain, in your own words, the following concepts. When the interviewee knows the concept, ask for a tool that implements the concept and ask them to explain how it can help protect privacy and/or security. Pick at most five concepts and stop after two concepts are cannot be explained. For those unexplained concepts, give a very short explanation of what it is:
- Brute force attack
- Encrypted e-mail
- Internet blocking or censorship
- An encryption key
  - A public key
  - A private key
  - A key fingerprint
- Cloud
  - Shared hosting vs dedicated hosting
  - Hosted physical machine
  - Virtual machine
  - Self-hosted
- Backup and restore
- Tor
  - Tor browser
  - A .onion URL
  - HTTPS in Tor
- 2FA
  - TOTP and HOTP
- An encrypted disk versus a locked session
- Metadata
  - file metadata
  - mobile device metadata
  - computers metadata
  - cleaning metadata on files
- E2E
- passphrase vs password
- passphrase strength
- Live system, tails
- Airgap machine
- If someone steals the disk from your computer (not the whole computer), can they read your files without your password?
- A whistleblower communication system
- how is a USB storage key different from an SSD or a hard drive
- A cryptographic signature
- A checksum
  - Checksum collision attack
- A threat model
  - An adversary in the context of a thread model
- HTTP
  - HTTPS compare HTTP
  - A referer in the context of visiting a web site
  - The logs of a website
  - The logs of a service en ligne
- Intrusion Detection System
- GSM
- GSM antenna
- Security update for an operating system
- Device/machine compromission
- Malware/virus
- Man in the middle
- Fingerprinting of a Tor Browser
  - JavaScript
  - JavaScript virtual machine
  - What happens when a web page displays an advertisement? Where does the ad comes from? How is it chosen?
- Online service fingerprinting
- Internet filtering
- What is a third party? And why it matters for security.
- Which third party do you need to trust when using:
  - Signal?
  - Tor?
  - HTTPS?
  - Encrypted Email?
  - Facebook?
  - Twitter?
  - Mastodon?
  - OTR?
- Safely erasing a file or a disk
- Perfect Forward Secrecy
- Encryption strength

Communication tools

Definition & examples

Mail
Mailing list
Audio and visio-conférence
Instant messenging
MOOCs
Polling
Agenda
Contact
CRM
CMS
URL shortener
Password management
Software forge
Collaborative writing
Collaborative spreadsheet
Collaborative presentation
Whiteboard
Kanban
Form
Mindmap
Project management
File storage and sharing
Temporary file sharing
Temporary image sharing
Web site hosting
Video distribution
Social network

Learning tools

Tell me about how you started to use these tools.
- Further prompt if necessary: why did you start using it?
- Who helped you get started?
When was the last time you used them? Tell me about that time, describe what you did.
- Further prompt if necessary: what were you trying to do?
Do you work with other journalists who use the same tools?
If you have questions about the tools, who answers them?
- Do you help anyone with their tools?

Usability

Imagine you have a magic wand. You can use it to change anything in one tool you use. What would that be?
- Why do you want to change that?
Is there anything that works well with these tools?
- Further prompt if necessary: tell me about that.

Conclusive remarks

What is the most costly (time, money, efforts, etc) part of answering whistleblower?
Which ways of funding are feasible and appropriate to improve call centers?

Finishing

Thanks very much [NAME/ALIAS] for your time and patience. As a little thank you, I'd like to give you this sticker.

Would it be OK if I asked you for an email address so I can contact you about welcoming whistleblowers?

If you'd like to use PGP encrypted email I will send you my PGP key.

Is there anybody you know who uses tools to communicate with their sources? Would it be OK to introduce me to them so we can talk?

Thanks again.