Some of the most important breakthroughs we’ve had at SumOfUs in stopping corporate abuse have come from tip-offs from inside those companies.
Right now, employees of some of the world’s most powerful tech companies are speaking out with concerns about how these companies operate and the consequences for democracy and social justice. We are actively seeking employee tip-offs from within the industry. If you work in tech and have something sensitive to share with us, here’s how to get in touch securely.
If you are able, the safest way to contact us initially is via Signal (text or call) on +1 415 960 7920 using a phone that is not connected to your employer.
We treat all tip-offs with utmost confidentiality.
You can also send us information via email or post if you prefer - confidentially and/or anonymously.
Anything you share with us is encrypted and no third party (ie. an employer or Government) can intercept it. However, certain identifiers (for instance your phone number) may be viewable even though the content of your message will not.
Same level of encryption as confidential, however your name will not be shared with SumOfUs.
Initially, you just want to speak with someone.
You have files that you would like to send to the SumOfUs electronically.
You have paper, disks or other physical media that you want to give us.
Use a tailor-made email account with PGP encryption to protect your messages and attachments against prying eyes. Unlike regular email, PGP encrypted email cannot be intercepted by your employer, Government or any third party.
● Encrypted emails and documents are protected by both encryption keys and passwords. The bad guys would need to know both to read your stuff.
● You can send long messages and attachments, which is difficult using phone apps.
● It’s easy to communicate directly with a specific SumOfUs staff member.
● PGP requires a bit of technical know-how to set up.
● If you lose your keys or forget your password, you won’t be able to read your own communication.
If you plan to write an email to a SumOfUs staff about a sensitive matter, look into PGP encryption. Used properly, PGP should make a message or document unreadable to anyone except the person who sent it and the person for whom it was encrypted. You will use a public key that belongs to the person you are writing to, but is freely available on the internet. This key turns your message into an unreadable jumble. Your recipient – and no one else – has a corresponding private key which can unlock messages that were encrypted by their public key.
Don’t use your regular email address. Create a new email account solely for corresponding with the SumOfUs. Do it on a computer that isn’t being monitored, and make sure the sign-up information you provide doesn’t tie the account back to you.
If you’re using a browser-based service such as Gmail, Yahoo! Mail or GMX webmail, look into Mailvelope for encrypting messages in your browser. Two popular applications for encrypting text and documents, which you can then paste or attach to emails, are Gpg4win for Windows and GPGSuite for Mac.
Once you have installed one of these tools you can use it to create your own PGP keys. Keep your private key and password safe and don’t store the two together.
You should encrypt your messages and attachments using both your public key and that of the person you are writing to. All being well, this means that only you and the SumOfUs staff on the other end will be able to decrypt them. These are SumOfUs' PGP keys:
Fingerprint: 7C12 H40F 54C9 0A78 64D6 BDBB D957 3E25 94EF
Email: secure-hello[@]sumofus.org
Information carried with an email message can reveal your IP address. If you don’t want the location you’ll send from to be traceable, connect to your email service over the Tor network.
Email your encrypted material to us, along with a copy of your public key so we can reply to you also under encryption. Don’t encrypt the public key itself.
Remember to log out after sending the message. You may also wish to delete the history of the correspondence from your browser or email software. Keep your computer secure.
Secure messaging apps are the easiest way to start a confidential dialogue with a SumOfUs staff member.
● Apps such as Signal and Threema are encrypted in transit and on the providers’ servers, so only the sender and recipient can read them.
● Once you have set them up, they’re as easy to use as regular text messaging.
● All phone communication involves the phone disclosing its identity and location, so mobile apps aren’t great for anonymity.
● Mobile apps often rely on the phone’s own security to protect messages stored on the phone. So if someone gets your phone and manages to unlock it, they’ll be able to read undeleted messages.
● Long messages and attachments are tricky.
Secure messaging apps are easy to use and the staff is likely to see your message very quickly. They can be useful as a way to discuss what might be the best strategy for ongoing communication. But you should avoid them if you wish to remain completely anonymous or don’t want anyone to know you’re speaking to the SumOfUs.
Decide whether you want to do this on your normal phone or if you want to buy a less easily traceable phone for this purpose. Then install an app such as Signal (which has excellent security but requires you to disclose your phone number) or Threema. If the app has a disappearing messages feature, consider activating it so your messages automatically delete after a predetermined time. Before you use the app for anything serious, familiarise yourself with it by sending innocuous test messages to someone.
Add the SumOfUs investigations teams’ Signal account to your phone contacts:
● US: +1 415 960 7920
You will then be able to message those accounts using Signal.
Please don’t phone or send ordinary text messages to those numbers. You won’t get a reply.
Although telephone communication is far from secure, it can be a practical way to get a conversation started and to exchange secure messaging identities.
● Requires no technical prowess.
● Useful to initiate communication with a staff to exchange contact information for more secure channels.
● Telephone communication is easily hackable and can reveal your identity and/or location.
● It’s not always easy to verify that the person you’re speaking to is who they say they are.
Before you get in touch, find the name of the staff you want to speak to, and decide in advance exactly how much you want to tell us about who you are and how we can get back to you. The staff you want may not be available when you call, so you may have to leave a message. Be prepared for that.
If you will need to share documents with us later, look at some of the other options in this guide before calling so you can tell the staff how you’d prefer to do that.
Consider whether or not it is safe to call us from your work or home phone, or from any mobile phone that is associated with you. If you buy a pay-as-you-go sim card to call us from a new number, think carefully about where and when you buy it, and how you pay for it. And remember that mobile phone calls disclose the handset ID as well as the sim card.
Call us on one of these numbers:
● London office: +44 (0)20 3353 2000
● New York office: +1 212 231 7762
Post still has its uses, especially if you want to send us hard copies.
● If appropriate measures are taken, conventional mail can be a reasonably good way to hide who you are.
● If you don’t want to meet a staff member in person, it’s the only reliable way to hand over physical objects.
● It’s slow.
● Post can get hijacked or at least scanned in transit.
● Post can get lost.
If you’re not actually being followed it’s fairly unlikely that an envelope or small package will get intercepted.
Stuff can go missing in the post, so consider how bad it would be to lose the material you’re planning to send us. Can you make copies?
Think about whether or not you need to preserve your anonymity. Could the posting location give you up? How about the materials and packaging? If you’re very worried about the package being traced back to you, post it somewhere busy and make sure there is nothing memorable about your or the package’s appearance.
Mail is scanned for dangerous compounds and objects. Don’t include anything that could cause problems with delivery. International mail needs a customs declaration, and registered mail requires you to provide sender details.
SumOfUs US postal address
The SumOfUs
PO Box 1128
New York
NY 10156
USA