Infosec masters capstone ideas: supporting the closeted whistleblower

I’m a long way from having to choose a capstone but I want it to be meaningful. Focusing on an end goal is ideal so I can actively apply the concepts of my coursework to my capstone. Since learning about global surveillance systems (thank you Edward Snowden), I’ve been impassioned about learning about these systems and teaching people about them. Abused populations like journalists and whistleblowers are the groups that I identify with the most because of their importance for a democratic society.

Tor and Tor hidden services, in general, are intriguing, and there is a lot of existing academic work on them. However, there are four equally interesting software projects that are dependent on Tor’s success. We have Ricochet, an instant messaging client and soon to be file sharing client. There’s OnionShare, a file sharing client. There’s Pond, an email-like messaging client. Add there’s SecureDrop, a fire sharing and email-like messaging system.

Simply put, anonymity tools are required for information and metadata control; be it maximal deniability or maximal influence, whistleblowers need to control what is and is not exposed. Journalists are a tool of whistleblowers, not the other way around.

I am not a software developer or a cryptographer. I never want to be because my brain is not developed for those types of information manipulation. However, educators (technology trainers), which I have been valued for since I started using and understanding general purpose computers, are an important part of the information security ecosystem. As a surveillance self defense instructor for Seattle Privacy Coalition, it is clear that educators are a required part of trusted crypto tool adoption.

There is a societal need for people that understand information infrastructures, the operations of journalists, the threats of surveillance, crypto and software specialists, and how to boil all of that down into consumable information for the lay person. Not to mention be a valuable feedback loop for crypto and software developers.


Nothing in information security can ever be perfect because information security tools are always targeted at specific problems. Problems will always shift. Crypto and software developers need to solve many unique problems, and sources and journalists need to solve many unique problems. How do they work together?

As it stands, the problem that I want to tackle is helping bridge the gap between sources and journalists. Edward Snowden was largely successful as a whistleblower because his skill set is technical in nature. Knowledge of various systems allowed him to reap maximal control, albeit he was not alone. Snowden had a native advantage in the process of whistleblowing. Most people that are exposed to information presumed to have public interest are not technical and therefore do not have a native advantage. To leak something to a reporter they respect requires comfortability with their own crypto tool knowledge, if any, and they have to commit to a journalist they think they can trust. Closeted whistleblowers are not going to pick a journalist just because they publish a PGP key or because their organization hosts a SecureDrop site.

The “closeted” whistleblower

‘Closeted’ and ‘in the closet’ are adjectives for lesbian, gay, bisexual, transgender etc. (LGBT) people who have not disclosed their sexual orientation or gender identity and aspects thereof, including sexual identity and sexual behavior.

This is applicable to a person who is conscious of organized wrong-doing, has information or access to information that is presumed to be in the public interest, and needs to leak said material to a publication organization.

The solution then must be education and awareness. Something structured yet easily adaptive. Should we develop source curriculum?

Semantic information–be it verbal or written, without hands-on workshops–probably transitions best into tacit knowledge if it is formed into scenarios. Source curriculum must avoid explicit information (regurgitation) wherever possible.


Can whistleblower threat modeling training be accomplished without in-person education?

SecureDrop landing pages are very specific. They do not offer hypotheticals, they focus purely on the “best” way to use a specific system. Is that enough to help turn a closeted whistleblower into a whistleblower?

Does SecureDrop support all forms of direct-to-journalist whistleblowing? If not, what’s missing?

Can web-based curriculum be designed well enough to turn computer users into secure whistleblowers?

Trust is always a required foundation in security. How do we teach “how to trust”?

I’ll think of more and better questions.