Warning to Spanish (and Other) Whistleblowers: Anonymous Boxes which ARE NOT ANONYMOUS

url: proliferacion-buzones-anonimos-no-lo-son

Citizens’ victories in the struggle against corruption, sometimes requiring information to be provided through safe anonymous channels like Xnet’s Mailbox for reporting corruption, have catalysed a proliferation of similar initiatives within governments and institutions.

However, whether out of ignorance or demagoguery, some of these mailboxes are being launched without complying with even the basic requirements for guaranteeing the protection of whistleblowers and their anonymity. No mailbox for reporting corruption can promise anonymity unless it involves the use of tools like Tor and Globaleaks, which make it possible to anonymize the whistleblower’s IP address. Why? Because discovering a person’s identity on the basis of an IP address is child’s play. Neither should “anonymized” be confused with “anonymous”. An anonymized mailbox only promises that, once the complaint is made, it will delete data that might indicate the identity of the whistleblower, but not that the complaint itself will be anonymous. This requires an act of faith on the part of the whistleblower, who is expected to trust the person or people running the mailbox. This is unacceptable.

At present, the only institutional mailbox in Spain which permits anonymity in user→institution communication is the ethical Anti-Corruption Complaint Box which was set up by Xnet. Any proposal that does not meet these standards must be regarded as not secure and, worse, it could even be a trap intentionally set to catch whistleblowers.

Here are some examples in this proliferation of non-anonymous mailboxes which claim to be anonymous:

+ Mailbox to Combat Employment Fraud – Ministry of Employment and Social Security

At the launch of the Mailbox to Combat Employment Fraud, the Ministry for Employment and Social Security claimed to the media that the mailbox is anonymous, and this was duly reported in all the press.

However, this mailbox is by no means anonymous:

+ Complaints Box – Union of Public Employees of the Region of Valencia.

+ Ethical Box – FERROVIAL

+ Self-Diagnosis Security Tool – Spanish National Cybersecurity Institute (INCIBE)

This tool recently promised, as shown in the screenshot and at archive.org: Note on privacy: this tool is totally anonymous. The tool was clearly not anonymous because the IP of the person using it was exposed. Such carelessness is alarming given that we’re talking about the Cybersecurity Institute.

The page has now been removed from the INCIBE website.

+ Anonymous Mailbox – General Workers Union (UGT) Catalonia

+ App for mobiles to work with us anonymously – Guardia Civil

+ Anonymous Mailbox – Catalan Civil Society

And there are many cases more like these.