David Huerta

Senior Digital Security Trainer


Photo by PetrVod. CC-BY-SA 4.0

At the close of 2019 in Wuhan, China, local doctor Li Wenliang began to notice an uptick in patients experiencing flu-like symptoms, many reportedly feeling ill after visiting the Huanan seafood market. Concerned about the possibility of a SARS-like outbreak, he shared his observations with his medical school alumni group on WeChat, a messaging app widely used in China, to discuss them privately with his colleagues. As his posts escaped the private group and were shared elsewhere, they quickly spread to other social media in China and caught the attention of the Wuhan police. The police unilaterally decided Li’s observations were rumor-mongering and forced him to renounce his claims, even though it turned out he was speaking the truth.

As Li’s “rumors” became widely recognized as an observation of reality, the consequences of delayed action on the facts Li discovered began to take their toll. Unfortunately, this included Li himself, who was exposed to COVID-19 while treating infected patients. Near the height of China’s COVID-19 infections in February, Li was vindicated by the Chinese Supreme People’s Court, which admitted “it might have been a fortunate thing if the public had believed the 'rumors' then and started to wear masks...” Li died from COVID-19 a few days later on February 7th.

The Wuhan Police Bureau’s treatment of Li Wenliang serves as a teachable moment — it demonstrates how institutions pledged to public safety can harm it by preventing the free expression of something true.

It’s also a lesson on what whistleblowers may need to consider when sharing their revelations with the public or the press.

The Wuhan Police Bureau’s capacity to surveil social media is not unique, even if their mandate differs from law enforcement in other countries. In the U.S., city police and other agencies have programs devoted to creating dossiers of people of interest attending protests, for example, corroborated with their social media presences.

Outside of China, spreading awareness of potential health hazards may not always be against the law, but speaking out may lead to a reprimand by your employer.

In the U.S. and elsewhere, many employers replicate many of the features of China’s internet surveillance apparatus within their own facilities’ computer networks. This means that while law enforcement might not have direct access to your online activities on your work devices, your employer generally will.

If you plan on bringing your story to the press, it would be best to avoid using any device owned by your employer if you’d rather they not be in the loop. Here’s why.

Your boss can see who you’re emailing

Medical staff in health care facilities typically have much of the same IT infrastructure one would expect in many offices, including work-issued email and other online work accounts and work-issued devices like mobile phones and laptops.

Image by Exchangepedia.

Employer-provisioned email accounts, just as with any email account, store copies of your email on an intermediate email server, which relays your email from your computer to its recipients. Typically, an email server will keep a copy of your sent, received, draft and even deleted emails so they can be viewed from other devices you use to access your email. This also means the administrator of that server has the technical capability of reading them too.

Your boss can see your activity on work accounts

Typically, work email accounts aren’t just used for email. They’re also used to log into work phones and laptops, and online collaboration tools such as Yammer, SharePoint, Teams and more. Usually, this means that your activity while logged in is, to some degree, recorded and viewable by administrators. How much is kept and for how long depends on what an administrator has set up and what retention periods are mandated by regulatory requirements. Because of this, your communications with your work account are viewable by any manager in your workplace with the authority to ask the administrator for them.

Photo by Microsoft.

Mobile apps your employer may ask you to install for things like gas mileage tracking or in-building location tracking may also record your physical location as you move through a hospital or make house calls with patients. There may be no harm in legitimate uses of location tracking in some cases, but these devices may pose a risk if you are meeting with a journalist and want to do so without your employer knowing where you are.

Talking to the press without the boss involved

Screenshot of iOS Supervised Device Permissions

Most media outlets and independent journalists will have a tips page with a few different options for reaching out to them, including email and more secure apps like Signal. However, because your employer owns your work devices, they can use IT tools to remotely monitor your activity and may have more visibility into those devices than you expect. Your employer’s Wi-Fi network and work-provisioned VPN may also track websites you visit while using them, and some tips pages may fall short on protecting your privacy from this situation.

Caveats all the way down

Some workplaces may have a “bring your own device” policy, and your personal smartphone might have, at some point, been configured by your employer’s IT department to be “managed” by your employer. If that’s the case, it’s worth double-checking what your employer can see, which can be found easily on iPhones and iPads. Android devices may have been provisioned with a “work” profile by your employer, which tracks activities done within that work profile, but is designed to stay out of personal Android profile activities on non-work-owned Android phones. However, some features, like remote wipe, can be initiated by an employer and affect the whole phone.

Third-party apps can track more of your activities than what’s available through employer-installed settings. Those apps may have more pervasive surveillance capabilities than what normal device provisioning allows. If you see any apps on your phone that were installed at the request of your employer, it may be worth checking the permissions for each of those apps and turning off what you can.

If your personal device is not being managed by your employer via managed device systems, and it’s free of third-party apps with too many permissions granted, that’s great news! Before dropping a scoop to your favorite media outlet, however, it helps to make sure your smartphone is up to speed on general smartphone security, which we have a primer on to get you started.

No single set of advice can guarantee your privacy, but you can err on the side of caution

Every situation for every whistleblower is different. While some whistleblowers may only need to worry about their job and could expect safety from their non-work devices, others may have bigger consequences or more invasive surveillance to consider. The best means of reaching out to the press may vary depending on who they work for and what, if any, protection they may get from the laws where they live.

For sensitive situations where it makes sense to assume broad online surveillance, we recommend reaching out to the media outlet of your choice with SecureDrop, a whistleblowing platform developed in part by us and used by media outlets worldwide. Using a device that was not issued to you by your employer and not connected to your employer’s Wi-Fi network, you can find media outlets using SecureDrop in its directory of instances, each of which will have instructions on how to securely reach out.
