Taking Anonymous Online Whistleblowing Global

Learn about recent developments made by the team at secure submission platform GlobaLeaks
Thu, 2019-12-19 16:11

Whistleblowing represents a vital check on human rights abuses, corporate malfeasance, and government corruption. Yet many countries still lack the legal frameworks necessary to protect whistleblower rights and freedom of the press. Individuals with critical information to share (as well as receivers of that information) are often deterred from coming forward due to the risks of prosecution and persecution. In response, GlobaLeaks was developed in partnership with the Hermes Center for Transparency and Digital Human Rights to allow whistleblowers to safely, securely, and anonymously communicate with journalists and anti-corruption organizations online. GlobaLeaks thereby became the first open-source whistleblowing framework in the world. Virtually anyone can now install the GlobaLeaks software and set up their own online platform to receive critical information from anonymous sources. Each GlobaLeaks instance can even be tailored by users to address their specific audience and subject matter. Thanks to tools like GlobaLeaks, secure online whistleblowing has never been more localized or accessible for members of the media, public agencies, and activist groups.

An Evolving Project

To date, OTF has supported GlobaLeaks through three distinct rounds of funding. This long-term support allowed the GlobaLeaks team to invest years in software development and research—ensuring their end product would not only be as safe and secure as possible for those seeking to report malfeasance online, but also be responsive to user needs. During the initial round of funding in 2012, the GlobaLeaks prototype was built. At the time, the nascent application had just 14 use cases—almost all of which needed to receive direct support from the GlobaLeaks team. For the second round of funding in 2014, the GlobaLeaks team sought to re-engineer their prototype based on early-adopter feedback. By the end of 2016, the budding application had 100 projects up and running—demonstrating not only the need for this type of software, but also the application’s resonance with users. Still, more needed to be done. The software, as developed, was not yet mature enough to be used for long-term projects handling numerous submissions.

The latest round of OTF support sought to optimize interface usability and turn GlobaLeaks into a “product-level” software—ready to be accessed and relied upon by thousands of users around the world. If the goals of the final round of funding were met, the end result would be a user-friendly software capable of effectively and efficiently handling large sets of whistleblowing submissions across multiple years. All the while, of course, maintaining the highest possible level of security and anonymity.

Project Goals: Updating Software, Increasing Security and Usability, and Making Installation Easier

To achieve these ambitious goals, four primary objectives were set forth at the outset of the project. The first objective was to replace old, no-longer-maintained software components to improve overall stability and allow for long-term support. After years of development, certain components utilized by GlobaLeaks had fallen by the wayside and were no longer capable of being maintained as the program prepared to expand its scope and userbase. The second objective was to simplify HTTPS integration in order to allow users to more easily access the GlobaLeaks whistleblowing platform in a relatively secure manner. Prior to this development, users were required to access the program by installing and configuring the Tor Browser, which helped ensure users’ security and safety but also added a step to the process—potentially deterring successful adoption. The third objective was to create standardized formats for common whistleblowing scenarios. In theory, pre-packaged configuration sets would make it easier for organizations to create their initial platforms and get the most information out of their whistleblowers. The fourth and final objective was to make it easier to install and maintain GlobaLeaks by packaging the software to be released on the Ubuntu platform. Prior to this development, a Linux system administrator was required to support installation (which sometimes was an obstacle for organizations lacking in technical expertise). Taken together, these four key objectives sought to improve GlobaLeaks’ software infrastructure while simultaneously making it easier for users to install and maintain the program.

Four project goals: 1) replace outdated software; 2) simplify HTTPS integration; 3) create pre-made whistleblowing templates; 4) package GlobaLeaks software for Ubuntu

The 18-month project commenced in April 2017. By July, the second objective was completed when HTTPS was successfully integrated into the GlobaLeaks platform. This development allows for many more organizations to use GlobaLeaks (in countries with low Internet penetration or advanced surveillance, using HTTPS is often less risky than employing Tor to protect anonymity online). While integrating an up-to-date encryption model into the software, the team used Let’s Encrypt to create automatic enrollment and TLS/SSL certificate renewal for each GlobaLeaks system. This helps individual users bypass the complexities of setting up and maintaining an HTTPS certificate themselves (TLS/SSL certificates facilitate authenticated, encrypted connections between browsers and web servers).

Progress on the remaining three objectives was steady but required more time. In May 2018, the fourth objective was completed—albeit in a slightly different form than initially anticipated. The team was able to make it easier for non-technical users to install and maintain the GlobaLeaks software, but it proved impossible to integrate the program into the Ubuntu Graphical Setup interface as initially planned. Two separate versions of Ubuntu (Xenial and Bionic) were released during the project’s run time, complicating matters. Nonetheless, the unofficial Ubuntu packaging in Debian was improved. At the same time, multitenancy support was also integrated into the platform, allowing a single GlobaLeaks setup to support multiple projects. This upgrade enables GlobaLeaks to scale in a far more efficient and widespread manner.

The third objective was completed in August 2018. In addition to configuration support being embedded into the GlobaLeaks application, three default profiles were created. The first profile was for users interested in creating a setup capable of hosting a single project (i.e., single tenancy). The second profile was for users who wanted to build a setup capable of hosting multiple independent projects (i.e., multitenancy). The third profile was for users looking to create a setup that could host multiple platforms that were all part of the same project. This default profile allows related projects to share part of the same configuration base before branching out into their own specific needs. Such a profile can be utilized by public agencies that may need to follow similar initial patterns, but will ultimately need to address separate audiences or subject matter. In the end, creating these three default profiles—instead of many hyper-specific pre-packaged configuration sets—allowed GlobaLeaks to best serve the needs of its different users.

Finally, in September 2018, the last objective was completed when all out-of-date software components were replaced with new ones capable of being maintained going forward. Replacing and fixing these old libraries allowed GlobaLeaks to ensure the long-term stability of its projects and eliminate future headaches for users. Although some of the deliverables were completed in a slightly different form than originally described, the core threads of all four primary objectives were therefore accomplished by the close of the project. GlobaLeaks had been substantially improved and was ready to expand its footprint as a fully functional software. Thanks to the latest round of upgrades, it is now far easier for users to deploy their own GlobaLeaks instance capable of effectively supporting a long-term project. And thanks to Localization Lab, GlobaLeaks software has been translated and localized into nearly 60 different languages. This advancement is essential for encouraging individuals with information to speak up. When whistleblowing options are too far removed—or altogether inaccessible due to language barriers—the information never comes to light. Indeed, the initial development of GlobaLeaks was driven by the desire to make whistleblowing as local as possible in order to give a voice to concerned citizens in their home environment.


Growth Challenges and Effective Scaling

Throughout the project’s 18-month process, several obstacles were overcome thanks to the diligent work of the GlobaLeaks team and other OTF community collaborators. Perhaps the largest of these was finding a way to expand and evolve the platform’s software without alienating or disrupting the capabilities of pre-existing users. Updating the overall platform required keeping track of a host of compatibility issues and needs—but GlobaLeaks managed to instigate meaningful, long-lasting change without causing disruption to those already using the platform. And throughout the process of improving usability and accessibility, the team was able to maintain the high level of security that GlobaLeaks users need.

In the months since wrapping the project, GlobaLeaks has taken important next steps as a fully functional software. What began as just an idea—and evolved into a prototype supporting a handful of instances—today services more than 2,000 implementations around the world. GlobaLeaks software is now being used in countries like Ukraine, Angola, and Madagascar. The International Criminal Court is using it to help investigate war crimes and crimes against humanity in the Central African Republic. And in Italy, GlobaLeaks’ new multitenancy feature allowed for the creation of a single platform that offers every public agency in the country the ability to have their own online anti-corruption complaint box. The initiative, dubbed “whistleblowing.it,” currently hosts over 600 projects—with many more on the way. Simply put, the streamlined encryption model and multitenancy capability have resulted in massive, organic scaling across the board. Today, more than 60% of the software’s projects are created by external users without any assistance from the GlobaLeaks team. With threats to a free press, human rights defenders, and Internet freedom on the rise globally, the need for the services GlobaLeaks provides has never been more apparent.

So, what’s next for GlobaLeaks? The team’s goal is to keep serving users, allowing them to act as a light in the darkness. Ideally, they want their efforts to impact the policies and procedures being shaped on whistleblower and source protection around the world. And the best way to do that is to keep spreading. Concerned about human rights violations in Indonesia? Now, thanks to GlobaLeaks, there’s a website to receive information related to that very issue. How about Africa-related matters? There’s a website for that now, too. Go here to create your own today.

About the project: GlobaLeaks is an open-source, secure whistleblowing framework that allows media organizations, activist groups, and public agencies to easily set up and maintain an online platform to receive critical information from anonymous whistleblowers.

This blog post was created through OTF’s Learning Lab, which helps technology-focused internet freedom projects effectively communicate updates and findings, educate users, and reach core audiences.