Tor for Whistleblowers - How to Disclose Safely and Anonymously

Tor protects your network-level identity during transmission. Your ISP cannot see which websites you visit through Tor. The organization you are exposing cannot see your IP address when you access their systems through Tor or contact journalists through a Tor-accessible channel. The journalist receiving documents through SecureDrop cannot see your real IP address.

Tor does not protect you from:

Documents you submit that contain identifying metadata - Word documents with your name in author fields, PDFs with printer dots that identify the printer serial number, photos with GPS coordinates or device information in EXIF data. Always strip metadata before submission.

Behavioral patterns - If you only access whistleblowing resources during your lunch break on the work WiFi, correlation with your workplace network logs narrows the suspect pool regardless of Tor. Access sensitive resources from networks unconnected to your identity.

Account activity on the organization's internal systems - If you download documents from a corporate system while logged in as yourself, access logs record your activity regardless of what network you use for the submission itself.

Device compromise - If the organization has deployed monitoring software on work devices, all activity on those devices is logged locally. Never use work devices or work accounts for any whistleblowing-related activity.

Document metadata is the most common deanonymization vector in high-profile whistleblowing cases. Chelsea Manning's documents were traced partly through printer metadata. Reality Winner was identified through printer dot codes on a document she printed. John Young at Cryptome has documented dozens of cases where document metadata identified sources.

Remove all metadata before submission. For Microsoft Office documents: File > Check for Issues > Inspect Document, then remove all personal information. For PDFs: use ExifTool with exiftool -all= document.pdf or use a dedicated PDF metadata remover. For images: exiftool -all= image.jpg and verify with exiftool image.jpg that all fields are empty.

Print and re-scan as a last resort if thorough metadata removal is not achievable electronically. A printed and rescanned document loses most electronic metadata, though physical printer dots may remain. Some organizations recommend this step specifically for mitigating printer dot tracking, which requires either knowing your printer's specific dot pattern or using a printer unconnected to your identity.

Avoid screenshots of internal systems. Screenshot files capture screen resolution, timestamp, and in some cases active application names in file metadata. If visual documentation is needed, photograph the screen from a separate personal device. This creates a photographic copy rather than a file with system-specific metadata.

The appropriate disclosure channel depends on your documents' nature, the jurisdiction, and the outcome you want to achieve:

SecureDrop for journalism: if your goal is media publication, SecureDrop instances run by major news organizations are the standard. Access the Freedom of the Press Foundation's SecureDrop directory to find the correct address for your target publication. Verify the address through the publication's own website before submitting. Never submit through a SecureDrop address obtained from any other source.

Regulatory bodies: some wrongdoing is better reported directly to regulatory bodies (SEC Whistleblower Program, CFTC, etc.) that have legal protections and financial awards for valid submissions. These bodies may require identifying yourself, which removes anonymity but provides legal protection. Consult an attorney before proceeding with non-anonymous regulatory disclosure.

Civil society organizations: organizations like EFF, ACLU, Global Witness, and transparency nonprofits sometimes receive sensitive documents and have experience handling them responsibly. Contact them through their secure channels (many have PGP-encrypted email or secure contact forms) before submitting to understand their handling procedures.

Whistleblowing is not a single event but an operational security challenge that spans preparation, disclosure, and the subsequent investigation period. Each phase has specific requirements:

Before disclosure: gather and copy documents on systems you control, not work systems. Remove metadata. Identify your disclosure channel and verify addresses. Do not discuss the disclosure with anyone who does not have an absolute need to know. Do not search for information about the topic using work devices or accounts. Establish a communication channel with the journalist or organization through Tor before submitting documents.

During disclosure: use Tor from a network not associated with your identity (public WiFi, not home or work). Use the Safest security level in Tor Browser. Do not log into any personal accounts during the same Tor session. Do not browse to any sites that could fingerprint your session. Submit documents only through verified secure channels.

After disclosure: the investigation period is when most sources are identified - not during the submission but during the inquiry that follows publication. Maintain behavioral consistency. Do not change any routines noticeably. Do not suddenly search for news about the story using any network associated with you. Consult an attorney before speaking to anyone from law enforcement or the organization being exposed.

Whistleblower legal protections vary dramatically by country and context. The US has specific whistleblower protection statutes for certain categories of federal workers and certain types of disclosure. The EU Whistleblower Directive provides some protections for EU-based whistleblowers. Most countries have some legal protection for disclosures in the public interest, but the specific scope, procedures, and practical enforcement vary widely.

Legal protection and anonymity are not mutually exclusive. Anonymous disclosure through Tor can trigger a protected investigation even when the source's identity is not known initially. If the investigation leads to the source being identified, legal protections may apply based on the nature of the disclosure rather than the method of submission.

Consult an attorney specializing in whistleblower law before any disclosure involving potential personal legal exposure. The Fund for Investigative Journalism, the Government Accountability Project, and the National Whistleblower Center (US) provide referrals to attorneys specializing in whistleblower cases. This legal consultation is separate from the technical operational security and should not be conducted through any channel connected to your work identity.