Threat model

GlobaLeaks is a free and open-source whistleblowing software designed for various usage scenarios, each requiring a balance between strong security and high usability. These two requirements are crucial for managing whistleblowing procedures effectively, protecting whistleblowers, and achieving specific project goals. Given the variety of use cases and associated risks, the software can be configured to address the specific threat model detailed here.

This document is intended for organizations implementing a whistleblowing procedure using GlobaLeaks. It supports the analysis and understanding of the specific threat model relevant to their context and risks and guides users in selecting best practices for their project.

Users matrix

The first step is to define the types of users interacting with a GlobaLeaks platform.

| User | Definition |
|---|---|
| Whistleblower | The user who submits an anonymous report through the platform. Whistleblowers may operate under various threat models depending on the usage scenario and the nature of the information submitted. |
| Recipient | The user who receives and analyzes anonymous reports from Whistleblowers. Recipients act in good faith and are considered trusted parties concerning the protection of Whistleblowers’ confidentiality. |
| Administrator | Users responsible for setting up, managing, and monitoring the platform’s security. Administrators may not be the same entities running or managing the whistleblowing initiatives (e.g., hosted solutions, multiple stakeholder projects). Administrators are trusted entities but do not have direct access to reports and advise Recipients on best practices. |

It is crucial to apply security measures relative to the users of the platform, aiming to achieve an appropriate tradeoff between security and usability.

Anonymity matrix

The anonymity of users must be classified depending on the context of use, as follows:

| User | Definition |
|---|---|
| Anonymous | The user accesses the platform via the Tor Browser and follows best practices to protect their identity, minimizing the risk of tracking by any system involved in the operation. The user has not disclosed their identity to Recipients. |
| Confidential | The user accesses the platform via a common browser. While third parties might log their IP address, the platform protects the content of their communication. The user may choose to disclose their identity to Recipients confidentially. |

The platform always informs users of their current anonymity status and provides guidance on best practices for anonymous access via the Tor Browser. Administrators may enforce the requirement that Whistleblowers use the Tor Browser to file reports, depending on the use case.

Communication security matrix

The security of communication concerning third-party monitoring varies based on the context of use.

| Security level | Description |
|---|---|
| High security | Tor is used, and communication is encrypted end-to-end with the GlobaLeaks platform, ensuring that no third party can eavesdrop on the communication. |
| Medium security | HTTPS is used, and communication is encrypted end-to-end with the GlobaLeaks platform. A third party capable of manipulating HTTPS security (e.g., re-issuing TLS certificates) could eavesdrop on the communication. If HTTPS security is maintained, monitoring the user’s communication line or the GlobaLeaks platform’s communication line is not feasible. |

Identity disclosure matrix

Regardless of the anonymity matrix, users may choose or be required to disclose their identity.

| Identity disclosure | Definition |
|---|---|
| Undisclosed | The user’s identity is not disclosed and is unlikely to be disclosed. |
| Optionally disclosed | The user’s identity is not disclosed by default but may be voluntarily disclosed (e.g., an anonymous tip-off MAY receive a follow-up, whereas a formal report with disclosed identity MUST receive a follow-up). |
| Disclosed | The user chooses or is required to disclose their identity to other users. |

Identity disclosure is crucial because even in an Anonymous High security environment, disclosing one’s identity may be a valuable option for specific whistleblowing workflows.

Users who start with an anonymity setting of “Anonymous” and an “Undisclosed” identity can decide later to disclose their identity. The reverse is not possible: once an identity has been disclosed, the disclosure cannot be undone. This consideration is key to ensuring user protection in GlobaLeaks.

Voluntary identity disclosure may be required in certain whistleblowing procedures because:

  • A tip-off MAY receive a follow-up and can be anonymous;

  • Formal reports MUST receive a follow-up and cannot be anonymous.

The distinction between “MAY” and “MUST” refers to the actions of recipients and is a fundamental element of the guarantees provided to whistleblowers in many initiatives (e.g., a corporate or institutional whistleblowing platform should not follow a MUST approach for anonymous submission follow-up, treating such submissions as tip-offs rather than formal reports).

Usage scenarios matrix

This section provides examples of how different anonymity levels for users can be combined depending on the context of use.

| Use case | Description |
|---|---|
| Media outlet | A media outlet with a disclosed identity initiates a whistleblowing project. The outlet’s recipients are disclosed to Whistleblowers, allowing them to trust a specific journalist rather than the outlet itself. Full anonymity must be assured to whistleblowers, and their identity cannot be disclosed in connection with anonymous submissions. Whistleblowers MAY choose to disclose their identity if they trust the journalist’s source-protection record. |
| Corporate compliance | A corporation implements transparency or anti-bribery law compliance by promoting initiatives to employees, consultants, and providers. Recipients are part of a company division (e.g., Internal Audit office). Whistleblowers are guaranteed full anonymity but may optionally disclose their identity. |
| Human Rights Activism Initiative | A human rights group initiates a whistleblowing project to expose violations in a dangerous area. The organization requires anonymity to avoid retaliation and operates under a pseudonym. Recipients MUST not be disclosed to Whistleblowers, but partial disclosure by pseudonym is acceptable to establish trust. The Whistleblower MUST be guaranteed anonymity and their identity cannot be disclosed. |
| Citizen media initiative | A citizen media initiative with a public identity seeks reports on specific topics (e.g., political, environmental malpractice, corruption) in a medium-low risk operational context. Recipients may use pseudonyms or remain public to avoid complete exposure. Whistleblowers, if the topic is not life-threatening, may submit reports confidentially to lower the entry barrier. |

The following matrix illustrates how different usage scenarios can require various anonymity levels, communication security requirements, and identity disclosures for different users.

GlobaLeaks will provide appropriate security awareness information through its user interface and enforce specific requirements based on clear configuration guidelines.

| Scenario | User | Anonymity level | Identity disclosure | Communication security |
|---|---|---|---|---|
| Media outlet | Whistleblower | Anonymous | Undisclosed | High security |
| Media outlet | Recipient | No anonymity | Disclosed | Medium security |
| Media outlet | Admin | No anonymity | Disclosed | Medium security |
| Corporate compliance | Whistleblower | Anonymous | Optionally disclosed | High security |
| Corporate compliance | Recipient | No anonymity | Partially disclosed | Medium security |
| Corporate compliance | Admin | No anonymity | Disclosed | Medium security |
| Human Rights Activism Initiative | Whistleblower | Anonymous | Undisclosed | High security |
| Human Rights Activism Initiative | Recipient | Anonymous | Partially disclosed | High security |
| Human Rights Activism Initiative | Admin | Anonymous | Partially disclosed | High security |
| Citizen media initiative | Whistleblower | Confidential | Optionally disclosed | Medium security |
| Citizen media initiative | Recipient | Confidential | Confidential | Medium security |
| Citizen media initiative | Admin | No anonymity | Disclosed | Medium security |

Data security matrix

This section highlights the data handled by GlobaLeaks and the protection schemes applied to it.

The following information types are involved in GlobaLeaks:

| Information type | Description |
|---|---|
| Questionnaire answers | Data associated with a submission, including the filled forms and options selected by the Whistleblower. |
| Submission attachments | Files associated with a submission. |
| Platform configuration | Data for configuring and customizing the platform. |
| Software files | All files required for the software to function, including default configurations. |
| Email notifications | Data sent to notify recipients of new reports via email. |

Below is a matrix showing the different security measures applied to data.

| Information type | Encryption | Filters | Sanitization |
|---|---|---|---|
| Questionnaire answers | Encrypted in the database with per-user/per-submission keys | Keyword filters | Antispam, Anti-XSS |
| Submission attachments | Encrypted on the filesystem with per-user/per-submission keys | Extension blocking, Antivirus | N/A |
| Email notifications | Encrypted with PGP when recipient keys are available | Antispam to prevent flooding | N/A |

Threats to anonymity and confidentiality

This section highlights various threats that require specific consideration.

Browser history and cache

GlobaLeaks uses crafted HTTP headers and other techniques to minimize leaking information into a user’s browser history or cache. While this privacy feature enhances safety, it cannot guarantee protection against forensic analysis of browser cache and history but serves as an additional safety measure.

Metadata

Files may contain metadata related to the author or whistleblower. Cleaning metadata from submitted files helps protect an “unaware” whistleblower from inadvertently including information that may compromise their anonymity. GlobaLeaks does not automatically clean metadata by default, as metadata is considered a fundamental part of the original evidence that should be preserved. Metadata cleanup is an optional step that may be suggested to Whistleblowers or performed by Recipients when sharing documents with others. When sharing files with external parties, Recipients are advised to print the document and provide a hard copy to ensure that only visible information is shared, avoiding the risk of sharing sensitive metadata. For more on metadata and redacting digital files, see the article Everything you wanted to know about media metadata, but were afraid to ask by Harlo Holmes. A useful tool for these procedures is the Metadata Anonymization Toolkit.
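As an added illustration of the cleanup step described above (this is not GlobaLeaks code and not a replacement for the Metadata Anonymization Toolkit it mentions), the following Python walks a JPEG's segment structure, reports the Exif/XMP, IPTC and comment segments that commonly carry author or device information, and strips them while copying the image data byte-for-byte. The sample file is constructed inside the block: a structurally valid JPEG container, not a real photograph.

```python
# Added helper (not GlobaLeaks code): walk a JPEG's segment structure, report the
# metadata-bearing segments and strip them, copying the image data byte-for-byte.
import struct

METADATA_MARKERS = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM"}
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers without a length field


def iter_segments(data):
    """Yield (marker, offset, size) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        size = 2 if marker in STANDALONE else 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, size
        pos += size
        if marker == 0xDA:  # SOS: entropy-coded scan data follows until EOI
            return


def find_metadata(data):
    """Names of the metadata-bearing segments present in the file."""
    return [METADATA_MARKERS[m] for m, _, _ in iter_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data):
    """Copy of the JPEG with Exif/XMP, IPTC and COM segments removed."""
    out, end = bytearray(data[:2]), 2
    for marker, off, size in iter_segments(data):
        end = off + size
        if marker not in METADATA_MARKERS:
            out += data[off:end]
    return bytes(out + data[end:])  # scan data and EOI are copied untouched


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG container (JFIF header, Exif
# block, free-text comment, stub quantisation table, tiny scan), not a real photo.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00")
    + _seg(0xFE, b"author: constructed example")
    + _seg(0xDB, b"\x00" + b"\x01" * 64)
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd9"
)
```

Running `find_metadata` on a file before and after `strip_metadata` gives a Recipient a quick check of what would travel with a shared copy; for PDFs, office documents and other formats the segment layout differs and a dedicated tool is the right choice.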

Malware and trojans

GlobaLeaks cannot prevent an attacker from using the platform maliciously to target recipients with malware or trojans. To mitigate risks of data exfiltration through trojans, Recipients should implement proper operational security by using dedicated laptops for report viewing and opening file attachments on offline computers. Wherever possible, they should use specialized secure operating systems like QubesOS or Tails and ensure up-to-date antivirus software is running.

Network and reverse proxies

GlobaLeaks is designed for use with direct Tor or TLS connections from the user’s browser to the application backend. The use of Network and Reverse Proxies in front of the application is discouraged as they can interfere with the application and compromise confidentiality and anonymity measures implemented in GlobaLeaks.

Data stored outside the platform

GlobaLeaks does not provide security for data stored outside the GlobaLeaks system. It is the responsibility of Recipients to protect data downloaded from the platform or shared via external USB drives. The operating system used or the USB drive should offer encryption to ensure that, in case of device loss or theft, the data remains inaccessible.

Environmental factors

GlobaLeaks does not protect against environmental factors related to users’ physical locations or social relationships. For example, if a user has a surveillance device in their home, GlobaLeaks cannot provide protection. Similarly, if a whistleblower, who is supposed to be anonymous, shares their story with friends or coworkers, GlobaLeaks cannot offer protection.

Incorrect data retention policies

GlobaLeaks implements a strict default data retention policy of 90 days to allow users to manage reports within a limited time frame necessary for investigations. If the platform is configured to retain reports for an extended period and Recipients do not manually delete unnecessary reports, the value of the data increases, along with the risk of exposure.

Human negligence

While GlobaLeaks provides Administrators with the ability to fine-tune security configurations and continuously informs users about their security context, it cannot protect against major security threats resulting from human negligence. For instance, if a Whistleblower submits data that can identify them as the unique owner or recent viewer, GlobaLeaks cannot protect their identity.

Advanced traffic analysis

An attacker monitoring HTTPS traffic, without the ability to decrypt it, can still identify user roles based on different network traffic patterns generated by Whistleblowers, Recipients, and Administrators. GlobaLeaks does not offer protection against this type of threat. We recommend using Tor pluggable transports or other methods that provide additional protection against such attacks.