Threat Model
GlobaLeaks is an free and open source whistleblowing software that can be used in many different usage scenarios that may require very different approaches to obtain at the same time strong security and high usability. This two requirements are necessary to safely handle a whistleblowing procedure by protecting whistleblowers and at the same time achieve specific project goals. For this reasons considering the variety of different use cases and risks the software supports the possibility to be configured o respond to the specific threat model here detailed.
This document is intended to be used by organizations that want to implement a whistleblowing procedure based on Globaleaks and support the analysis and comprehension of the specific threat model of their context of use and of the risks involved and guide users through the selection of the best practices to be used within their own project.
Users Matrix
As a first step we define the type of users that can interact with a GlobaLeaks platform.
User |
Definition |
|---|---|
Whistleblower |
The user who submits an anonymous report through the platform. Whistleblowers are persons operating in a wide range of different threat models depending on the usage scenario and the nature of information being submitted. |
Recipient |
The user receiving anonymous reports submitted by Whistleblowers and responsible for their analysis. Recipients act reasonably in good faith and have to be considered in all scenarios described as trusted party with reference to the protection of Whistleblowers’ and the confidentiality of the information by them communicated. |
Administrator |
The users supporting the setup, the management and monitoring the security of the platform. Administrator may not represent the same entity running, promoting and managing the whistleblowing initiatives (e.g., hosted solutions, multiple stakeholders projects, etc). The Administrator has to be considered in all scenarios described as a trusted entity. They do not have direct access to reports and they are responsible for advising Recipients on the best practices to be adopted in their work. |
It’s highly relevant to apply each of the security measures always in relationship to the users using the platorm, trying to identify an adequate security and usability tradeoff.
Anonymity Matrix
The anonymity of different users must be differentiated and classified depending on the context of use represented by the following definitions:
User |
Definition |
|---|---|
Anonymous |
The user has accessed the platform via the Tor Browser and following the best practices for protecting their identity reducing to the maximum the possibility that a system involved in the operation has tracked their activities and their own IP address. The user has not provided any information about their own identity to Recipients. |
Confidential |
The user has used the platform by using a common browser. In this case, third parties could have logged their IP address during their operations but the platform has protected the content of their communication. The user may have possibly opted for disclosing confidentially their own identity to Recipients. |
The platform always reports to users their current anonymity state and inform them about the best practices for accessing anonymously via the Tor Browser. Depending on the use case Administrators could possibly enforce the requirement that Whistleblowers could file reports only by using the Tor Browser.
Communication Security Matrix
The security of communication with respect to third party transmission monitoring may have different requirements depending on its context of use.
Identity disclosure is a highly relevant topic, because even in an Anonymous High security environment, identity disclosure may be an valuable option for specific whistleblowing initiative workflows.
If a user starts dealing with an Anonymity set “Anonymous” and with an “Undisclosed Identity” they can always decide, at a later stage, to disclose their identity. The opposite is not possible. This is one of the key considerations to provide users protection around GlobaLeaks.
Voluntary identity disclosure may be required in certain whisteblowing procedures because, generally:
A tip off MAY receive a follow-up and can be anonymous;
Formal reports MUST receive a follow-up and in that case cannot be anonymous.
The “MAY” vs. “MUST” is with respect to the actions of recipients and is a fundamental element of the guarantee provided to whistleblowers in many initiatives (e.g., a corporate or institutional whistleblowing platform should not follow a MUST approach for Anonymous submission follow-up, considering such submissions just tip offs and not formal reports).
Usage Scenarios Matrix
In this section you will find examples that show how different anonymity levels of different users can be mixed together depending on the context of use.
Use case |
Description |
|---|---|
Media outlet |
A Media outlet, whose identity is disclosed, decides to start a Whistleblowing initiative. The outlet’s recipients are disclosed to Whistleblowers, so that they can trust a specific journalist rather than the outlet itself. Full anonymity must be assured to whistleblowers and their identity cannot be disclosed in connection with anonymous submissions. The whistleblower MAY choose to willingly disclose their identity (e.g. when the journalist’s source-protection record is trusted). |
Corporate compliance |
A Corporation needs to implement transparency, or anti-bribery law compliance, by promoting its initiatives to employees, consultants and providers. The recipients are part of a division of the company (e.g. Internal Audit office). The Whistleblower is guaranteed full anonymity, but they can optionally disclose their identity. |
Human Rights Activism Initiative |
A Human Rights Group starts a Whistleblowing initiative to spot human rights violations in a dangerous place. The organization requires anonymity to avoid retaliations and takedowns, and operates under a pseudonym. The Recipients MUST not be disclosed to the Whistleblowers, but a Partial Disclosure by pseudonym can be acceptable in order to give proper trust to “Who the whistleblower is submitting to” . The Whistleblower MUST be guaranteed anonymity and their identity cannot be disclosed. |
Citizen media initiative |
A Citizen media initiative with it’s own public identity wants to collect reports on a specific topic (political, environmental malpractice, corruption, etc) in a medium-low risk operational context. The recipients could be public or use Pseudonym in order to avoid complete exposure. The Whistleblower, if the topic is not life-threatening, can be allowed to submit also in a Confidential way to lower the entrance barrier. |
Below we show how different usage scenarios can require different anonymity levels, communication security requirements and identity disclosures for different users.
GlobaLeaks, through its user interface, will enable each user with appropriate security awareness information, and will enforce specific requirements to specific users by the application of clear configuration guidelines.
Scenario |
User |
Anonymity level |
Identity disclosure |
Communication security |
|---|---|---|---|---|
Media outlet |
Whistleblower |
Anonymous |
Undisclosed |
High security |
Recipient |
No anonymity |
Disclosed |
Medium security |
|
Admin |
No anonymity |
Disclosed |
Medium security |
|
Corporate compliance |
Whistleblower |
Anonymous |
Optionally disclosed |
High security |
Recipient |
No anonymity |
Partially disclosed |
Medium security |
|
Admin |
No anonymity |
Disclosed |
Medium security |
|
Human Rights Activism initiative |
Whistleblower |
Anonymous |
Undisclosed |
High security |
Recipient |
Anonymous |
Partially disclosed |
High security |
|
Admin |
Anonymous |
Partially disclosed |
High security |
|
Citizen media initiative |
Whistleblower |
Confidential |
Optionally disclosed |
Medium security |
Recipient |
Confidential |
Confidential |
Medium security |
|
Admin |
No anonymity |
Disclosed |
Medium security |
Data Security Matrix
This section highlights the data that is handled by GlobaLeaks and how different protection schemes are applied to GlobaLeaks handled data.
The following information types are the one involved within GlobaLeaks:
Information type |
Description |
|---|---|
Questionnaire answers |
The data associated with a submission such as the filled forms and selectors provided by the Whistleblower. |
Submission attachments |
The files associated with a submission. |
Platform configuration |
The data for the configuration and customization of the platform. |
Software files |
All the files that the software requires to work, including configuration defaults. |
Email notifications |
Data sent to notify recipients of a new report via email |
Below a matrix showing different security measures applied on data.
Information type |
Encryption |
Filters |
Sanitization |
|---|---|---|---|
Questionnaire answers |
Encrypted on the database with per-user / per-submissions keys |
Keyword filters |
Antispam, Anti XSS |
Submission attachments |
Encrypted on the filesystem with per-user / per/submissions keys |
Extension blocking, Antivirus |
N/A |
Email notifications |
Encrypted with PGP when recipients keys are available |
Antispam to prevent flooding |
N/A |
Threats to Anonymity and Confidentiality
In this section we highlight several threats that require specific explanation.
Browser History and Cache
GlobaLeaks tries to avoid, by using properly crafted HTTP headers and other techniques, leaking information into any user’s browser history or cache. This privacy feature cannot guarantee the safety of the user against a forensics analysis of their browser cache and/or history, but it is provided as an additional safety measure.
Metadata
Every file can contain metadata related to the author or the whistleblower. The cleanup of metadata of submitted files is a particular topic that attempts to protect an “unaware” whistleblower from including information in a document that may put their anonymity at risk. In the context of GlobaLeaks, by default no automatic metadata cleanup is implemented because metadata is considered fundamental part of the original evidence that shall be preserved and not invalidated. For this reason metadata cleanup is an optional operation that could be suggested to Whistleblowers or operated by Recipients when sharing the document with other persons. When sharing files to external third parties Recipients are invited to print the document and provide a hard copy. This process is helpful to ensure that recipients only share what they see without risking to share sensitive information contained in the metadata of the files of which they may not be aware of. To get to know more about metadata and the best practices on redacting metadata from digital files we recommend reading the article Everything you wanted to know about media metadata, but were afraid to ask by Harlo Holmes. A valuable tool supporting these advanced procedures is the Metadata Anonymization Toolkit
Malware and Trojans
GlobaLeaks could not prevent an attacker to use the platform maliciously trying to target recipients users with malware and trojans in general. Considering this and in order to be less vulnerable to risks of data exfiltration perpretrated with trojans, Recipients should always implement proper operation security by possibly using a laptop dedicated to reports visualization and open file attachments on computers disconnected from the network and other sensible information. Wherever possible in their operation they should adopt specialized secure operation systems like QubesOS or Tails or and at least run an up-to-date Anti-Virus software.
Network and Reverse Proxies
GlobaLeaks is intended to be used by end users with a direct Tor or TLS connection from the browser of the user to the application backend. Any use of Network and Reverse Proxies in front of the application is discouraged; those appliances could significatively interfere with the application and lower its security vanishing any confidentility and anonimity measure implemented within GlobaLeaks.
Data Stored Outside the Platform
GlobaLeaks does not provide any kind of security for data that is stored outside the GlobaLeaks system. Is responsibility of Recipients to protect the data they download from the platform on their personal computer or that they share with other persons with external usb drives. The operatin system used or the pen drive adoptet should offer encryption and guarantee that in case of device loss or stealing no one could access the data therein contained.
Environmental Factors
GlobaLeaks does not protect against environmental factors related to actors’ physical locations and/or their social relationships. For example if a user has a video bug installed in their house to monitor all their activity, GlobaLeaks cannot protect them. Likewise, if a whistleblower, who is supposed to be anonymous, tells their story to friends or coworkers, GlobaLeaks cannot protect them.
Incorrect Data Retention Policies
GlobaLeaks implements by default a strict data retention policy of 90 days to enable users to operate on the report for a limited time necessary for the investigations. If the platform is configured to retain every report for a long time and Recipients do not manually delete the unnecessary reports, the value of the platform data for an attacker increases and so too does the risk.
Human Negligence
While we do provide the Administrator the ability to fine tune their security related configurations, and while we do continuously inform the users about their security related context at every step of interactions, GlobaLeaks cannot protect against any major security threats coming from human negligence. For example, if a Whistleblower submits data that a third party (carrying on an ex-post facto investigation) can use to identify them as the unique owner or recent viewer of that data, then the Whistleblower cannot be protected by GlobaLeaks.
Advanced Traffic Analysis
An attacker monitoring HTTPS traffic, with no ability to decrypt it, can still identify the role of the intercepted users, because the Whistleblower, Recipient and Administrator interfaces generate different network traffic patterns. GlobaLeaks does not provide protection against this threat. We suggest using Tor pluggable transports or other methods that provide additional protection against this kind of attack.