|Home » Security
Whistleblower Warning: Expressen
STOCKHOLM (Rixstep) — Thomas Mattsson and his Expressen are building up their own whistleblower facility. Whistleblowers beware.
'Send us SMS messages! And use MMS to send us pictures and films!' says the Expressen come-on. 'Send them to 71717 and tell us if you want to be contacted by a reporter in our investigation group!'
email@example.com, firstname.lastname@example.org, email@example.com
Or you can ring them on +46 (0)8 738 30 00. Or you can write to them at:
Sweden, United States
Here comes the good stuff - the questions, Expressen's answers, then the truth.
- Can I be anonymous?
Expressen's answer: You can always be anonymous! But if you tell us who you are, your identity is still protected by our constitution. Expressen will never out a source!
The truth: You're outsourcing your anonymity if you fall for this. Expressen make no effort to explain to you how you protect your anonymity, such as by using Tor or another anonymiser service. They don't bother to explain anything about data trails either. The Swedish constitution be damned: anyone can out you at any time, no matter what any law says, if your identity is known. Don't forget it. The WikiLeaks type of system guarantees your anonymity because you cannot be traced even if someone should want to. Telling people they're protected even if they reveal their identity is like telling christians in the Coliseum that it's cool because the lions have just been fed.
- If this is about very sensitive information, perhaps something about my employer, what do I need to think about when I send in a tip?
Expressen's answer: Don't use your email system at work. Your employer can be checking the traffic. Do not contact us on your work mobile for the same reason. Send us mail from Hotmail! Or ring from your private telephone. If you want to be completely safe, buy a SIM card to your private mobile.
The truth: You're being fed to the lions here. Hotmail, owned and run today by Microsoft, reveals your sender-IP. Hotmail will also collate demographic data on you. Hotmail is also notoriously easy to crack. Given a single message from Hotmail, any agency can go in and identify you with name, terrestrial address, phone numbers, 'personnummer', anything they like. You are, in a word, toast.
The very fact Expressen let the word 'Hotmail' slip in a sensitive tutorial such as this shows how inept they are - all the more reason to not trust them. Webmail services such as Google's Gmail will not reveal sender-IPs, but you can be sure they have them stored somewhere: try logging into Gmail from halfway around the planet and the system will immediately burp and spit up your previous sender-IPs. Google can at any time choose to turn this information over to anyone they please. Best of all is to choose a webmail provider not in the US and not in Sweden and use Tor to access the service.
- Will I get paid for my contribution?
Expressen's answer: Good tips that lead to publication are rewarded. The amount varies. The best tip of the year is rewarded with SEK 71717.
The truth: That's US$ 10,712.84 at time of publication. That's for the best tip of the year. Some reporters in Sweden's tabloid media get paid nearly $100,000 for a single article of 800-1000 words. And they have to know who you are if you want them to send the money. It's probably not worth it.
- Should I send you original documents?
Expressen's answer: Sure if you want to! But it's best if you send us copies and keep the originals. In some cases we'll need the originals for fact-checking. We always return original documents if you so wish.
The truth: Hardcopy documents contain 'watermarks' and other data trails. Electronic documents can contain reams of these. The author of the computer malware known as Melissa was found by inspecting the 'metadata' in the documents it infected.
You have to be very careful when submitting anything. You have no reason to trust anyone at Expressen with such confidential information. Where are your documents stored? Are they protected by lock and key or by password? How many others at Expressen's offices are able to access your documents? And so forth.
- I sent you a tip, how long will I wait before you reply?
Expressen's answer: You can count on us contacting you immediately. Give us your mailing address if you want us to keep you in the loop. We endeavour to take good care of our sources!
The truth: See above. Also: your 'tip' will rarely go directly to a reporter - they assign researchers who may or may not choose to forthwith file your tip in the 'circular file'.
Make sure you can't be traced through the address you give them. Never give them a terrestrial address. Do not use your ISP mail service. Make sure you are anonymised all the way through your registration and use of a secure offshore webmail service. You'll see if they publish anyway.
- Will you tell me how you plan to quote me?
Expressen's answer: It's not certain we'll quote you even if you are our source. If you want to contribute, either anonymously or with your name and a photo, you'll always get to read your own quotes in the context they'll be used. We try to keep our sources as informed as possible in regards to our work.
Subtotal: If you want to tell Expressen you found a tin of cat food past expiry date in your supermarket, go ahead and blast your name all over the InterWebs. But if you're talking about very serious matters, don't contact them at all.
Expressen used to have a reputation of printing real news stories no one else wanted to touch. This was back before the widespread use of the InterWebs. Things have changed, and so has Expressen. Not only have they turned into a sleaze rag, they're also bewilderingly clueless when it comes to privacy issues. The people running this show at Expressen are hopeless in that regard. Sorry.