The Pitfalls of Closed-Source Whistleblowing Software

5 August 2022 

WIN is delighted to publish this Spotlight by Giovanni Pellerano, a computer engineer and whistleblowing hacktivist. Giovanni co-founded GlobaLeaks, a software that provides flexible and secure gateways for journalists, individuals, and NGOs to enable whistleblowing.

Since founding the free and open-source whistleblowing software GlobaLeaks, I am often asked by organisations to review and comment on the various proprietary whistleblowing software solutions being advertised to them.

When tasked with this, I find it more professional to avoid talking about the specifics of the technology because, as voluntary external auditors, we have no way of offering concrete solutions without risking criticism. Instead, I push the value of open-source software, explaining that much-needed trust can be built over time, based on continuous peer review of such software, as well as the availability of track records of edits and independent audits, made possible by opting for open-source technology.

However, I was recently approached by a partner anticorruption NGO to give my assessment of the whistleblowing platform of the European Commission, called the EU Sanctions Whistleblower Tool, which facilitates anonymous reporting of sanctions violations and was developed on the basis of the Integrity Line software by EQS Group AG. At first, I replied with my ‘go-to’ arguments, pointing out that with a technology like this we could not provide any real evaluation because, as citizens and users, we have no way to peer review the technology without hacking it, which is illegal.

Read more: European Commission introduces EU Sanctions Whistleblower Tool

However, on considering the widespread adoption of this technology and the growing risks for whistleblowers if the software is not as secure as advertised, coupled with my experience with responsible security audits, I decided that it was worth attempting to ethically “hack” and therefore verify the purported security of the platform. 

Read more: Coordinated Vulnerability Disclosure

The result was not what I expected. Within minutes of starting my review, I found that the technology was suffering from a major vulnerability, with no possible mitigation of the risks of its exploitation, thus making the software extraordinarily, and worryingly, insecure.

Following what is known as a “responsible disclosure procedure,” I contacted the MITRE Corporation, which operates the CVE Program, asking for support in the analysis of the insecurity I had uncovered and for their advice on proper ways to contact the vendor. MITRE confirmed and acknowledged the relevance of the vulnerability and issued a Common Vulnerabilities and Exposures identifier (CVE-2022-34007) to organise a proper vulnerability disclosure after full remediation by the vendor. I then tried to contact the vendor of this technology by looking for a confidential reporting procedure, which is typical of open-source projects that try to follow security best practices. I discovered the company had not implemented such a dedicated security channel. I therefore had to contact the vendor via email and file a security audit report, informing them of my findings and offering guidance on how to fix and improve the security of their technology.

I would like to stress that the problems identified are not unique to the EQS Integrity Line software. Every system has, or will have, bugs, which can occur regardless of whether the software is closed-source or open-source. However, with open-source software, as is widely known and expressed by the open-source community, we are able to see a) when a bug was added, b) how and when it was fixed, and, importantly, we can continue to monitor for any ongoing vulnerabilities with continuous peer review. With closed-source software, however, we only know that critical information when the company chooses to publicly disclose that an issue has happened and that it was somehow fixed, and users have no way of knowing the exact remediation implemented, nor how it could impact the software.

I believe this is an important issue to raise, not just to talk about this technology in particular, but to open a public discussion and stress the requirement that whistleblowing software should be open-source.

It is not a problem if a piece of software has an issue, as long as the issue is swiftly and responsibly resolved. And it doesn't matter if the software is privately and commercially licensed or if it is freely available, as long as the code used by that software is open source and publicly auditable.

It is my firm opinion, and I would say one common to the whistleblower protection community, that whistleblowers deserve maximum security and care, and that this is only possible by increasing the contribution to, and the capacity for peer review of, the best practices that we build, recommend and implement. For this reason, I believe that all interested whistleblower activists, lawyers, users and developers should be included in this discussion and have full access to the details of whistleblowing technology. This is an important safeguard and catalyst for innovation and improvement, and one of the major advantages of technologies like GlobaLeaks, for which I stand.

A comment from the WIN Team:

Whistleblowers are the first to spot when wrongdoing has occurred and may be the only witness to malpractice. Often, when a whistleblower is considering resorting to anonymous reporting, they face a very real risk of retaliation. As Giovanni points out, whistleblowers deserve the utmost care and security: any promise of identity protection must be as secure as it is advertised to be.

Whistleblowers can face professional and personal risks and may have no alternative to silence. Anonymous reporting platforms can be an important tool to encourage whistleblowers to speak up, and they are being increasingly acknowledged in legal frameworks and by employers looking to encourage staff to raise concerns of malpractice. In 2019, WIN hosted its inaugural conference and invited whistleblowing practitioners and NGOs from around the world to discuss the practices they have developed to support and defend whistleblowers, including the folks at GlobaLeaks, which has been an important tool adopted by many WIN members to encourage hesitant reporters to make contact and seek advice without exposing their identity before they are comfortable.

It has been impossible to ignore the burgeoning number of whistleblowing solution services which have flooded the market. Whilst these will have a place in a national or institutional whistleblowing framework, to properly advise whistleblowers we need these commercial ventures, increasingly adopted by public authorities, to ensure transparency and accountability in their systems, to uphold the public’s right to know public interest information, and to avoid undermining the trust and confidence in those systems that is necessary to encourage witnesses to come forward and stop the risk of harm.