Five + Five Digital Security Tools

Five digital security tools to protect your work and sources
An article from the International Consortium of Investigative Journalists

1. Signal and other end-to-end encrypted apps
2. Secure file storage and encrypted sharing
3. Password managers
4. Two-factor authentication and its innovations
5. Slack alternatives for your office

. and .

Five EFF Tools to Help You Protect Yourself Online

1. Privacy Badger
2. Panopticlick
3. Https:// Everywhere
4. Certbot
5. Surveillance Self-Defense

Spying on Democracy

Spying on Democracy:
Government Surveillance, Corporate Power and Public Resistance

By Heidi Boghosian

"In Spying on Democracy, National Lawyers Guild Executive Director Heidi Boghosian documents the disturbing increase in surveillance of ordinary citizens and the danger it poses to our privacy, our civil liberties, and to the future of democracy itself. Boghosian reveals how technology is being used to categorize and monitor people based on their associations, their movements, their purchases, and their perceived political beliefs. She shows how corporations and government intelligence agencies mine data from sources as diverse as surveillance cameras and unmanned drones to iris scans and medical records, while combing websites, email, phone records and social media for resale to third parties, including U.S. intelligence agencies."

* (pp. 108-109)  A civilian employee of the Fort Lewis Force Protection Division in Washington State, struck up friendships with many peace activists. For at least two years he posed as an activist... He gave information... to his supervisor Thomas Rudd, who wrote threat assessments that local law enforcement officials used in harassment campaigns that included "preemptive arrests and physical attacks on peaceful demonstrations, as well as other harassment." In the words of the government agencies involved, they aimed to neutralize PMR [a local political / activist group] through a pattern of false arrest and detentions, attacks on homes and friendships, and attempting to impede members from peacefully assembling and demonstrating anywhere, at any time."

I thought that "Spying on Democracy: Government Surveillance, Corporate Power and Public Resistance" was very well-written and highlights concerns that many in our communities have about invasions of our personal privacy and abuse of our civil liberties.

WhatsApp

WhatsApp is a very popular messaging application, with more than 1-billion registered users.
WhatsApp messages are end-to-end encrypted, using the Signal encryption protocol developed by Open Whisper Systems. The encryption protocol is very secure, and Signal has its own messaging app, separate from WhatsApp.

Because of WhatsApp’s immense popularity, WhatsApp is an easy way to get your family, friends, and co-workers to begin using a encrypted communications. WhatsApp messages are far more secure than unencrypted text (SMS) messages and unencrypted chats.

According to the WhatsApp web-site, "When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands."

Control What you Share

You can also decide what to share with your contacts on WhatsApp, and we encourage you to think carefully before you decide to share something. Ask yourself: would you want others to see what you've sent?

Please be advised that we do not retain messages after they have been delivered, in the ordinary course of providing our service. Once a message is delivered over WhatsApp, to help ensure the safety, confidentiality and security of the messages you send we do not store the message.

However, when you share a chat, photo, video, file or voice message with someone else on WhatsApp, they will have a copy of these messages. They will have the ability to re-share these messages with others on and off WhatsApp.

WhatsApp also has a location feature that you can use to share your then-current location via a WhatsApp message. You should only share your location with people you trust.

WhatsApp Weaknesses and Vulnerabilities

WhatsApp’s parent company is Facebook, and information from your WhatsApp account, such as the telephone number you used to verify your account and the last time you logged on, may be shared with Facebook. While this doesn’t expose the content of any of your WhatsApp encrypted messages, it does associate your WhatsApp contacts with your Facebook profile.

The messages you send via WhatsApp are end-to-end encrypted meaning that only your device has the ability to decode them. This prevents your messages being intercepted during transmission, but says nothing of their safety while on your device. On both iOS and Android it is possible to create a backup of your messages to either iCloud or Google Drive. The backups that WhatsApp create contain the decrypted messages on your device. The backup itself is not encrypted. If someone wanted access to your messages, they would only need the latest copy of your daily backup. It is also vulnerable as there is no ability to change your backup location, meaning that you are at the mercy of the cloud service to keep your data protected. iCloud in particular has suffered a poor reputation for security, especially after its role in the largest celebrity leak in history. One of the supposed benefits of encryption is, for better or worse, being able to prevent government and law enforcement from being able to access your data. As the unencrypted backup is available on one of two US based cloud storage providers, all it would need is a warrant and they would have unfettered access to your messages. In many instances, this renders the end-to-end messaging encryption as redundant.

I recommend that you turn off backups of your WhatsApp messages.  Also, don’t keep messages stored in your phone. Once you have read, replied, and no longer need a message - Delete It!

WhatsApp - Should You Use It?

While nothing can be 100% secure, I believe that the security offered by WhatsApp is a significant improvement over unencrypted text messages, chats, and telephone calls. Because of WhatsApp’s popularity, many people with whom you wish to communicate may already be using WhatsApp, but if they are not, WhatsApp is a free, easy, cross-platform application that anyone can quickly install.

By encouraging everyone with whom you communicate to use an encrypted means of communication - like WhatsApp - you greatly improve the security and privacy of your personal communications. 

Key Scrambler

 

Protect yourself against keyloggers. A keylogger is a piece of malicious software, usually called "spyware" or "malware," that records every keystroke you make on a keyboard. Keyloggers can be installed without your knowledge or consent, and once installed, the keylogger records all your keystrokes, and then e-mails the information and other data to whomever is targeting you.

 

One way to defend against keyloggers is to install software, such as Key Scrambler (Personal) from QFX Software that encrypts your keystrokes as you type. The basic version of Key Scrambler is available for free, and works well at protecting your keystrokes without slowing down your system. A short YouTube video introduces Key Scrambler. I have used Key Scrambler for a few years now, and recommend it as important security software, if you run Windows as your operating system. Key Scrambler runs on Windows 10, 8.1, 8, 7, 2003, XP, and Vista (32-bit and 64-bit).

Get Copies of Your Government Records

Do you know what records the government has about you? You are likely aware of the most common records, such as your birth certificate, driver’s license, passport, etc., but what other records are out there? Does your local police department have a file about you? Does the FBI? If you served in the military, do you know what’s in your Official Military Personnel File, and what’s in your Background Investigation Records?

The Privacy Act of 1974 (Pub.L. 93-579, 88 Stat. 1896, enacted December 31, 1974, 5 U.S.C. § 552a), a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency record-keeping requirements. Additionally, with people granted the right to review what was documented with their name, they are also able to find out if the "records have been disclosed".. and are also given the rights to make corrections.

The Freedom of Information Act (FOIA) is a United States federal law that grants the public access to information possessed by government agencies. Upon written request, U.S. government agencies are required to release information unless it falls under one of nine exemptions listed in the Act. 

Most states also have similar public records laws, allowing you to access records from state and local governments, to review records about yourself and to make corrections to those records when necessary. The Open Government Guide can help you find the laws and procedures to obtain records from your state. 

To access records under the Privacy Act or the Freedom of Information Act you need to submit a request to the agency holding those records.  The following web-sites, by way of example, provide information on requesting information from the agencies listed:

Requesting FBI Records

BATF - How to Request ATF Records

Access to Official Military Personnel Files (OMPF) for the General Public

How Can I Get a Copy of Background Investigation Records NBIB May Have On Me?

US Department of State - How to Make a Request for Personal Records

View your U.S. arrival and departure history for the past 5 years on-line

Social Security Administration Guide to FOIA

There are numerous other government agencies, and you will have to determine which ones are likely to have information about you. Even if you have had no interaction with an agency, it is still possible that you are included in that agency's records as we saw in Social Media Surveillance of U.S. Persons by the Police and Military.

If you have never requested a copy of your government records, it is worth your time to submit requests to review and if necessary correct the information the government has about you. Submit requests to Federal agencies, your state agencies (such as your state police), and county agencies (such as your sheriff's office).

Like checking your credit report annually, I believe that it is also important to use FOIA and the Privacy Act (and the equivalent laws in your state) to determine what records government agencies hold about you. At a minimum check with your state and local police departments, and county sheriff's office to determine if any records have been created about you during the year.

 

 

Creepy Tech - Google is Tracking You

On February 7, 2018, carrying two identical Android phones, with no SIM card in either of two phones and one set on Airplane Mode, Fox News Headlines 24/7 anchor Brett Larson visited several major landmarks in Washington D.C., from the Fox News bureau on North Capitol Street, to the Children's Hospital in the north, the Washington National Cathedral in the northwest and back to Capitol Hill. During that time, he was not connected to WiFi and only took photos at the cathedral. Back at the Fox News Channel bureau, Larson hooked the phones up to a device that copied the data the phones sent to Google. He found it knew exactly where he was throughout the day. "It knows when I got out of the car!" he exclaimed, examining metadata in the report.

Google uses a methodology called "Surveillance Capitalism" to capture and track your movements and habits.  Even with your phone turned off it has the ability to track your movements and transmit that data to Google as soon as it connects to the network or internet.   

Read the complete story and watch the video at Fox News.
'It Knows When I Got Out of the Car!': Tucker's Special Report on How Google's Tracking You

Turning off ‘Location Services’ provides some limited protection, but to ensure that your phone isn’t gathering data to transmit to Google the next time it connects you have to block all signals to the phone. This means removing the battery so that it has no power whatsoever, or placing your phone in a Faraday Bag so that it blocks all signals to and from your phone.

 

New York Times Confidential Tips

The New York Times is one of the leading newspapers in the United States. At least some part of its reporting comes from tips provided by confidential sources. To facilitate receiving confidential tips, the New York Times provides a number of ways to provide information to the newspaper confidentially.

Now I am not suggesting that you become a confidential source for the New York Time. Sure, if you found out that some out-of-control government employee was sitting a basement office somewhere keeping illegal files about you... well this might be a story for the New York Times. For most of us however, the reason we want to look at how the New York Times receives confidential tips is to see how one of the most powerful newspapers in the country protects its sources.

The New York Times recommends the following means of communicating with them securely:

WhatsApp - WhatsApp is a free messaging app owned by Facebook that allows full end-to-end encryption for its service. Only the sender and recipient can read messages, photos, videos, voice messages, documents and calls. Though you can limit some account information shared to Facebook, WhatsApp still keeps records of the phone numbers involved in the exchange and the users’ metadata, including timestamps on messages.

Signal - The free and open source messaging app offers end-to-end encryption to send messages, photos, video and calls. Signal retains only your phone number, when you first registered with the service and when you were last active. No metadata surrounding communications is retained. The app also allows messages to self-destruct, removing them from the recipient’s and sender’s phones (once it’s been seen) after a set amount of time. I wrote about Signal here in the blog in November 2017.

PGP Encrypted E-mail - Pretty Good Privacy (PGP) is an encryption software that allows you to send encrypted emails and documents. Mailvelope is a browser extension for Chrome and Firefox that makes it easy to use PGP. The extension will only encrypt the contents of the email you’re sending. Mailvelope will not encrypt metadata such as sender, recipient, subject or information about when the email was sent. This metadata will be available to your email provider. I strongly recommend PGP and have mentioned it in the blog here and here.

Postal Mail - Mail delivered through the postal service is another secure means of communication. The New York Times recommends that you use a public mailbox, not a post office.

Secure Drop - This encrypted submission system set up by The Times uses the Tor anonymity software to protect your identity, location and the information you send us. We do not ask for or require any identifiable information, nor do we track or log information surrounding our communication.  I previously wrote about Secure Drop here in the blog. 

Are there other means of secure and anonymous communication? Of course there are. But, if you need to set up some way of receiving information securely, the techniques recommended by the New York Times are good places to start.

I also note that the New York Times Onion Service on http://nytimes3xbfgragh.onion  is a more secure way to access the website over Tor.

A Guide for Operating in Hostile and Non-Permissive Environments

 

Military personnel deployed to a combat area, their supporting contractors overseas, government civilian employees overseas, non-government organizations (NGOs), businesses attempting to establish a foothold in developing countries, and individual travelers to remote areas of the world can all find themselves in hostile and non-permissive environments. Aircraft go down, vehicles become separated from convoys or break down in remote areas, individuals miss their scheduled transportation, or that transportation never arrives.  Sometimes missions fail and when they fail you may find yourself alone and isolated in a remote and hostile area.

The Guide for Military Personnel Isolated from U.S. Control makes the following recommendations for personnel operating in hostile and non-permissive environments:

1. Follow all local force protection guidance to avoid hazardous situations.

2. Develop a plan to communicate, flee, and fight, if necessary. Holding out for a short span of time may make the difference in being taken prisoner or not.

3. Develop a plan of action with several backup plans before departing a secure area.

4. Be familiar with the route and map --study it in detail.

5. Ensure vehicles are reliable and have all necessary emergency equipment.

6. Study the local norms and be alert to situations and changes in behaviors of the locals that may signal that something bad is about to happen --clear the area.

7. Have a "grab and go" kit. It should include a communications device (cell phone or radio), water, basic first aid kit, etc. Consider including local clothing to assist in any necessary improvised disguise. A weapon with extra ammunition may be appropriate if local conditions permit lawful possession.

8. Have personal affairs in order, and prepare family members for the potential of isolation.

9. Develop the will to survive and resist. Mental preparation is invaluable, and demonstrating a strong will can help overcome seemingly overwhelming obstacles.

In addition, in expeditionary locations, work with local military officials to:

1. Develop an emergency communications plan that provides connectivity to military or governmental support units. Include potential emergency contact ground-to-air signals. Ensure all personnel know how to implement the plan.

2. Maintain situational awareness: blocked streets or someone trying to direct traffic down a side street could be a funneling effort for an ambush or toward an improvised explosive device.

Evasion. Successfully evading capture by hostile forces depends upon personal preparation, planning for the contingency, and to some degree, fortunate circumstances or luck. Attention to detail when preparing an emergency action plan, complete familiarity with communications devices and emergency procedures, and knowledge of personal survival kit items, indigenous personnel, and regional knowledge (flora, fauna, topography, climate, etc.) will aid in successful evasion. Isolated persons should carefully consider contact with indigenous people. The United States is currently operating in areas where there is strong potential for mixed attitudes towards foreigners, especially Americans. There may be a high-risk of indigenous persons responding negatively or even violently, and your presence may result in personal danger to them regardless of their sympathies. Areas controlled by insurgents and illegally armed groups or criminals, locations of mob activity, roads, railroads, trails, rivers, border crossings, and heavily populated areas are normally considered high-threat evasion environments. Individuals must take great care to prevent exposure or capture. As a first move, isolated persons should attempt to establish contact with friendly forces, break visual contact with hostile elements, and move to a secure hiding site. If in a damaged vehicle, move away for as long and as far as possible. If forced to abandon the vehicle, the isolated person should move fast and change directions frequently. When possible, the isolated person should evaluate the immediate situation and again establish communication with friendly forces. Only after careful consideration of their situation should they attempt to evade to an area to initiate recovery. Isolated persons should treat all travel as evasion.

Emergency Contact Signaling. If isolated, individuals should consider improvising a ground-to-air signal. Standard survival manuals describe effective ground-to-air signals being geometric patterns, such as triangles, straight lines, circles, and Xs. Signals should be as large as possible and made of material that contrasts with the background to improve their visibility by rescue forces. As stated above, the isolated person should annotate their pre-mission emergency plan with the shape or type of signal they plan on using.

Imminent Capture. If faced with imminent capture by hostile forces, personnel must assess their options and take action quickly. Initial contact may be the most dangerous and unpredictable of situations. The adversary will likely use as much force as deemed necessary to gain complete control. If hostile contact is unavoidable, offensive driving may be the best or only option to break contact --plan not to stop when under attack. Even a partially disabled vehicle allows for leaving the kill zone and movement to a more defensible position. Personnel should hide, destroy, or neutralize all equipment and information having intelligence and/or military value. Consume any water and food available. If given no opportunity for evasion or escape, personnel should attempt to contact friendly forces, transmit a distress signal, or even leave a note at the scene before capture to verify or validate their status. Isolated persons should let friendly forces know they are facing imminent capture, as it improves potential for rescue or initiates a response by a recovery team. It also facilitates accountability and allows the United States to fight for their release by name. If captured, the individual should remain calm and follow directions while remaining alert for escape opportunities. Captives should consider and plan for escape at all times and realize the best opportunity for escape is usually in the very early stages of captivity during initial capture and movement.

Escape. Escape is a fundamental survival and resistance tool. Escape is risky, especially under hostage conditions but may become necessary if conditions deteriorate to the point that the risks associated with escape are less than the risks of remaining a captive, including credible threats of torture and death. Certain extremist groups are now more willing to execute hostages than hold them for ransom or exploitation. Captives are in the best position to determine if escape offers the best chance for survival. They should think about escape and remain alert for opportunities at all times. Captives should begin planning for escape before and immediately after capture. They must not take escape lightly; and deciding when to escape can be very difficult. In a group situation, captives should attempt to communicate with others to evaluate and assist with escape possibilities. They should base any decision to escape on a careful consideration of the unique circumstances of the situation. Escape planning includes an assessment of the captors' security, the conditions of captivity, the risk of retaliation if recaptured, and the impact of an escape on captives remaining behind.

A copy of Air Force Handbook 10-644 (652 pages), "Survival Evasion Resistance Escape (SERE) Operations" (27 March 2017) is available here: https://fas.org/irp/doddir/usaf/afh10-644.pdf

Multi-Service Tactics, Techniques, and Procedures for Survival, Evasion and Recovery (March 2007) https://fas.org/irp/doddir/army/fm3-50-3.pdf is also worth studying.

The Federal Aviation Administration has posted Aircrew Survival Videos to provide information to pilots and air crew on how to survive following a crash or disabled aircraft:

• Cold Land Survival (20:42 min)
• Hot Land Survival (24:26 min)
• Survival Kits: Rafts & Accessories (15:13)
• Survival Medicine (23:14 min)
• Surviving on Open Water (25:22 min)
• Survival Signaling (15:52 min)
• The Will To Survive (17:44 min)
• Tropical Survival (11:31 min)

The 'Serving Abroad for Families and Employees (SAFE)' course (5 hours) is designed by the US Department of State and provides guidance on security practices while working overseas. There is a tuition rate to take this course through the State Department, but it is available for free on JKO (for those personnel with a DOD CAC). The course consists of the following ten modules:

• Safety Module
• Security Module
• Crisis Management Module
• Evacuation Module
• Sexual Assault Module
• Counterintelligence Module
• Hostage Survival Module
• Radio Communication Module
• Weapons of Mass Destruction Module
• Improvise Explosive Device Module

Level A SERE Education and Training in Support of the Code of Conduct (FOUO) - (4 hours) is also available for those with access to JKO (J3T A-US1329-SERE 100.2).
 

The more security education you have, the greater your ability to recognize threats and employ countermeasures to mitigate those threats. However just having education, knowledge, or awareness of a particular topic will not protect you from threats - you must actually employ security techniques and integrate those techniques into the routine of your daily life.  

Social Media Surveillance of U.S. Persons by the Police and Military



According to a February 2018 report by the American Civil Liberties Union (ACLU) of Massachusetts "the Boston Police Department (BPD) used a social media surveillance system to conduct online surveillance over three years, explicitly targeting users’ First Amendment protected speech and association... the BPD - using a social media surveillance system called Geofeedia - collected thousands of social media posts about political and social activism, current events, religious issues, and personal matters from January 2014 through May 2016." The documents provide no indication that the social media surveillance conducted using Geofeedia’s automated monitoring service was ever instrumental in preempting terrorism or other violence.

But social media monitoring by law enforcement is nothing new. We can travel from Boston to Seattle and see How the Seattle Police Secretly -and Illegally- Purchased a Tool for Tracking Your Social Media Posts. According to an article in 'The Stranger' "the Seattle Police Department headquarters on Third Avenue acquired the ability to watch your social media posts in real time, using software that can place those posts on a digital map. This tracking software, which the SPD purchased in October 2014 from a CIA-funded company called Geofeedia, is designed to tell officers where you posted from and what you said. It can also show hundreds of other tweets, Instagrams, and other social media posts from anyone else in the vicinity, and then file all of that information into one big database."

It’s not just law enforcement agencies that are tracking your social media posts. In March 2017, Indy Bay News reported The CIA May Be Able to Hack You... but JBLM is Monitoring Everything You Do. According to the article “In the summer 2016 we found that the Joint Base Lewis-McChord Force Protection Division was gathering information from the social media accounts of Black Lives Matters participants, and later that year, and into 2017, collecting information about people who supported Seattle Council member Sawant’s initiatives for a better Seattle.” And... “according to a November 2015 article in Bloomberg, the Naval Criminal Investigative Service used special software to spy on every computer in Washington state, regardless of whether those computers were owned by a member of the armed forces, or not.”

Military Intelligence personnel, and other government employees performing intelligence activities, must comply with Intelligence Oversight regulations.  One activity that is considered “questionable” and should be reported is “Collecting information on U.S. persons, even through open source, when it is not part of the unit's mission.”

In the vast majority of cases it will NOT be part of a unit's mission to collect open source information about U.S. Persons. It is virtually certain that the G-2 (G-2 refers to the military intelligence staff of a unit in the United States Army) at your locally military installation, the installation's anti-terrorism / force protection office, and personnel in the local security office have no mission or lawful authority to collect open source information about U.S. Persons.

The Department of Defense (DOD) recognizes that the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; and that the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information. (DCMA Privacy & Civil Liberties Office).

DOD policy prohibits collecting, reporting, processing, or storing information on individuals or organizations not affiliated with the Department of Defense, except in those limited circumstances where such information is essential to the accomplishment of the DOD mission.

DOD will not maintain information on how an individual exercises rights protected by the First Amendment to the Constitution of the United States, including the freedoms of speech, assembly, press, and religion...

No information shall be acquired about a person or organization solely because of lawful advocacy of measures in opposition to Government policy. (DoDD 5200.27)

Simply put, if an employee of the DOD is collecting information about you, without your knowledge or consent, and you are a U.S. Person, it is almost certain that that collection is in violation of DOD regulations and Federal law.

But this prohibition on collection of information doesn't just apply to the DOD. Other Federal agencies have similar policies prohibiting the unwarranted collection of information about American citizens.

The U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance lists as prohibited conduct:

• Investigating and collecting, maintaining, using, or sharing information regarding persons or groups solely because they are involved in constitutionally protected activity.
• Collecting, maintaining, using, or sharing information without evaluating its reliability and validity (i.e. copied and reported as found without evaluation and analysis). 
• Collecting, maintaining, using, or sharing information (such as names) in political petitions, mailing lists, organizational memberships, or writings espousing a particular view that is protected by the First Amendment.

Now you may ask, what's the problem with the police, or even the military, looking at open source (public) information, even if that information is about U.S. Persons? It's not like they have secret files about you hidden away on some government computer network, or are collecting this information and posting it to intelligence databases. Oh, wait... Yes they do, and yes they are! And... as we have seen your privacy "is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies."

The Berkeley Technology Law Journal and the Internet Policy Review Journal has concluded that government online surveillance has a chilling effect on 1st Amendment rights of free expression. "With internet regulation and censorship on the rise, states increasingly engaging in online surveillance, and state cyber-policing capabilities rapidly evolving globally, concerns about regulatory "chilling effects" online - the idea that laws, regulations, or state surveillance can deter people from exercising their freedoms or engaging in legal activities on the internet have taken on greater urgency and public importance."

 

What Can You Do To Protect Yourself?

Unfortunately, this is a very difficult question to answer? You may, of course, choose not to use social media, or to keep your posts restricted and viewable by only your close circle of friends and family. But, with either of these choices we see the "chilling effects" of government surveillance as you limit your public expression for fear of ending up in police or intelligence databases, or being tracked in some secret government file.

Now, the government can't easily track what it can't see, so there may be advantages to using on-line sites and services that protect your privacy. Regardless of your view on government social media surveillance, it is important that you always take precautions to safeguard your on-line communications and protect your personal privacy. Many such techniques are discussed here in my blog, Chesbro-on-Security, but my commentary on the topic is by no means exhaustive or necessarily the best for your particular circumstances.

Most importantly, if you find that some government employee, office, or agency is engaging in questionable surveillance, collection, and dissemination of information - Report It! Contact the agency head where the violations are occurring and request that they investigate and stop the questionable activity. Report it to the Office of the Inspector General (IG) for the agency involved in the questionable activity. Ask that the IG investigate and take appropriate corrective action. If you find that the agency is unresponsive, consider seeking legal assistance from organizations such as the ACLU and the EFF. As with the articles above, you may disclose government misconduct to the press and see if news agencies will investigate and report on the questionable activity. While you may fear retaliation from government agencies for reporting their misconduct, remember that you have some security provided by the Whistleblower Protection Act, or you may choose to submit your information to major news agencies anonymously using programs like Secure Drop.