The Council of the European Union adopted a directive on the protection of persons who report breaches of the law, i.e., the Whistleblower Protection Directive.
The Whistleblower Protection Directive became effective in 2019. It obligates organizations to better protect whistleblowers from reprisals, such as dismissal, intimidation, or transfer. It also seeks to establish an internal procedure that specifies the appointment of a whistleblowing and follow-up unit and indicates the method of submitting reports (e.g., via an electronic channel) or the obligation to provide understandable and easily accessible information on the submission of external reports.
The Whistleblower Protection Directive applies to any organization, either private or public. In the U.S., a person who exposes any kind of information or activity that is illegal, unethical, or not correct within an organization, is protected by the Whistleblower Protection Act of 1989.
According to the 2020 survey conducted by Ernst & Young “Global Business Integrity Survey,” the main reasons why employees do not report irregularities in their organizations are: 39% fear of further career development, 50% belief that reporting suspicions will not trigger a reaction, 39% fear for their own safety and 29% feel pressure from management not to report.
Organizations should take steps to ensure that reporting of irregularities takes place — which, as can be seen, will only occur when appropriate procedures and technological measures are designed to provide employees with a secure, encrypted, and anonymous communication channel.
It is also worth ensuring the confidentiality of the reports’ content as disclosures may have specific consequences for the concerned organization. One can imagine a situation that information about irregularities (or more likely suspicions) will reach the competition that may want to discredit such organization.
Such harm can manifest itself in social or in traditional media. The information itself can be used as interesting by the news outlets, which will not necessarily check and explain the matter thoroughly. Thus, for the organization affected by the irregularities, the leakage of information about reports may mean loss of credibility among contractors, loss of customers, and, as a consequence, a decrease in revenues, image problems and tensions within the organization.
When deciding to choose a specific method of receiving reports from whistleblowers, remember that companies are required by law to maintain the confidentiality of the reporting person and person/persons mentioned in the report. Such companies are also bound by the provisions of the GDPR. How to ensure the confidentiality of notifications and any attachments in a safe and simple way? It is worth looking at technological solutions that allow you to maintain the confidentiality of notifications and manage them (NO access for the solution provider / producer!).
The methods implemented in the Polish solution of Sygnanet are described below, guaranteeing the exemplary level of security of applications and protection against unauthorized access.
Encryption of the report should be performed on the whistleblower’s device, i.e., it is only open there, where it was created. In encrypted form, it should be transferred to the server. The only person who has the right to download the declaration should be the authorized recipient only on his computer, where the declaration is decrypted. An open whistleblower declaration is visible only to the person for whom it was intended.
The owner of the reporting management and transmission system should not have access to the content of the reports sent by whistleblowers or to the content of any attachments added by whistleblowers to their reports. All reports and tags should be encrypted locally, on the whistleblower’s device, not on the tool provider’s server.
The whistleblower should be able to correspond with the recipient of the reports via the whistleblower’s inbox. The login and password are determined at the time of sending the application, each whistleblower receives an individual login and password that apply only to this single application. The server does not store passwords, but the result of the one-way function on the applicable password’s content. This means that the server can check if the password is correct without knowing the password itself.
The software provider should not have access to the reports’ content and attachments sent by whistleblowers to authorize recipients. This also applies to the passwords used to log into the system and decrypt the reports. As in the case of the whistleblower’s password, the server should not store the passwords, but the result of the one-way function on the applicable password’s content (the so-called password hash).
All reports in the system — only received, during the procedure and completed cases should be stored in the system in an encrypted form and only a person with a password may have access to them.
The system should provide different authorizations for different authorized persons for different operations. This means that a given user may only have access to certain activities (for example, he cannot manage the entire system) or that he has access only to selected tickets. This is another utility that protects the reports’ content and attachments from unauthorized access.
It is also important that it is not enough to log into the system to process reports — each report that the recipient wants to have access to must be additionally decrypted with such recipient’s password.
To ensure the security of the reports’ content and attachments, the encryption and decryption process is based on asymmetric methods using the RSA algorithm. The RSA encryption algorithm consists of three parts: key generation, encryption, and decryption. In the first stage, a pair of keys is created — private and public. The public key is used to encrypt files and the private key is used to decrypt them. To sum up — asymmetric encryption means that anyone who comes into possession of a public key can encrypt any file or directory with it, but only one person who knows the private key can decrypt such message. It’s like having a latch door — anyone can lock it, but only the person with the key will enter.
In typical online encryption solutions, the unencrypted file is transferred to the server and then encrypted there. It is not uncommon for the marketing message to say that this is a secure process because the link is encrypted — but that is a simplistic and misleading statement.
The file with the explicit content of the notification is safely transferred to the server, where a new encrypted file is created on its basis and stored. It is worth asking several questions: what happens to the file transferred from the sender? How can you be sure it has been deleted? What is the guarantee that the site administrator or malware will not find it? This situation arises when the file is decrypted and transferred to the recipient. What happens to the decrypted file remaining on the server after it has been delivered to the recipient? Does the content of the reports really remain confidential on such a server?
In a well-designed and implemented tool for accepting reports, encryption is performed on the whistleblower’s computer, i.e., only there is it explicit, where it was created. It is sent to the server in an encrypted form. The authorized recipient downloads reports to his computer and decrypts them there. That is, in an open form, it is visible only to the person for whom it was intended.
Ensuring anonymity for whistleblowers is a must because without it many irregularities will simply never be reported. Ensuring the confidentiality of reports is in the interest of the organization, as leakage of the reports’ content may have serious consequences, including bankruptcy of the company. It is worth paying attention to the cryptographic methods and algorithms used by solution producers so that the technology used in the created tools guarantees full protection of people and information.
Author: Przemysław Kucharzewski
About Przemek Kucharzewski
Przemek is a co-founder and VP of Sales at Cypherdog Security Inc., a vendor of solutions for encrypted communication. Przemek has 26 years of experience in building sales channels, marketing, and commercialization of IT solutions. In recent years, he has been focusing on cybersecurity and cloud solutions. Earlier in his career, he mainly worked for the largest IT distributors in the CEE region. He also worked as Interim Manager for IT system integrators and vendors in advanced solutions selling. He is the author of many articles in the IT & business media, speaker, lecturer, and podcaster.