This is a surprisingly common situation.
It’s also surprisingly easy to get caught, even if you do take steps to stay hidden.
I’ll review some of the approaches and some of the risks.
Become a Patron of Ask Leo! and go ad-free!
Sending an anonymous email
You’ve got a classic whistleblower problem. You’re someone working in an organization who needs to safely, securely — and most important of all, anonymously — inform someone about a problem at that organization. If you’re found out as the source, you run the risk of retribution, termination, or worse.
Clearly, you should not do this from a computer at work.
Regardless of what “anonymizing” technologies you use, it’s likely your activity can still be traced. The organization could have many different technologies in place, including but not limited to spyware, that allows them to identify which computer was used to send an email, and potentially even who was at the computer at the time.
Your home is not anonymous
You should not use your personal email — that much is also clear.
In fact, you shouldn’t do this from your home computer at all.
While email messages don’t typically include the IP address of their origination, there’s enough information in the email headers you don’t normally see to allow the email to be traced to the location it came from.
It’s not always easy, might require your ISP, and in some cases requires law enforcement to get involved, but it’s possible that any email sent from your home could be traced. So what to do?
Hiding your email address
Probably the easiest thing to do is to hide your email address.
The right way to solve the problem is to set up a brand-new free email account, using Gmail, Outlook.com, or other popular free services. An interesting option might be ProtonMail, billed as “secure email based in Switzerland”. Encryption is baked into ProtonMail, and being located in Switzerland makes some of the legal approaches to discovering who you are more difficult.
When you set up the account, use completely bogus information. Use none of your personal information; make sure the name is fake, the recovery information is fake, everything associated with that account is fake.
Home is where the danger lives
Once again, don’t set it up from home, because your home IP address could be associated with the account. That could be allow you to be discovered, particularly if law enforcement is involved.
Go to a library, or any place not your home or company that has a public computer you can use without identifying yourself. Set up the account and send your email from there.
There’s still no guarantee
There’s still risk. All we’ve really done is stack the deck in favor of not being discovered.
For example, if you use a public computer at a library, it’s conceivable there are security cameras that record your presence. If they can tell your message was sent at 10:30 a.m. on Tuesday, they could go back and look at security cameras to see you sitting at the computer.
But the bottom line remains:
- Use a different computer.
- Use a different account.
- Make sure all the account information is fake.
That’s the best you can do.
Will the email be seen?
My assumption is that the content of your message will make it clear you have something legitimate to say.
However, it’s important to understand that they may not pay attention at all. They may get these all the time and ignore them out of hand, or they may assume if you’re not willing to be identified, you lack legitimacy. There are many, many reasons your anonymous note may not have its intended effect.
What about a letter?
My honest recommendation? Send a letter. A physical, put-it-in-the-mail, anonymous letter.1
This bypasses all the technology that could be used to thwart your attempts to communicate or be used to trace back to you.
It’s also possible a physical letter might get more attention and stand a better chance of achieving the desired results.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!