Do you have confidential information for Reporters United?

Send it to greekleaks.

What is greekleaks?

The first open whistleblower submission platform in Greece.

Greekleaks is an online platform that allows citizens to send messages, information and/or material (documents, videos, audio recordings, photos, etc.), anonymously and securely to Reporters United.

Greekleaks was created by Reporters United in cooperation with the Open Technologies Alliance (GFOSS).

Among other ways of communicating with whistleblowers, greekleaks uses the SecureDrop whistleblower submission system, adhering to the protocol of the Freedom of the Press Foundation (FPF) that currently manages SecureDrop.

Four ways to use greekleaks

Choose the most appropriate way to send your message to greekleaks.

Choosing the best way to send your message with greekleaks depends on several factors: how confident you are with technology; the type and volume of information you want to convey; and the nature of the person/entity who may have an interest in preventing the information from becoming public.

Below are four different ways you can use greekleaks to communicate with journalists from the Reporters United network. We are committed to doing all we can to ensure that the information you share with greekleaks remains uncompromised, and to help you to choose the communication channel that is most appropriate for you. In order to communicate securely and anonymously, you must follow these guidelines carefully.

mail icon

Although it may seem outdated, sending mail through the post office is considered secure. The only limitation is the amount of information you can send. Of course, as an alternative to paper documents, you can put a data storage device (i.e., a USB drive) in an envelope.

Through the post office you can send your mail to greekleaks at the following address:

P.O. BOX 13606
Syntagma – Athens, 10563 – Greece
What to look out for

If you choose to communicate by traditional mail, here are some additional precautions you can take:

  • It would be best to not send your mail as registered mail, as this process would require you to give personal information to the Post Service.
  • Post your message from a public mailbox rather than the post office.
  • If you are able to, use a prepaid envelope.
  • Do not write the sender's name or address on the envelope. If you want us to have your contact details, provide them inside the envelope, or provide a telephone number so that we can contact you using the secure Signal application.
  • If you want to contact a particular reporter from the Reporters United network, you can note their name on or inside the envelope.
  • In case you are printing files to send to greekleaks, be careful with the printer you choose to use. Be aware that paper documents may reveal traces about the origin of a document, through the so-called printer tracking dots.
SecureDrop logo

SecureDrop is the most secure way to share your information with us, but it does require a certain level of familiarity with technology.

It is an open-source whistleblower submission system that allows to share securely and anonymously information of public interest with Reporters United. It was created by Freedom of the Press Foundation, where Edward Snowden is a member of the Board of Directors. SecureDrop is used by some of the world's leading news organizations and investigative journalism platforms (such as the New York Times, The Guardian, and Mediapart).

Reporters United is the first and only organization in Greece to install SecureDrop, in strict accordance with the protocol provided by the Freedom of the Press Foundation (FPF). After careful review, FPF included Reporters United in the global directory of media organizations that have active SecureDrop instances.

Through SecureDrop's servers, anyone can securely send messages, information and/or files without the recipient (in this case Reporters United) knowing the identity of the sender or details such as IP address and location. SecureDrop instead assigns a unique "code name" to the sender. The only information provided to the recipient is the date and time the message was sent, while the message itself is encrypted with GPG (GNU Privacy Guard).

A prerequisite to use SecureDrop is accessing it over the Tor network, and from a computer to which only the user has exclusive access (for example, not an employer-provided device). All information is transferred encrypted through the Tor software that guarantees the user's anonymity. For additional security, all submissions we receive are decrypted on a device that is isolated from both the internet and our internal networks ("air-gapped").

How to use SecureDrop
  1. Download and install software to access the Tor network: https://www.torproject.org (Tor software guarantees user anonymity).
  2. Open the Tor browser, select "connect to Tor" and wait until you are connected.
  3. Once connected, please copy and paste one of the following "onion link" addresses to Reporters United's SecureDrop instance:
    greekleaks.securedrop.tor.onion
    jatasaqcoe7lqdpcyxo7vl3e5tdvl5jgmtadfat77i25qdj6z6a4ulad.onion
  4. From there, follow the instructions (which are also available in Greek) to connect to Reporters United's SecureDrop. If you are logging in for the first time, select "First Submission" and write down the code name assigned to you. Keep this code name safe and don't share it with anyone. You will be able to use this code name if you want to log back in and send another message or view our response. This way, the recipient journalist will know that the message was sent by the same sender, but will still not know your identity.
  5. If you are returning to Reporters United's SecureDrop, select "Return Visit" and enter the code name you received on your first visit.
  6. You can now securely send us your message or any file of up to 500MB. Your data is encrypted by the software and will be securely decrypted by trained members of the Reporters United team. If our team wants to contact you about the information you have submitted, they will leave a message for you in SecureDrop. The messages can only be accessed using your code name, so it's important you keep that secure from the start.
  7. Reporters United will decrypt and read each message offline. All messages and files submitted via SecureDrop will be deleted from the server at regular intervals.
  8. We recommend that you also delete any replies you receive from greekleaks once they have been read.
For even greater security
  • To protect your anonymity when using SecureDrop, it is essential that you do not use a network or device that can easily be traced back to your real identity. Instead, use public wifi networks and devices you control. This means, you should not access SecureDrop on your employer's network, and/or using your employer's hardware, or your home network. It is best to access SecureDrop through a network not associated with you, like the wifi at a library or cafe.
  • Keep in mind that the files you send us may also have metadata that may reveal information about the origin of the files.
  • Ensure that your computer is free of viruses and malware, as these may compromise SecureDrop's communication security.
  • Similarly, if a third party has gained access to your computer, using SecureDrop will not ensure your security.
  • Do not use the onion link in any browser other than Tor. It will not work, and it will leave an electronic trail behind.
  • For even more security, you can use an alternate operating system like Tails, which boots from a USB drive and erases your activity at the end of every session. You can scrub metadata from some files prior to submission using the Metadata Anonymization Toolkit featured in Tails.
  • Finally, keep in mind that like any software, SecureDrop can experience problems, and no one can ever guarantee 100% secure transmissions. However, our team is committed to constantly testing and updating the software to ensure the system is running smoothly.
Signal logo

Signal is a very simple communication platform, through which you can talk, send messages (chat) and attach files.

It features advanced, end-to-end encryption. Unlike apps developed by large tech companies, Signal comes from an independent, non-profit organisation and uses open source code, a practice that increases the security of communications. Edward Snowden has repeatedly praised Signal and the security it provides, saying, "I use it every day and I'm not dead yet."

Unlike WhatsApp and Viber, Signal is committed to not retain the metadata of communications.

You can contact Reporters United by sending a message to the greekleaks Signal number: +30 6981 968309

How to use Signal
  1. Download the app on your Android or iPhone.
  2. Connect Signal to your phone number.
  3. Save greekleaks signal number on your device and send a message.
  4. In case you don't wish to share your phone number with greekleaks, make sure that in the "Phone Number" option in the Privacy Settings, you have selected that others cannot see your number.
  5. To secure more anonymity, you can choose a pseudonym as your username within the app. Keep in mind that this will change the username for all your chats in Signal.
  6. For additional security, you can enable the "disappearing messages" feature available in Signal, which automatically deletes messages after a user-defined period of time.
  7. Warning: Signal promises that your messages or speech will be transmitted securely, but that doesn't protect them if someone gains access to your phone. Here are some additional tips to protect your phone.
PGP logo

Sending an email to greekleaks (greekleaks@proton.me) can be done with a significant degree of security when done with PGP encryption.

PGP stands for "Pretty Good Privacy". It is to date the most secure system for encrypting electronic mail, allowing files and messages to be exchanged while preventing the telecommunications provider from accessing the content of the email, and thus ensuring the confidentiality of the communication.

PGP is based on the commonly accepted encryption technology "public key cryptography", which requires the use of a public/private key pair to conduct secure communications. According to this method, the user must encrypt their message using the recipient's public key. The recipient in turn can decrypt the message using only their private key. In the event that the sender or the recipient does not know their respective key, the procedure fails.

If implemented correctly, however, the PGP method encrypts the contents of messages during transmission in such a way that no one except the sender and the recipient are able to see them.

PGP via Protonmail
  1. ProtonMail is a secure email service which provides the ability to send end-to-end PGP encrypted emails between its users. The technology is built into the email sending/receiving system, so ProtonMail users don't need to do anything else to encrypt their email. This is the easiest method to communicate securely with Reporters United for those who are not particularly confident with technology.
  2. If you don't have a Protonmail email account, it is easy to create one. Then send your email from there to greekleaks@proton.me.
  3. Do not fill in the "Subject" field in the email. Although the content of the email is secure when using PGP, the email provider still has access to the metadata of the communication, i.e., the address of the sender and recipient, the subject of the message and the date of sending.
  4. For even greater security you can use ProtonMail over the Tor network.
PGP emails through other applications

The second way of securing emails via PGP is through a PGP application such as Mailvelope, which can also be used as an extension to your browser, depending on whether you use Mozilla Firefox, Google Chrome or Microsoft Edge.

  1. To use Mailvelope, you will need to follow the installation instructions.
  2. Once you have generated your PGP public key, send an email with it to greekleaks. Be careful not to send us your private key, which is unique to you and is used to decrypt messages encrypted with your public key.
  3. You can download the greekleaks public PGP key here, and use it to email us via Mailvelope.
  4. If you want to contact a specific reporter in the Reporters United team directly, use the PGP public key posted next to their name.

FAQ

What is greekleaks?

Greekleaks is the first open platform for whistleblowers in Greece: it consists of an online platform that allows citizens, through the open source SecureDrop system to anonymously and securely transmit messages and files (documents, videos, audio, photos, etc.), and it also offers other secure communication options via more "conventional" methods, such as the greekleaks P.O. box, sending a message to the Reporters United Signal number or sending an encrypted PGP email to our team.

How are greekleaks, Reporters United and GFOSS connected?

Greekleaks is the product of a collaboration between Reporters United and the Open Technologies Alliance (GFOSS). Regarding the technical aspects, Reporters United developed the greekleaks website in collaboration with the Open Technologies Alliance (GFOSS), and installed SecureDrop adhering strictly to the protocol of the San-Francisco based Freedom of the Press Foundation (FPF).

Journalists, developers and lawyers were involved in the development of greekleaks, with the support of GFOSS that carried out an external evaluation of the project.

Why did you create it?

Because, despite the fact that such platforms are widely used by the biggest media outlets in the world, there was still no platform in Greece allowing whistleblowers to securely share information with journalists. In modern journalism the role of whistleblowers (persons who, because of their position, come to know and want to reveal information about incidents of abuse of power in the public and private sector) and leaks is extremely important, as has been shown in recent large international stories such as the Panama Papers and the Football Leaks, as well as Greek stories (e.g., the Lagarde list revelations and the wiretapping scandal).

Through greekleaks we aim to provide a secure way for potential whistleblowers to leak information about wrongdoing in matters of public interest. More generally, and in cooperation with other bodies in Greece and abroad, we aim to stimulate public debate in Greece around the issue of whistleblowers, journalistic ethics in dealing with leaks and the legal protection of sources.

How come you're the first? Why has no one else created something similar?

We can only speculate. Others may not know that this technology exists, or it may appear overly complicated. Or perhaps it is simply a matter of differing priorities. It could also be down to a fear of receiving material that may come into conflict with the political and business relationships that many media outlets are dependent on.

Is communication via SecureDrop 100% secure?

SecureDrop is to date considered unbreakable, but no one can guarantee 100% security. Its own FAQs states: "While we can't guarantee 100% security (no organisation or product can), the goal of SecureDrop is to create a significantly more secure environment for sources to share information than exists through normal digital channels. Of course, there are always risks. That said, each release of SecureDrop with major architectural changes goes through a security audit by a reputable third party security firm."

We must remind you that regardless of your level of familiarity with the technology, it is important to follow the guidelines carefully to achieve secure communication.

We are committed to doing all we can to ensure that the information you share with greekleaks is not compromised in any way.

Is it possible for the whistleblower to contact a specific journalist from Reporters United?

Of course. Whichever way you choose to communicate with us, you may address your message specifically to any journalist on our team. The message will immediately be delivered to them.

Where is SecureDrop installed? Can someone gain physical access to it, compromising the confidentiality of the whistleblower's identity and any information shared?

We cannot disclose the location where SecureDrop is installed. However, even if someone - whether a burglar or a prosecutor - were to gain access to the computers used to operate it, they would not have any access to the data. This is because the messages and their attachments are encrypted, and only accredited users of the system have access to the decryption key.

Do you publish everything you receive? How do you decide what to publish and what not to publish?

Of course not. Reporters United is committed to the "The Perugia Principles for Journalists Working with Whistleblowers in the Digital Age." This document was created during the International Festival of Journalism in Perugia, Italy in April 2018, as the result of a collaboration between 20 journalists and experts from around the world, and was subsequently enhanced by consultation with the wider investigative journalism community, lawyers and academics.

Reporters United and the journalists who make up its community are committed to following the Perugia Principles as a code of conduct for working with whistleblowers, focusing on the protection of sources, but also on the general journalistic management of leaks in the context of the greekleaks platform.

Where will you publish?

On the Reporters United website, always in Greek, often in English. We also occasionally collaborate with other media outlets, in Greece and abroad.

Who is funding greekleaks?

Greekleaks is a project fully self-funded by Reporters United.

What is the legal framework in Greece regarding whistleblowers?

In November 2022, Law 4990/2022 on the "Protection of persons who report breaches of EU law" was passed by the Greek parliament, implementing EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 (L 305). This law constitutes the first framework legally protecting whistleblowers, or individuals who leak information about violations of EU law in the public or private sector, in Greece. However, despite this introduction of safeguards to prevent prosecution or retaliation against these public interest whistleblowers, concerns persist that the current legal framework does not do enough to protect whistleblowers.

In November 2020, Reporters United, in collaboration with Transparency International Greece, Vouliwatch and 16 other organizations launched the #Speak-out initiative. As part of this project, we sent a letter to the Prime Minister, urging that a strong, inclusive, progressive and modern institutional framework be created for the protection of whistleblowers. Whistleblowing has proven a powerful tool in preventing and combating actions that undermine the public interest. Unfortunately, the Greek government chose to leave whistleblowers unprotected by delaying the transposition of the European directive for two whole years. Even today, following the adoption of the bill, the implementation of the legislation needs careful monitoring.

What would happen if the authorities intervened and demanded access to data or even confiscated the SecureDrop system?

Even in the worst case scenario, that SecureDrop was seized by the authorities, there would be no trace of the messages or files we have received on the system (see above for more on this). If we were formally asked for information about the identity of a source, we would not be able to answer, because thanks to the way SecureDrop works, we would not know the identity of the source unless the source has chosen to disclose it to us. In any case, we pledge that we will not give the authorities any information about either our sources or the information they have chosen to share with greekleaks.

We are a media outlet/non-profit organization interested in using your platform. Can this be done?

Reporters United did not build greekleaks to monopolize its use. If any media outlet or non-profit organization is interested in setting up such a platform, or in making use of SecureDrop, we would be happy to assist.

The configuration and code of this site is also available on our GitHub page.