Error Detection Week — Tuesday
So, You Want To Blow The Whistle
I get a few emails from people in the following basic structure:
“Dear Weirdo,
I have found a great big problem in the work of XYZ. It has the following features ABC. This is obviously very serious, and I want to tell people, but I am also concerned about getting involved. Researcher DEF is well-known and I am just a 23-year-old grad student who lives in a tree.
What do I do now?
Yours,
Concerned in Connecticut”
My answer is usually ‘that isn’t going anywhere’, as in, the problem that you’ve found can’t really be investigated any further due to the nature of the issues involved. Generally, this falls under the heading of Hilgard’s Lament:
Basically, Hilgard’s Lament says ‘I have found a result I think is unhinged or impossible or unbelievable, but I cannot prove there is anything NECESSARILY wrong with it.’
Sometimes, my answer has been ‘let me handle it’.
However.
Recently, I’ve been considering replying with a different approach, which is: release the information anonymously, in public, by yourself.
Publicly, because you almost certainly do not want the fuss of going behind the scenes and trying to get your concerns heard the old-fashioned way. It is very hard to get journal editors et al. to take anonymous complaints seriously. By all means try, but bear in mind how you’ll come across — anonymous communications of problems smack of retaliation and hint at some kind of fractious interpersonal history, even if there isn’t one. Letting people make up their own minds is infinitely easier.
Anonymously, well, for a lot of reasons. Fear of retaliation, friction at work, potential legal action, annoying the government, or just the simple desire for privacy are all good reasons not to be identifiable online. So is the fact that you might have found problems which are very definitely in the public interest to disclose, but you have agreed implicitly or explicitly not to do so.
It is pretty rational not to want to get involved in formal academic investigations, which have all the drudgery of being a 12th Century peasant, and potentially the same hygiene. It is much easier to call attention to the problem and walk away, especially if it’s serious enough to make other people pay attention.
So, here are some general principles and resources that will allow you to be extraordinarily, luminously, brutally anonymous.
[1] Tor Browser. Use it.
If you’re one of the last people on the planet who doesn’t know what Tor is, it’s a secure browser that uses distributed traffic to hide your online identity.
Using Tor protects you against a common form of Internet surveillance known as “traffic analysis.” Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you’re travelling abroad and you connect to your employer’s computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.
You can get it here.
[2] ProtonMail. Get one.
ProtonMail is a free email service offering end-to-end encryption. Also, they are based in Switzerland, not the USA/EU, and are subject to Swiss privacy laws. The company, and the Swiss in general, take privacy very, very seriously.
Read about their attitude towards that here. (Signup is on the top bar).
[3] Don’t take photos unless you have to.
Photos contain EXIF data, which potentially includes the make and model of the camera you used, potentially your geolocation, and some other stuff which makes you identifiable.
However, a variety of evidence often requires digital photos. So, if you have to take them…
[4] Leave your photos on Imgur
Imgur is an image hosting website. It allows anonymous uploading of photos, and strips the EXIF details out of your photos on upload. (Note: you can do this yourself, there are dozens of free tools for doing so).
If you upload photos anonymously to Imgur, they will become publicly accessible via the URL. This is most likely what you want.
Imgur is here.
[5] Don’t use PDFs
The PDF is bad for a lot of reasons, but in this context we’re primarily concerned with the file being dangerous to anonymity.
While it’s the standard format for scientific documents, it’s also a big bag full of identifiable information. PDFs contain edits, annotations, form fields, author information etc. Also, if the copies of a document you have are in copyright, then you are not allowed to distribute them (even if you’re pointing out problems with them). So, either save relevant text as text, or if you have an old-school PDF with images, use screen capture.
DO NOT screencap anything identifiable, like your browser bar, program settings, etc.
(Note: the same goes for any Microsoft Office document. Full of redundant information and identifiable garbage.)
[6] Use AnonPaste
A pastebin is a public repository where you dump text. There is one called PasteBin, and as far as I’m aware, they aren’t particularly concerned with privacy.
However, AnonPaste — as might be thought from the name — performs the same function, but without the possibility of discovery. As far as I can tell, they keep no identifying information from people using the site whatsoever.
And when you do, deidentify your language. Do not use local or cultural idioms, do not snark, do not gloat, do not write a goddamn essay about truth and justice. Do not include anything except the raw facts of the matter at hand.
Also bear in mind that in a whistleblowing context, whoever has access to the data or information that is released in the first place is generally a great indication of who released it. So, if you’re worried about being exposed, do not include information which is only accessible to an exclusive group of people. Stick to publicly obtainable facts, if you can.
[7] Use PubPeer
PubPeer is an online journal club which allows you to comment on a dedicated page for any given article. While it started as a discussion group, it quickly morphed into a platform for researchers to discuss serious problems they found within research. Biologists are particularly active on it.
PubPeer are also serious about privacy — they went to the mattresses to protect an anonymous user when they were sued by a researcher who wasn’t happy at being publicly identified as committing fraud.
PubPeer is the place people expect to read about serious problems in research, so it’s the natural home of various forms of whistleblowing.
[8] Tell someone
PubPeer, AnonPaste and Imgur all accept anonymous uploads, but they will just make obscure URLs with your information available on them. They will not tell anyone for you — that’s something you’ll need to do yourself.
Find relevant parties, and tell them what’s up. Again, use ProtonMail.
Putting it all together
So, Amy (in Ascot) is reading the work of Bob et al. (in Boise), and notices a serious problem with one of his figures consistent with image manipulation. She wants to tell Charles (in Cincinnati), the senior author, but she is afraid of any potential backlash.
Amy downloads and installs Tor browser, then signs up for a ProtonMail account (note: these two work fine together). She writes an ANONYMOUS email, outlining her concerns.
Charles tells Amy to get stuffed. He construes her email as a threat, and issues his own — to sue her back to the Stone Age and kick her dog (note: Amy does not have a dog, Charles is just a really mean guy). He also includes a very suspicious response to her question, which exonerates Bob but implicates Charles.
Consequently, Amy determines that (a) Charles is almost certainly the center of the problem, (b) the problem is a deliberate misdeed and not a mistake, and thus she will get nowhere from communicating further with Charles.
Amy takes screenshots of the images in the paper which are problematic, taking care not to include any identifying information. She uploads those images to Imgur (still using Tor).
Then she writes a text document, with links to the Imgur images where necessary, and pastes it into an AnonPaste URL.
When she has that URL, she posts the same thing on the relevant article page within PubPeer, with a link to the AnonPaste document.
She then sends an email to a few of the usual suspects who care about this sort of thing — Bob (of course), Derek, the editor of the relevant journal, the ORI, and the Research Integrity Office at Charles’ university. And me, and lots of other people like me.
Amy then burns her email account, and disappears into a puff of digital smoke, having done her best without exposing herself.
Conclusion
This isn’t the paranoid ranting of a madman, and it’s a lot less cloak and dagger than it sounds. It’s simply replacing all your normal tools for working on the internet (browser, email, text hosting, image hosting) with ones which offer vastly increased privacy.
It is also all very easy to do, and it’s entirely worthwhile if you need to protect yourself, even if it’s a step or two more stringent than usual. There’s nothing like peace of mind, and you get that from protecting yourself properly in a sensitive situation.
Also never forget that there are strange, mean, and vindictive people in the world, and if you have to point out their misdeeds they will not be delighted. It doesn’t matter if you’re correct or not.
And, of course, this all raises the question: should you stand publicly behind your criticisms?
Well, I try to personally, but I do understand there are a hundred reasons people might not have the opportunity to do so themselves. I think you are more likely to get taken seriously by both journals and the wider scientific public if you’re representing criticisms you make under your own name (you have skin in the game!) but that depends on the nature and seriousness of the problems you’ve found.
So, if you have to, protect yourself and speak the truth.
P.S. Consider this something of an open book if you’re one of those net sec types who has better ways of handling information release etc. anonymously. Leave a comment to suggest any additional resources, or correct anything I could have said better.