Top 5 Privacy Rules
Rule 1: Minimize Your Digital Footprint
Rationale
Every action you take online creates data. This data, when aggregated, can reveal your personal habits, associations, and even your identity. Reducing the amount of unnecessary personal data you share online limits what adversaries can discover about you.
Key Content
- Take inventory of your social media accounts and close the ones you can afford to shut down. Delete all old, unused accounts and apps: these can be forgotten liabilities that contain your personal data and are often targets of hacks, enabling impersonation and social engineering attacks.
- Review and adjust your privacy settings on all your online accounts (social media, apps, etc.): Limit your data sharing to the minimum necessary.
- Turn off location sharing on social media, mobile apps, etc.
- Be mindful of information you share publicly: Avoid posting your sensitive personal details, routines, or locations on public forums or social media. Assume anything you post online can become permanent and public. Do not rely on your right to data deletion: various court rulings have forced technology providers to keep logs, and many companies do not have adequate deletion strategies.
- Use pseudonyms or anonymous accounts for your sensitive online activities: This helps disassociate these activities from your real identity.
- Opt out of data broker lists and public records where possible: Reduce the amount of your personal information available in searchable databases.
Recommended tools
Anonymous E-mail
Mailbox – well-known email provider from Germany with good PGP support.
ProtonMail – well-known email provider from Switzerland with good PGP support and cash payment (https://proton.me/support/payment-options#cash). Anonymous email account creation is possible by signing up for a free account and using a temp mail address (tested with guerillamail.com) for verification.
Tuta – well-known email provider from Germany with E2E encryption and a zero-knowledge calendar.
Data-removal
Privacy Guides: For general opt-out tooling and providers please refer to the
“Big Ass Data Broker Opt Out List” – a good starting point to work yourself through
Impact
Reduces the attack surface for adversaries trying to gather information about you through open-source intelligence (OSINT) or data breaches. It makes it harder to link your online personas or track your activities.
The seemingly innocuous data points you share across various platforms can be pieced together like a puzzle. For instance, location data from your photos, your check-ins on social media, and even background location tracking by apps can build a detailed profile of your movements and habits. If an adversary is attempting to identify you, this aggregated data can provide crucial leads or corroborating evidence. By consciously limiting what you share and pruning your old data, you reduce the raw material available for such analysis.
Rule 2: Use Strong, Unique Passwords and Two-Factor Authentication (2FA)
At the moment, no whistleblower support organization has in-house AI expertise. This is where OAISIS comes in: we supplement existing whistleblower support organizations with AI expertise. You can request that the OAISIS/Third Opinion experts be brought in during your outreach; the support organizations will know what to do.
If you would just like to get independent AI experts’ opinions on your questions (without disclosing any confidential information) before your outreach to these organizations, set up an initial consultation with Third Opinion. This is a service we set up so insiders can clarify their concerns with AI, ethics, legal, or other appropriate experts.
Rule 3: Encrypt Your Devices and Data
“There is no law covering my AI risk specifically, so no one will support me.”
Most whistleblower support non-profit organisations help individuals who are not yet clear on whether a law is violated – as long as the case carries an element of public interest. Refer to our “Contact Hub” below to identify a suitable organisation. We recommend looking at the “Case Focus” category in the detailed profiles of each organisation to determine if they can help. For help to identify the right organisation, you can also contact us.
Legal notice: OAISIS does not request or encourage potential whistleblowers to act unlawfully.
“There is no law covering my AI risk specifically … Can I still be protected or receive whistleblower protections?”
TL;DR: Speak to whistleblower support organizations and experts in the list below to find out how you are or can be protected.
Please note that the following is provided for informational purposes only and does not constitute legal advice.
While your concern may not be explicitly covered under existing laws, there are existing whistleblower protection programmes that can offer you protection: If you are in California, for example, you are covered by the California Labor Code § 1102.5, which protects California workers from being fired or otherwise retaliated against for reporting violations of any law or regulation to the government or internally within their company.
For example: While there may not yet be a specific law requiring frontier AI labs to implement particular monitoring standards to prevent misuse of their models, a failure to implement reasonable safeguards, especially if done so in full awareness of how a model is used nefariously, could still expose the company to liability under existing California or federal laws, such as California Penal Code Section 502 (Computer Crimes), the Computer Fraud and Abuse Act (CFAA), or the Wire Act. Although these statutes generally target intentional misconduct, significant negligence around security or misuse prevention could nonetheless lead to civil liability, enforcement actions, or other legal consequences.
You may also be covered by, for example, the federal SEC Whistleblower Protection Programme. This programme not only protects you from retaliation, but may also offer you a ‘bounty’ if the SEC imposes fines on the organization you report for suspected misconduct.
Potential violations related to AI companies, covered by the SEC Whistleblower Protection Programme, may include:
- Restrictive agreements (non-disclosure, non-disparagement)
- Proof of discrepancy between public statements and internal reality
- Underlying safety concerns that may be of interest to any federal, regulatory, or law enforcement agency, including but not limited to national security issues and safety protocols
- Failure to disclose to potential investors and government agencies and/or the general public evidence of major risks
Rule 4: Control and Sanitize Your Metadata
Absolutely not. As long as you believe* you have spotted an issue of concern, you can reach out to any of the organizations listed below.
You always have the option of pulling out or stepping back — whistleblower support nonprofits and organizations will never require you to make a disclosure. They are here to support you.
*If you suspect or are unsure that there is an issue, use the Third Opinion service to consult with AI experts. No sensitive or confidential information is ever required during this process.