We already wrote about which kinds of whistleblowing channels a company needs to have. In this series of blog posts we take a closer look at these two individual types of whistleblowing channels. While it has long been a default, sending sensitive content through email poses major security risks in today’s world. Here we address these risks and compare the benefits of email versus web-based whistleblowing channels.
Email reporting is very common in practice. Nevertheless, it is far from ideal, as it is not a secure channel for sending information. Email is by default sent from server to server in clear text that can be read by anyone while in transit, and its content can easily be manipulated. This affects the report’s confidentiality and integrity, which may have negative consequences for the investigation.
Encryption can be used to protect the body of the message but requires both the sender and receiver to have set it up in advance, which is usually not the case in whistleblowing. While encrypting just an attachment can be done more easily, these attachments can be deleted by mail systems because their contents cannot be scanned for safety.
When setting up a dedicated address for email reporting, one also needs to consider who will have access to the inbox beyond the staff authorised for receiving and processing the reports (e.g. IT admins) and how such access could be controlled and managed.
The advantage of online solutions is that they usually facilitate secure (encrypted) two-way communication with whistleblowers, either anonymous or confidential. Moreover, they usually include case management systems for processing reports.
When online solutions allow submitting electronic documents together with reports, whistleblowers should be clearly warned that such documents may include metadata, which may disclose their identity. Therefore, they should check and remove any such metadata from the documents prior to sending them, should they want to remain anonymous. Alternatively, they should have the possibility to send the documents in physical form via ordinary mail to a dedicated address.
Web-based whistleblowing channels should support multiple languages, if relevant for the organization. Web forms on the organization’s own website should be avoided, because such websites usually record visitors’ IP addresses and use various cookies. To allow for anonymous reporting, dedicated web domains should be used and set up accordingly.