Help me be a tattletail without getting told on
June 9, 2008 10:31 AM   Subscribe

Maybe you should be using tor?
posted by the dief at 10:34 AM on June 9

I'd send it from the library.
posted by ill3 at 10:35 AM on June 9 [4 favorites]

Make sure the letter is brief (or edited) enough that no distinct "voice" can be detected (this is coming from someone who's very good at recognizing characteristic spelling errors, punctuation quirks, language, paragraph breaks, etc. from folks I email with frequently).
posted by availablelight at 10:38 AM on June 9

Absolutely. Once they have an IP address it's just a game of follow the leader and internet providers tend to work with the authorities. Why assume so much risk? Libraries, public and academic alike, have computers with internet connections and sometimes you can just walk in and use them, no questions asked.
posted by jwells at 10:38 AM on June 9

What would happen if people knew you were the rat? Because if you send this email, there's a nonzero chance that it'll happen.
posted by box at 10:39 AM on June 9

Amplifying what availablelight said above, in case you don't already know it, your spelling is such that those you work with may recognize your writing immediately. Have someone else edit your message before you send it.
posted by JimN2TAW at 10:48 AM on June 9 [1 favorite]

Seconding Tor.
posted by Brian Puccio at 10:54 AM on June 9

Regarding the fear of being fired/convicted - If you blow the whistle to proper authorities, the Sarbanes-Oxley act is supposed to protect against such retaliation.

Otherwise, yea, Tor. Masking your IP address, which is certainly trackable, is one of its uses.
posted by jmd82 at 11:01 AM on June 9

Short answer - yes, people other than law-enforcement can track down the email. They can issue a subpoena to Yahoo who would almost certainly give up the IP address of the computer the email was composed on. They *might* also say what other Yahoo addresses are associated with that IP.

The key things that might link this email to you are:

- knowledge of events described. Do a lot of people know about X, or a few?
- time of day email was sent
- IP address of computer email was sent from
- unusual characteristics of text - uncommon misspellings or grammar errors, unusual words or unusually complex sentences, correct or incorrect use of punctuation.
posted by zippy at 11:13 AM on June 9 [1 favorite]

They can issue a subpoena to Yahoo who would almost certainly give up the IP address of the computer the email was composed on.

I dont know if yahoo would 'almost certainly' give up the IP address for a routine discovery request. Yahoo is interested in protecting the privacy of its users and I would offer at least minimal resistance.
posted by norabarnacl3 at 11:17 AM on June 9

*I would offer = I assume they would offer
posted by norabarnacl3 at 11:18 AM on June 9

Agreeing with box. Certainly do what you can to remain anonymous, but ultimately you need to decide whether you will 'go along to get along' or whether you're willing to stand up for what is right.

Also, even though I'm not a 'higher-up' in my company, I would think that there's a strong possibility that an anonymous email from a Yahoo account will be ignored no matter what charges/grievances are contained within it.
posted by wabashbdw at 11:25 AM on June 9

Similarly, internet cafes offer public access to do something like this, and in most of them, you can pay a couple bucks in cash for the time you want to use, no names and registration required. I supposed you could still theoretically be tracked down if they have security cameras or similar, but it'd require a real world identification of you as a person instead of some computer records.
posted by jacquilynne at 11:30 AM on June 9

How about mailing a letter. This might actually get more attention.
posted by blue_wardrobe at 11:45 AM on June 9

If someone uses Yahoo! webmail I think it includes the IP address of the sender in the headers (it certainly used to), so no subpoena required.
posted by malevolent at 11:48 AM on June 9

I just want to remind you that you posted this question non-anonymously. While you don't have your name in your profile, you've posted several questions and a lot of answers on AskMefi; This could probably be used to identify you by people who know you in real life and also uses Metafilter. It's unlikely, but it's possible.
posted by qvtqht at 11:50 AM on June 9 [3 favorites]

Yahoo is interested in protecting the privacy of its users and it would offer at least minimal resistance.

No, it isn't, and it doesn't. If the poster's employer filed a John Doe civil lawsuit against him, a judge would grant a subpoena for Mr. Doe's identity, based on his IP address or other identifying information. Yahoo's policy is to give the user 15 days notice (and prior to the 2000 lawsuit, they didn't notify users at all). The user may then attempt to quash or otherwise fight the subpoena... but that presents a bit of a catch-22, as doing so would generally reveal the identity in question. (See: an example, some consequences, and the company they keep)

Is it possible to cover your tracks enough to make it impossible to track your identity? Sure. But one simple mistake (like leaving a stray cookie on your laptop) will blow your cover. Are you likely to do this correctly the first time? That depends on you.

This is one of those times where a non-technical solution is probably better. Type the letter. Crumple it once. Uncrumple it. Xerox it somewhere. Place the xeroxed copy in an envelope with a stamp and no return address. Mail it somewhere out of town. Then forget about it. You didn't mail it. You don't know who mailed it. Boy, would you like to read it.
posted by toxic at 11:50 AM on June 9 [1 favorite]

Also, if Yahoo gives up the IP address of your home computer, your ISP can tell which of its customers was using that IP address at the date and time the email was sent. Don't use your home computer.
posted by poppo at 11:54 AM on June 9

Never, ever, do this from a home PC.

Do this on a computer that is not yours along with a network connection that is not yours.

Google for "anonymous remailers" (example) at the library and do it from there. Test it out to your yahoo account. then send it via and put a fake email address in the form.

Of course in the world of spam filters and what not, you're better off sending a real letter.
posted by damn dirty ape at 12:03 PM on June 9

Type out a letter with a typewriter (I don't remember the details, but it's possible to determine at least the model, if not the serial number of the printer used to print something, based on a dot matrix that is visible under UV or something). Send it from a public mailbox near your place of work to the appropriate office, with a return address that is the generic address of your place of work. If you want to get really detailed, make sure you use self-adhesive stamps and envelopes.
posted by gauchodaspampas at 12:04 PM on June 9 [2 favorites]

Also, ask Jess, Matt or Cortex to disappear this thread (not just delete).
posted by gauchodaspampas at 12:07 PM on June 9 [1 favorite]

Seconding the use of an anonymous remailer.

Here at work, I've had to investigate threatening/scary emails sent via Yahoo! accounts before and while it was a pain in the ass it was doable. Some of those emails wound up having been sent from a work machine, but I'd bet a bit of "social engineering" with the ISP/owner of the IP address would have gotten me the info anyway.
posted by JaredSeth at 12:10 PM on June 9

Be sure to disappear this thread. I've already figured out how to identify you if you work for my organization.

Hmm, when did X take time off for a doctor's appointment...
posted by anthill at 12:52 PM on June 9

If someone uses Yahoo! webmail I think it includes the IP address of the sender in the headers (it certainly used to), so no subpoena required.

This is correct for many webmail clients. Last I checked, gmail does not include the originating IP address in headers (but obviously you should check).

If you don't want to use Tor but want to do this electronically, probably your best bet is several levels of obfuscation:

- Get someone to edit/reword your letter
- Go to a library/internet cafe in another city (if not another state)
- create a gmail account there and send the email from there
- never log into that gmail account from your home computer. ideally, never log in ever again
- get this thread as gone as the mods can make it
posted by mikepop at 1:05 PM on June 9

Type out a letter with a typewriter (I don't remember the details, but it's possible to determine at least the model, if not the serial number of the printer used to print something, based on a dot matrix that is visible under UV or something). Send it from a public mailbox near your place of work to the appropriate office, with a return address that is the generic address of your place of work. If you want to get really detailed, make sure you use self-adhesive stamps and envelopes.

This is the best idea. If it even gets through the spam filter, will it get past the secretary filter? The disgruntled crank filter?

If you do send physical copies, send several letters and indicate on the letter everyone you're CCing--they won't be able to pitch it if they know that the CEO, and COO, the Comptroller, and the General Counsel have the same letter.

Put some kind of threat of going to the authorities if x action isn't taken in y time, and if it's that important, be willing to follow up.

You're awesome for doing this, and I wish you the best of luck.
posted by sondrialiac at 1:08 PM on June 9

Buy newspapers, cut out all the letters, glue your message letters together. Wait until dark out, and no moon, get false ID, take a taxi to a mailbox mail a letter to 3rd party, ask 3rd party to remail it.

Seriously, just print it and mail it - seems easy to me, as opposed to some other cloak and dagger answers suggested.
posted by dripped at 1:45 PM on June 9

Considering all of the people saying not to use yahoo, I'm surprised nobody has suggested Hushmail. Reasonably secure, can be free, encrypted blah blah, hosted in B.C. and they have a track record of only accepting subpoenas from B.C./Canadian Federal courts. Can get anonymous remailers and all that. I've used them before, like them.

However, still agree with physical letter, and really agree with not sending from your public computer.
posted by Lemurrhea at 1:48 PM on June 9

Wait, wait, how in the world would law enforcement ever go investigate to track down your personal information if you are the whistleblower?? Law enforcement would have no reason to do that, I don't know why they could, they wouldn't help your company track you down - the laws certainly aren't there for the purpose of law enforcement aiding your company at retribution against a whistleblower. I could see an investigation being something to worry about if you were the one at fault, but not if you're the one blowing the whistle!

I think this is overblown, get an anonymous email account and send your message.
posted by citron at 5:03 PM on June 9 [1 favorite]

That said, you could always just type a letter and sending that to the appropriate higher-ups (many of them) and put a "CC" notice at the bottom so they are all aware that each other are being copied.
posted by citron at 5:05 PM on June 9

Law enforcement would have no reason to do that

Law Enforcement has nothing to do with it. The civil side of the American legal system has plenty of tools that an aggrieved company can use against an anonymous irritant.

Mr. Chips blows the whistle internally. Nothing happens. So, he decides to be a little more aggressive, and also sends an anonymous message to a reporter and to a couple of the company's clients.

Chips's company, naturally, objects. Someone has libeled their company through internet private mail (and most likely, has violated the terms of their employment contract and/or nondisclosure agreement). So, Chips's company files a civil lawsuit claiming libel and breach of contract.

The problem is, they don't know who to file it against. Fortunately, case law favored by the copyright industry allows Chips's company to essentially file suit against an IP address, or an account name, and then immediately subpoena the identity of the owner of the address/account. Generally, ISPs (and Yahoo) are more than happy to comply with such a subpoena, if someone's gone to the trouble to hire a lawyer, file a lawsuit, and have a subpoena granted (not that this is especially difficult for a corporate attorney).

And at that point, they may find out Mr Chip's identity -- if he was at all sloppy with the anonymous account, and somehow made it possible for Yahoo to know who he is (or he did this from home, and his own ISP is the target of the subpoena). His ISP and his email provider won't protect him; if they know who he is, they'll hand that over. The company may choose to continue their lawsuit against him. They may also choose to drop it, without ever really establishing its validity. They might fire him, or shun him until he quits.

Not. Worth. The. Risk.
posted by toxic at 5:40 PM on June 9

What you want is not tor, what you want is mixmaster or perhaps mixminion; they are specifically designed for sending anonymous, untraceable email, for exactly these sorts of situations.

Of course, it's still possible to give yourself away if you're not careful with the content of the message...
posted by Kadin2048 at 6:12 PM on June 9

Whatever else you do, look into getting a new job. If things are bad enough that you're contemplating skullduggery, they're probably bad enough that you don't really need to be there any more.

That said, here's my plan:

First, your letter. Make sure it has an eye-catching title. Huge, bold profanities work. Be careful where you produce that document, and as others have said, be careful what it gives away in terms of your language choice and stylistic quirks. Type up the document in Notepad or similar at an internet cafe, on a comptuer with a local printer. Before you print, replace every letter "T" with "T[" or "a" with "4" or some other semi-randomizing distraction. Print without saving, and switch the computer off and on after using it. Add the title by hand, drawing the letters with a pen and a ruler. Make 17 copies at a coin-op photocopier somewhere. (To mess with them. Most people make n*5 or n*10 copies of things. They will assume there are 20, and 3 have gone missing.)

Buy a cheap secondhand fax off Ebay or at the junk store that will do "chain" faxes, ie send the same fax to multiple numbers. Find out all the fax numbers in the building. Program them into the fax. Change the fax's outgoing/origin message to the local post office (or similar public fax facility) name and number, or a name and number off the last junk fax that was tossed out. Disable the machine's automatic pagination. Put the fax in some kind of box that people carry around your office all the time, like a toner cartridge box or mail delivery basket or something; if you're uber-paranoid, empty an old computer case that's large enough to hold a little fax, and put it inside the shell.

Find an insecure phone line somewhere in the building, like a conference room or empty office or supply closet, that you can hook a fax up to (near power) without being caught on security camera, and can carry a box into without looking suspicious. Behind a desk works well. Come up with a plausible reason why you're taking the box to that empty room. ("Cleanout" is a good one. "Need some privacy to go through these old files" is another.) Run one test fax to your nearest fax machine, just a blank page, so you can ensure it gives no clue to its origins. Now run your 17-page fax through it, and send it to every fax machine in the building. Make sure it's an outgoing, then incoming, call (ie, dial zero and use the full number, rather than just the extension).

That afternoon, pick up the box from the empty office, drive home, and stop to toss it in an industrial bin on your way.
posted by aeschenkarnos at 12:16 AM on June 10

If you've got a laptop, get an Ubuntu Linux LiveCD (so you don't need to worry about cache/cookies/etc) and head on down to your friendly local Panera. Their free Wifi doesn't require any information you can't lie about, and from there you can boot into Linux, create the email account, compose and send your letter, and then pack everything up. Hell, throw the LiveCD in a dumpster if it makes you feel any better. At this point the only thing tying you to the email is your laptop's wifi card's MAC address- so figure out how to change that (it's not too hard) and you're set.
posted by Pope Guilty at 4:18 AM on June 10

Just wanted to point out that at many public libraries you have to log in with your library card number or some other personally identifiable marker.

But many university libraries and labs have open computers that don't require a login. You might try one of those.
posted by aerotive at 5:10 AM on June 10

Or you can send out a free fax from the library. Make your letter a PDF and visit this site.
posted by damn dirty ape at 7:03 AM on June 10

So, he decides to be a little more aggressive, and also sends an anonymous message to a reporter and to a couple of the company's clients.

This is where the whole law enforcement/subpoena tack comes off the rails, since that's not what he said he was going to do. Nor does it seem like the higher ups would be sufficiently vested in who dropped the dime to go flailing around in court. Either they'll ignore it or they'll do an investigation and find out enough that the email won't matter.

What cause of action, exactly, do people think is going to make a company file suit against a person for sending an anonymous, purportedly internal, email informing company executives of misdoings within the company? Breach of contract? I'm sure judges just love contracts that require employees to ignore crimes, and are eager to enforce them.

I'm kind of beating up on Toxic here, but those links are misleading. Take the first one - the SeeBeyond subpoena. That subpoena was quashed following an oral argument by a second year law student at Stanford's cyberlaw clinic.

Surely those that got fired/reprimanded are going to have a hard time availing themselves of the courts to find out who did this. It seems like a suit against somebody who got them fired for cause would be a losing battle. "Motion to Quash the Subpoena on the Grounds that It Is Stupid, your honor."

Similarly, I'm not sure why you think law enforcement might be brought to bear on finding the anonymous tipster. If there's better evidence, the police and prosecutors won't care about who sent your email; if there's no case, they still won't care.

There are lots of people telling you lots of ways to be anonymous. I know I'm not answering your narrow question here, but on the off chance it's helpful, I think you've got to ask yourself whether you want to report this crime or not. Wabashbdw's point probably applies to any anonymous complaint that that the company hasn't set up for exactly this sort of communication. I don't imagine, though, that it'd be fun to work for a company where everybody would hate you for doing the right think. Damn. That's pretty preachy. Still.

At the end of the day, I wouldn't worry about your employer going much out of their way to find who you are if you're complaining anonymously to the higher-ups. I wouldn't worry much about people who got the fired finding out who did it, either. I would worry, if you're serious about getting the situation resolved, whether anonymity would yield any traction in getting the company moving on the problem.
posted by averyoldworld at 9:14 AM on June 10 [1 favorite]

I received an anonymous yahoo email at a previous job. It warned me to "watch my back," and advised me that "karma comes back threefold." Though it was anonymous, I knew exactly who sent it. She was crazy. I was friends with her boss. She thought we were having an affair. We weren't.

Because there was a homophobic undercurrent to the email, and an implicit threat, I reported it to my boss. He made me go to the university police.

What I learned from this, and what you need to know: In order for Yahoo to reveal the identity of an account holder, they must first receive a subpoena. No police department will subpoena an ISP unless a there's been a violation of the penal code. That is, a threat of physical harm must have been made.

I suppose there's an outside chance that your employer would hire a lawyer to subpoena the ISP, but only if they decided to sue the anonymous whistleblower -- in which case, you'd be protected by Federal law.

One more thing you should know: Anonymous emails that the higher-ups find in their inboxes are laughably easy to delete. The chances of them acting on a report from someone who is obviously to afraid to really threaten them -- well, they're slim. Sorry.

If it's so important that you really want things to change, consult a lawyer, know your protections, and then blow the whistle in the light of day.
posted by mudpuppie at 1:54 PM on June 11

One more thing you should know: Anonymous emails that the higher-ups find in their inboxes are laughably easy to delete. The chances of them acting on a report from someone who is obviously to afraid to really threaten them -- well, they're slim. Sorry.

This is quite true. That's a big part of why my hypothetical up there included the scenario of "Nothing happened internally, so Chips decided to let some outsiders in on it, too".

Assuming this company stinks enough for us to be having this discussion, it's not likely that this email will be especially enlightening to the recipients (short of sending it company-wide, and not just to the higher ups). They know this is going on. They likely condone it. Unless you threaten to spread this information further, you've got no leverage, and they're likely to just ignore you -- because it's not like you're going to come along later and say "But wait, didn't you get an anonymous message back in June?"

They can pretend to have never gotten it, and there's nothing you can do to call them on it, without losing your anonymity.


I suppose there's an outside chance that your employer would hire a lawyer to subpoena the ISP, but only if they decided to sue the anonymous whistleblower -- in which case, you'd be protected by Federal law.

The original post was not concerned with the level of protection that the the whistleblower has ("What can they do to me if they know I sent this")... the post was "Can my company find out who I am, if I send an anonymous mail using Yahoo?"

And the answer to that question is that there's a non-zero chance that your company could find out who you are (or confirm their suspicions). One method would be to would go through the motions of filing a lawsuit, for the purpose of determining an anonymous detractor's identity (at which point, they may or may not continue the lawsuit -- but if all they wanted was a name, they'd get it, if the ISP/mail provider had it). Law enforcement won't subpoena this information, because there's no cause to believe that a crime has been committed... but the standards for this sort of discovery in the early stages of a tort filing are significantly lower.

Is it a dubious lawsuit? Sure, though in the era of the nondisclosure agreement, it's less dubious than it should be. But is the identity of the whistleblower likely to become known before the suit is dropped or thrown out? Unfortunately, yes. Google "CyberSLAPP" for examples and discussions on the matter. SLAPP lawsuits pre-date the Internet (and more than one state has anti-SLAPP legislation -- which is slowly evolving to cover these suits as well)... this is not entirely new ground, though the sheer amount of minable data that an ISP has changes the game a bit.

Considering the poster believes that certain people would go to jail if this were to get out, and they're of the mindset that bending the law is acceptable behavior, I would very strongly suspect that they'd use every tactic available to them -- including this sort of subpoena. I think that this increases that already non-zero risk to the point where it's not worth it. You are free to draw your own conclusion, and/or lower your risk by using a media (like, say snail mail) where there's less of an audit trail that could lead to identity discovery.
posted by toxic at 4:46 PM on June 11

« Older Can anyone recommend a good se...   |   Okay so I'm about 30lbs over m... Newer »