Honest Appalachia is designed to help whistleblowers anonymously leak documents to journalists and the public. The website hopes to serve a vital need in Appalachia, by inspiring whistleblowers to make critical information available to an informed citizenry.
In addition, Honest Appalachia hopes to serve as a replicable model for similar projects elsewhere in the United States and around the world. We are willing to offer our assistance to those working on similar projects. We believe that our model can change the way government and industry operate. We believe our model will help in the perennial effort to keep our politicians, our government agencies and our corporations honest.
Honest Appalachia was developed by a group of freelance journalists, transparency activists and computer programmers from Appalachia and beyond. It seeks to adhere to a strict journalistic ethic, maintaining objectivity and nonpartisanship in its activities.
Honest Appalachia is focused on serving the Appalachia region of the United States of America, so currently our threat model, subsequent design, and recommendations are all based on the surveillance capabilities of US government and law enforcement, and the legal rights of US citizens. Consider contributing if you want to support other parts of the world.
Much of this documentation refers to evading law enforcement or government surveillance. While whistleblowing is legally protected in the United States, its legal status is loosely and inconsistently defined, primarily at the state level. Therefore we assume the worst, and act to protect whistleblowers even if they could be threatened by unjust uses of the legal system. In a truly just and democratic society, whistleblowers would not need to fear their government and this site would not be necessary in the first place.
1. A user visits the Honest Appalachia upload page, using Tor to anonymize their traffic. All of the pages at the honestappalachia.org domain force access through HTTPS.
2. The upload page confirms that they are using a Tor exit node to communicate, and redirects them to the real upload site, a Tor hidden service.
3. The user is presented with a simple web form allowing them to upload a file and optionally include comments about it.
4. The file and comments are uploaded using HTTP with the Tor hidden service protocol, which is end-to-end encrypted. The user receives a confirmation page and is done.
5. The hidden service encrypts the uploaded file with a GPG public key, then uploads it to Amazon S3 for storage, where it is further encrypted with AES-256. The original and encrypted files are securely deleted from the hidden service.
6. An activist for Honest Appalachia downloads the encrypted file from Amazon S3 and uses their private key to decrypt it. They review the uploaded files, carefully removing any information, like file metadata, that could identify the original source.
7. The cleaned file is distributed to journalists for analysis and publication.
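The gate described in steps 1 and 2, sketched as an added example that is not Honest Appalachia's own code. It assumes a one-address-per-line exit list; the function names, the action labels and the onion URL placeholder are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample in a one-address-per-line exit-list format
# (documentation-range addresses, not real relays).
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.7
2001:db8::5
garbage-line
"""

# Placeholder: the page does not give the hidden service address.
ONION_UPLOAD_URL = "http://<hidden-service-address>.onion/"


def parse_exit_list(text):
    """Return the set of valid exit addresses, skipping comments and junk."""
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # a malformed entry must not break the gate
    return frozenset(exits)


def normalize(remote_addr):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def gate_upload_request(remote_addr, is_https, exits):
    """Decide what the clearnet upload page does with one request."""
    if not is_https:
        return ("redirect_https", None)  # step 1: HTTPS is forced
    addr = normalize(remote_addr)
    if addr is not None and addr in exits:
        return ("redirect_onion", ONION_UPLOAD_URL)  # step 2
    # Fail closed: unknown or unparsable peers never get the upload form.
    return ("show_tor_instructions", None)
```

`remote_addr` has to be the socket peer address (or one set by a trusted reverse proxy), never a client-supplied header. The exit-list check only steers visitors toward Tor; the anonymity guarantee itself comes from the hidden service in steps 3 and 4.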
- email: firstname.lastname@example.org
- mobile phone / SMS text message:
For those who wish to discuss our submission protocol or other sensitive information: email@example.com
Also for Postal Document submissions:
P.O. Box 11776
Charleston, WV 25339
United States of America
Social Media / Networks
Mainstream print and broadcast journalists, politicians and other influential people at whom whistleblower leaks are targeted are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter, Facebook or blog RSS feeds.
Entries RSS: https://blog.honestappalachia.org/feed/
Comments RSS: https://blog.honestappalachia.org/comments/feed/
Financial Donation methods
The project is funded by a grant from the Sunlight Foundation, a government transparency watchdog based in Washington, D.C., as well as by private donations.
You can use your Paypal account or a credit/debit card. Donations are handled by Aurora Lights, an organization offering us infrastructural support.
Currently accepting submissions of whistleblower leaks ?
Explicit promises about Anonymity, Privacy or Security
Yes, with sensible caveats
Restrictive legal Terms & Conditions
Practical Advice on preserving Whistleblower Anonymity
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
Qualys SSL Labs SSL Server Test rating:
Overall rating: **A**
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
PGP Public Encryption Key
URL to web page or downloadable .asc text file
Link to a key Public PGP Keyserver e.g.
PGP ID: 0xDC3784C2
Type: RSA 4096/4096
PGP fingerprint: 0911 FB4A 07F2 ED6A 924C 37DE 2844 2311 DC37 84C2
TOR Hidden Service
The online submission system is only accessible via their Tor Hidden Service:
via Tor will redirect the Tor Hidden Service
See the online documentation and anonymity advice, for how to install the Tor Browser Bundle
Hushmail Secure Form
Leak Submission Anonymity
Some of these techniques are appropriate for a normal website like this wiki, but not for whistleblower or tipoff websites, where potential whistleblower source anonymity protection should be paramount:
TOR users blocked from access
3rd Party or persistent tracking cookies or graphics
CAPTCHA graphics generated from another website e.g. Google reCAPTCHA
Mixed mode non-SSL graphics or style sheets
Embedded video clips or deep linked graphics etc. from another website e.g. YouTube
Flash file uploader class
Communications / Acknowledgement back to the whistleblower via the website
Acknowledgement of receipt of information
e.g. file upload success indicator - has the leak message or upload actually been received successfully ?
Leak analysis work flow status reporting
e.g. Has anyone actually looked at what the whistleblower has submitted ?
Private message box
e.g. for 2-way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
Multiple Internet Service Providers, in different legal jurisdictions ?
ThePlanet.com Internet Services, Inc. Houston, Texas, USA
Domain Name Server(s) & jurisdiction(s)
ns1.webfaction.com [184.108.40.206] ns2.webfaction.com [220.127.116.11] ns4.webfaction.com [18.104.22.168]
Alternate Domain Name aliases
Actual Physical Mirrors of the website:
Content available via BitTorrent etc P2P etc.
Hosting of Mirrors of other whistleblowing websites
Open Source software published
We host all of our code on Github. At the moment there are 3 main repositories:
This is the Django website that powers www.honestappalachia.org.
Our secure upload site.
This documentation! It is written in ReStructuredText and compiled with Sphinx. There are instructions for contributing documentation in the README.