For Tech Whistleblowers, There’s Safety in Numbers

Amber Scorah knows only too well that powerful stories can change society—and that powerful organizations will try to undermine those who tell them. In 2015, her 3-month-old son Karl died on his first day of day care. Heartbroken and furious that she hadn’t been with him, Scorah wrote an op-ed about the poor provision for parental leave in the US; her story helped New York City employees win their fight for improved family leave. In 2019 she wrote a memoir about leaving her tight-knit religion, the Jehovah’s Witnesses, that exposed issues within the secretive organization. The book cost her friends and family members, but she heard from many people who had also been questioning some of the religion’s controversial practices.

Then, while working at a media outlet that connects whistleblowers with journalists, she noticed parallels in the coercive tactics used by groups trying to suppress information. “There is a sort of playbook that powerful entities seem to use over and over again,” she says. “You expose something about the powerful, they try to discredit you, people in your community may ostracize you.”

In September 2024, Scorah cofounded Psst, a nonprofit that helps people in the tech industry or the government share information of public interest with extra protections—with lots of options for specifying how the information gets used and how anonymous a person stays.

Psst’s main offering is a “digital safe”—which users access through an anonymous end-to-end encrypted text box hosted on Psst.org, where they can enter a description of their concerns. (It accepts text entries only and not document uploads, to make it harder for organizations to find the source of leaks.)

To safely share secrets, tech whistleblowers can go to psst.org and enter details in an encrypted text-box.

Photograph: Ali Cherkis

What makes Psst unique is something it calls its “information escrow” system—users have the option to keep their submission private until someone else shares similar concerns about the same company or organization.

As the organization was preparing to launch, members of Psst’s team helped a group of Microsoft employees who were unhappy with how the company was marketing its AI products to fossil-fuel companies. Only one employee was willing to speak publicly, but others provided supporting documents anonymously. With help from Psst’s team of lawyers, the workers filed a complaint with the Securities and Exchange Commission against the company and aired their concerns in a story published by The Atlantic.

Combining reports from multiple sources defends against some of the isolating effects of whistleblowing and makes it harder for companies to write off a story as the grievance of a disgruntled employee, says Psst cofounder Jennifer Gibson. It also helps protect the identity of anonymous whistleblowers by making it harder to pinpoint the source of a leak. And it may allow more information to reach daylight, as it encourages people to share what they know even if they don’t have the full story.

Only members of Psst’s in-house legal team can access information in the safe. In countries including the US and UK, communications between lawyers and their clients usually benefit from legal privilege, meaning the information is kept confidential.

This is one reason tech companies have such large legal departments, says Gibson, who leads Psst’s in-house legal team: “They’re designed to put lawyers in the room so the information isn’t disclosable. To some extent, we’re using their playbook.”

Amber Scorah with Psst co-founders Jennifer Gibson and Rebecca Petras.

Photograph: Ali Cherkis

At the moment, Psst lawyers first manually review the entries in the safe without reading the contents. Users can tag their entries with the company name and the category of their concern—“trust and safety” or “fraud,” for instance. If the lawyers find matches, and the contributor consents, the lawyers decrypt and read the entries to see if they may form part of the same story, while keeping the different contributors’ identities protected from one another.

Psst plans to automate some of this process—in the future an algorithm running in a secure enclave built into the hardware of a computer will decrypt and compare information looking for potential matches while keeping it shielded from human eyes.

What happens next depends on various factors, but often Psst will involve an independent investigative journalist or publish accounts on its own website. Sometimes, whistleblowers might want to alert regulators without going public.

One challenge, Gibson says, is that regulation often lags behind technological advances, as with AI safety. “You’re then in this no-man’s-land,” she says—even if something’s not illegal, reporting it may be in the public interest.

Scorah hopes Psst’s impact on the tech world will be similar to what she experienced when telling her own stories, by using insiders’ accounts to shed light on broader industry issues. “Whether it’s a religion operating off the radar with policies that cause harm or an AI company whose product or policies are causing harm, I have seen the same thing,” she says. “Sunlight has a sanitizing effect.”