Can you help if we already use a vendor whistleblowing platform?

Often yes. Ki-Ki can help you understand what the existing platform is doing technically, improve the surrounding infrastructure, and design an independent alternative route if appropriate.

Ki-Ki | Whistleblower safe sites and secure reporting routes

Q: Can you guarantee anonymity for whistleblowers?

No one can honestly guarantee anonymity. Ki-Ki designs routes that minimise unnecessary data, use encryption, and avoid fragile platforms. The limits and realistic protections are explained plainly at the start.

Q: Do you work directly with individual whistleblowers?

Ki-Ki can work with individuals or small groups where there is a clear, lawful public interest goal and a sensible scope. Technical support does not replace independent legal advice or representation.

Q: Can you help us receive disclosures securely?

Yes. Ki-Ki can set up secure PGP based contact routes, harden the surrounding infrastructure, and provide guidance on safe handling of incoming messages and files on your side.

Q: How do you handle conflicts of interest in whistleblower work?

If Ki-Ki is already working with an organisation in a way that creates a clear conflict with a proposed whistleblower project, the new work will be declined. Ki-Ki does not sit on both sides of the same dispute.

Whistleblower safe sites, for both sides of the disclosure

Whistleblowing is high risk for the person speaking and for the people who agree to receive and act on what they say. The web infrastructure should not be the weak point.

I build and harden neutral, technical foundations for lawful whistleblowing and public interest disclosures. That covers both internal disclosers who need safe contact routes, and independent projects that receive and protect sensitive information.

Whistleblower safety Secure reporting routes Static sites and Cloudflare Evidence grade logs Lawful fingerprinting

Talk to Kieron Who this fits Common problems How I help Boundaries

For the wider context of public interest work, see Advocacy, campaign, and public interest sites.

Who this fits, in practice

This offer is split between internal whistleblowers looking for safe routes, and independent receivers providing those routes to others.

Internal whistleblowers and reformers

Staff or contractors who want to document patterns and timelines on a site they control personally.
People preparing material for regulators, oversight bodies, or MPs and who want a clean public record to point to.
Small groups of staff who want a shared, stable space to organise documents and updates outside company platforms.

Independent receivers and platforms

Journalists and public interest publishers who invite confidential tips and need safer intake routes.
Charities, advocacy projects, and unions that accept disclosures about abuse, malpractice, or unsafe practice.
Community projects that support people to raise concerns about local services or institutions.

The common thread is simple. There is something important to say, someone is likely to be unhappy about it, and you want the technical side to be solid, boring, and defensible.

What usually goes wrong with whistleblower routes

A lot of whistleblowing infrastructure is built for appearances, not for safety. The gaps show up at the worst possible time.

Ordinary contact forms for extraordinary risk

Standard site forms, poorly configured HTTPS, and email forwarding leave a fragile chain when somebody is sharing sensitive information that could have consequences for their job or safety.

Corporate platforms that people do not trust

Staff are told to use internal hotlines or vendor platforms that feel aligned with the organisation, not with them. As a result, serious concerns never leave private chat groups.

No clear chain of custody for digital evidence

Files move between inboxes, messaging apps, and shared drives. When somebody challenges your account, you do not have a clear, technical story of what was sent, when, and from where.

Sites that fold under targeted attention

A disclosure surfaces, people rush to the site, lawyers take an interest, and the mix of traffic and pressure breaks a fragile build or cheap hosting plan.

Weak logging and no view of patterns

Basic analytics cannot show whether someone is quietly probing your reporting routes, lifting entire pages, or attempting to exploit mistakes in configuration.

Unclear promises made to whistleblowers

Websites promise words like anonymous, safe, and secure without understanding the technical trade offs. That is unfair to disclosers and creates risk for receivers.

This offer is about aligning what you say with what you actually do, with conservative technical choices that keep everyone safer.

How I help independent receivers

If you are the one receiving disclosures, your responsibilities are heavy. Your infrastructure should support that, not undermine it.

Static sites with no exposed login pages or fragile plugins. See Secure static sites.
Cloudflare hardened with rules tuned for sensitive intake routes, not just generic traffic.
Secure contact routes using PGP so whistleblowers can send encrypted messages and attachments. See Secure PGP contact.
Evidence grade logging on the intake side, so you can show timelines, challenge attempts, and any hostile probing you receive. See Evidence grade logging once live.
Lawful fingerprinting for your own domain, so repeat devices and suspicious behaviour are visible even when IPs change. See Fingerprinting and Edge Tracker.

How I help internal whistleblowers and small groups

If you are the person inside an organisation, you do not need a complicated platform. You need a stable, simple site you can control that supports whatever route you choose to take.

Personal or small team sites that document patterns, timelines, and evidence in a clear, structured way.
Private or semi private pages that can later be made public when it is safe to do so.
PGP contact options if you want to allow outside supporters, journalists, or advisers to reach you securely.
DNS and email sanity so replies to regulators, ombudsmen, or MPs do not vanish into spam.

I do not tell you when or how to disclose. I make sure that, when you decide, the technical side is not held together with string.

Evidence, expectations, and real world pressure

Whistleblowing and public interest disclosures attract a specific kind of traffic and attention. Your site should assume that from day one.

That can include quiet monitoring by internal teams, legal firms checking wording, external contractors scanning your routes, and sudden bursts of public interest when a story lands. Logs, fingerprinting, and Cloudflare rules can give you a clear view of that activity.

The point is not to create drama. It is to have a record you can use calmly if somebody later claims that nothing happened or that you are exaggerating.

If you want a deeper view of monitoring and patterns, see the public interest overview section on Expected monitoring.

Boundaries for whistleblower related work

These limits are there so that whistleblowers and receivers know exactly what Ki-Ki does and does not do.

Ki-Ki provides technical services only. I do not act as a lawyer, investigator, or case handler for whistleblowing matters.
I do not read, analyse, or advise on the substance of disclosures. My work is focused on infrastructure and process, not the claims themselves.
I do not draft or host pages that name individuals as wrongdoers or run public naming campaigns. If you publish that kind of material, it is your decision and responsibility.
Any copy I help with will be neutral and factual, and will only go live after your written approval.
You must not suggest that Ki-Ki endorses your allegations, your targets, or your position in any dispute.
If it becomes clear that a project is likely to cross into unlawful activity or unmanaged serious risk, I will refuse or end the engagement.

The full position is set out in the Neutral infrastructure policy. Your use of Ki-Ki is also governed by the Terms of use and Privacy policy.

Questions people usually ask about whistleblower work

Can you guarantee anonymity for whistleblowers?

No one can honestly guarantee anonymity. What I can do is design routes that minimise unnecessary data, use encryption properly, and avoid fragile platforms. I will also be clear about what is and is not realistic for your situation.

Do you work directly with individual whistleblowers?

I can work with individuals or small groups where there is a clear, lawful public interest goal and a sensible scope. I do not act as a case adviser or representative. I look after the technical side and point you toward independent sources of legal advice where appropriate.

Can you help us receive disclosures securely?

Yes. That is a core part of this offer. I can set up secure PGP based contact routes, harden the site, and give you a clear process for handling incoming messages and files on your side.

Will fingerprinting reveal which staff member made a disclosure?

No. Fingerprinting identifies devices and sessions on your own site, not real world identities. It can show patterns, repeat access, and attempts to evade logging, but it cannot tell you which named person typed the message.

Can you help if we already have a vendor whistleblowing platform?

Often yes. I can help you understand the technical reality of what it is doing, improve the surrounding infrastructure, and design a separate route if you want an additional, independent option.

How do you handle conflicts of interest?

If I am already working with an organisation in a way that would create a clear conflict with a proposed whistleblower project, I will say so and decline the new work. I do not sit on both sides of the same dispute.

Start the conversation

Set out, in simple terms, what kind of disclosures you are dealing with, who might be unhappy about them, and what you already have in place. I will tell you plainly whether I am the right person and what a realistic first step looks like.

[email protected] Consulting overview Public interest overview