Whistleblower protection laws generally do not require that the "appropriate regulatory agency" be the only person to whom disclosure is made...
Publishing internal documents is the last resort after everything else has failed.
No, that's usually the first and best option once the company has been made aware of the problem and chooses not to correct it...as is what is alleged happened here. Why make vague statements that Company X ignored Problem Y when you can just provide documents proving your claims?
> Whistleblower protection laws generally do not require that the "appropriate regulatory agency" be the only person to whom disclosure is made...
Whistleblower protection laws in some cases don't even exist and even where they do you're typically not going to have a fun time if you have to use them. When it comes down to it you do what you've got to do, but going there first rather than last is not a really great idea.
> No, that's usually the first and best option once the company has been made aware of the problem and chooses not to correct it...as is what is alleged happened here. Why make vague statements that Company X ignored Problem Y when you can just provide documents proving your claims?
For one thing, documents rarely prove anything on their own (how do you even know they're not forgeries?) without the investigatory powers needed to verify the information in them. Which the government has and Twitter doesn't.
For one thing, documents rarely prove anything on their own (how do you even know they're not forgeries?) without the investigatory powers needed to verify the information in them. Which the government has and Twitter doesn't.
We don't. The government is also not the only entity that can perform forensics on purported documents. News companies do it all the time, and their are hundreds of e-forensics firms in the US and EU that could happily do it for a fee. There's also thousands of people with access to Twitter and the spare time to dig into any purported document leaks to verify them for accuracy. In fact, Twitter is a good (but not even remotely the best) way to get all the interested/competent parties aware of the documents.
Forensics on digital documents can be a lot of pseudo-science, especially when you're talking about text documents and spreadsheets. Legitimate documents can have as many anomalies as a half decent forgery.
Confirmation is having somebody to go to the place and see if the materials alleged to be there are actually there. Unless you're lucky enough for them to be clearly and unambiguously visible from public space, that means you need some kind of authorization to go in and have a look. A picture of an unknown container is not very helpful.
> In fact, Twitter is a good (but not even remotely the best) way to get all the interested/competent parties aware of the documents.
What's wrong with bringing them privately to the subset of the parties whose interest is in fixing the problem?
Internal documents can contain confidential business information that is of use to competitors etc. which it may be illegal or a violation of an NDA for you to expropriate and publish. Then it becomes a public exhibit of everyone attacking each other and defending themselves instead of people working to actually solve the problem.
Moreover, "a company" doesn't do stuff, its employees do. If you're the employee, the first person whose job it is to keep the company from doing dumb stuff is you. And there is a process for that. If you're the one responsible for it, you fix it. If you're not, you alert the person who is, then their boss if that doesn't work and on up the chain to the government until it gets fixed. If that process works then the problem gets solved without there being anything to create a media storm over, and if that process would have worked but you decided to skip it then you're creating a media storm over nothing.
I guess it depends on the intent of the whistle blower. Is there a Project Zero type of way to publish? Wikileaks? Why does it have to go to any gov't body first? If the information is leaked out, do the governing agencies have a responsibility to investigate based on the leaked information or only investigate the suspect for leaking? Paralysis by analysis can be applied here, so just publish and let the chips fall where they may?
