Why did you disclose your Whistleblower (though this term barely fits here) to his employer? I don't understand what you are trying to achieve here. This will prevent further WBs from contacting you I'm afraid.
First, on the word "whistleblower." A whistleblower is someone who, at personal cost, discloses institutional wrongdoing to the public. Dan Norman sent us, unsolicited, from his corporate Elsevier email, during his work hours, using authenticated Scopus credentials, a document demonstrating methodology for identifying cleared US defense personnel through his employer's own products. The document did not mention 3I/ATLAS once, the topic his outreach claimed to be about. On Signal, in the same conversation, he stated papers could be blocked at peer review by disagreeing reviewers and denied in the same breath that suppression was occurring. That is not whistleblowing. That is something else. THE PUBLICATION GAP documented what it was. Readers can decide.
Second, on "disclosure to his employer." We did not disclose Mr. Norman to Elsevier. Mr. Norman disclosed himself to Elsevier when he used Elsevier's authenticated corporate infrastructure, Elsevier's email servers, Elsevier's Microsoft 365 tenant, Elsevier's Scopus credentials, and Elsevier's LeapSpace access to transmit material to an independent publication. Every one of those systems logs every action. Elsevier has known about this outreach since the moment he sent it, because Elsevier's systems told them. The formal email on Monday did not disclose anything. It asked Elsevier to place its existing institutional knowledge on the record.
Third, on what this prevents. Legitimate whistleblowers do not use their employer's corporate infrastructure to contact press. They use personal devices, anonymous channels, and secure drops.
The Sentinel Network™ operates sentinel.intel.drop@proton.me for exactly that purpose. Our source protection standards are documented in THE PUBLICATION GAP in forensic detail, we redacted every piece of identifying metadata that could have named Mr. Norman before publication, and we would do the same for any genuine source who contacted us through an appropriate channel. What this does prevent is corporate employees using company infrastructure to socially engineer independent press while publicly claiming whistleblower status. That prevention is a feature.
He may have acted not in a very professional way. You don't know if this was a deliberate attempt to manipulate you (If it WAS, it was pathetic, right?). You just assume that the EMail he sent you was tracked by his employer, what if it wasn't? Then you exposed him to his employer.
On "you don't know if it was tracked." Every corporate Microsoft 365 tenant logs every outbound email at the server level. That is how Microsoft 365 is architected. It is not a feature Elsevier can opt out of. The document Mr. Norman sent also carried Microsoft Information Protection sensitivity labels, which are applied by the tenant's compliance engine and recorded in the compliance log. The Scopus session IDs embedded in the file require authentication through Elsevier's SSO, which is also logged. The LeapSpace follow-up files were generated on Elsevier's own internal research tool, which is logged at the service level.
On "deliberate attempt to manipulate." We made no claim about his intent. THE PUBLICATION GAP described what he did and the infrastructure he used to do it. THE FOLLOW-UP describes the institutional response to being asked about it. Readers are free to draw their own conclusions about intent. We drew none.
Why did you disclose your Whistleblower (though this term barely fits here) to his employer? I don't understand what you are trying to achieve here. This will prevent further WBs from contacting you I'm afraid.
First, on the word "whistleblower." A whistleblower is someone who, at personal cost, discloses institutional wrongdoing to the public. Dan Norman sent us, unsolicited, from his corporate Elsevier email, during his work hours, using authenticated Scopus credentials, a document demonstrating methodology for identifying cleared US defense personnel through his employer's own products. The document did not mention 3I/ATLAS once, the topic his outreach claimed to be about. On Signal, in the same conversation, he stated papers could be blocked at peer review by disagreeing reviewers and denied in the same breath that suppression was occurring. That is not whistleblowing. That is something else. THE PUBLICATION GAP documented what it was. Readers can decide.
Second, on "disclosure to his employer." We did not disclose Mr. Norman to Elsevier. Mr. Norman disclosed himself to Elsevier when he used Elsevier's authenticated corporate infrastructure, Elsevier's email servers, Elsevier's Microsoft 365 tenant, Elsevier's Scopus credentials, and Elsevier's LeapSpace access to transmit material to an independent publication. Every one of those systems logs every action. Elsevier has known about this outreach since the moment he sent it, because Elsevier's systems told them. The formal email on Monday did not disclose anything. It asked Elsevier to place its existing institutional knowledge on the record.
Third, on what this prevents. Legitimate whistleblowers do not use their employer's corporate infrastructure to contact press. They use personal devices, anonymous channels, and secure drops.
The Sentinel Network™ operates sentinel.intel.drop@proton.me for exactly that purpose. Our source protection standards are documented in THE PUBLICATION GAP in forensic detail, we redacted every piece of identifying metadata that could have named Mr. Norman before publication, and we would do the same for any genuine source who contacted us through an appropriate channel. What this does prevent is corporate employees using company infrastructure to socially engineer independent press while publicly claiming whistleblower status. That prevention is a feature.
He may have acted not in a very professional way. You don't know if this was a deliberate attempt to manipulate you (If it WAS, it was pathetic, right?). You just assume that the EMail he sent you was tracked by his employer, what if it wasn't? Then you exposed him to his employer.
On "you don't know if it was tracked." Every corporate Microsoft 365 tenant logs every outbound email at the server level. That is how Microsoft 365 is architected. It is not a feature Elsevier can opt out of. The document Mr. Norman sent also carried Microsoft Information Protection sensitivity labels, which are applied by the tenant's compliance engine and recorded in the compliance log. The Scopus session IDs embedded in the file require authentication through Elsevier's SSO, which is also logged. The LeapSpace follow-up files were generated on Elsevier's own internal research tool, which is logged at the service level.
On "deliberate attempt to manipulate." We made no claim about his intent. THE PUBLICATION GAP described what he did and the infrastructure he used to do it. THE FOLLOW-UP describes the institutional response to being asked about it. Readers are free to draw their own conclusions about intent. We drew none.