Cybersecurity & Tech Democracy & Elections Foreign Relations & International Law Surveillance & Privacy

Manufactured Whistleblowing: Data Leaks as Subversion

Libby Lange, Doowan Lee
Friday, July 23, 2021, 8:01 AM

Manufactured whistleblowing has become an element of disinformation campaigns to disrupt Taiwan’s sovereignty and stability.

Xinhuamen, the gate to the Zhongnanhai compound which houses the headquarters for the Chinese Communist Party and China's State Council. (Jorge Láscar,; CC BY 2.0,

Published by The Lawfare Institute
in Cooperation With

Information operations have become a pernicious staple in interstate relations, especially between Taiwan and the People’s Republic of China (PRC). Taiwan has long been a key battleground of disinformation and cyber operations in the Chinese Communist Party’s (CCP’s) efforts to disrupt the organic political process across the strait. It appears manufactured whistleblowing is the latest technique employed against the more independently oriented Tsai administration. Whistleblowing, as defined by the National Whistleblower Center, is the act of “reporting waste, fraud, abuse, corruption or dangers to public health and safety to someone who is in the position to rectify the wrongdoing.” While the concept may carry a righteous notion of exposing political corruption, whistleblowing, when done in public view, can also be effectively weaponized to undermine the legitimacy of government agencies or elected officials.

First Attempt

On Oct. 17, 2020, a newly created account on a Hong Kong online discussion forum, claiming to be a former employee from the Taiwanese National Security Bureau, posted what appeared to be a list of people being monitored by the Taiwanese government.

This list included the names of politicians, diplomatic officers stationed in Taiwan, current and retired military officials, and journalists. Each entry in the list followed the same format: the office responsible for monitoring (either the National Security Bureau or the Ministry of Justice Investigation Bureau), the month and year when monitoring began (ranging from 2016 to 2020), the name of the person or organization being monitored, and their phone number. At first glance, it appeared to be an act of conscientious whistleblowing exposing an illegal government overreach into private data. However, certain aspects of the incident suggest that the whistleblowing may have been manufactured with the goal of amplifying a larger disinformation campaign designed to undermine public confidence in the Tsai government. The government and public responses to the incident exemplify the difficulty of responding to suspected information operations that touch on sensitive national security issues.

On Oct. 21, 2020, a group of Twitter accounts began to share the post using hashtags such as “abuse of power,” “National Security Bureau” and “Republic of China.” Top national security officials in Taiwan later confirmed that these accounts were fake. And several factors seem to support the government’s assessment. None of the accounts had profile photos, they did not follow any accounts nor have any followers, and all accounts posted only one tweet. Each of these tweets received hundreds of likes, but most had no retweets. Moreover, six of the accounts were created on the same date within a 10-minute span. At the time, this limited effort received little notice from the wider public.

If at First You Don’t Succeed ...

In February 2021, Taiwan’s National Security Bureau released a statement that media outlets had reported these fake posts to them, and that the media themselves had received letters from this anonymous “Taiwan Whistleblower” (台灣吹哨者) listing a total of 162 people and organizations allegedly being monitored. The NSB called the incident “a classic example of external forces conducting cognitive warfare against Taiwan through misinformation and disinformation.”

The reality, however, is not so black and white. In fact, plausibility is central to successful disinformation campaigns, partly because it makes them so much harder to refute. When asked to comment on the authenticity of the list by an opposition legislator, former NSB chief and current Minister of Defense Chiu Kuo-cheng stated that some contents were true and some were false. He declined to give further details. In response to a question about whether the government had ever ordered the phones of opposition party leaders in Taiwan be monitored, Premier Su Tseng-chang stated that he had never given such an order. He, too, declined to comment further.

In the wake of these responses, legislators from both sides of the aisle called for the government to release to the public more information about the authenticity of these reports.

The impact of this incident is difficult to measure, partly due to the prevalence of information sharing among private group chats in Taiwan. Media reporting in Taiwan focused largely on the NSB’s response, although some media commentators latched on to the existence of a whistleblower within the NSB. Only one editorial pointed out that this incident could be a window into deeper issues in Taiwan’s information space, although the authors remain noncommittal about whether the issue is government abuse of power or CCP infiltration into Taiwan’s national security networks. No observers have raised the possibility that the incident could be due to cyber vulnerabilities.

Responses from political parties have also been fairly muted, perhaps due to the government’s clear branding of the operation as cognitive warfare. However, at least one legislator has publicly questioned officials on the authenticity of the list’s contents. Officials’ failure to give conclusive answers could feed into the idea that at least some of the entries are genuine. One media outlet claimed that it was able to dial at least one of the numbers on the list, although no one answered. Thus, it is unclear how many, if any, of the numbers are real.

Connecting the Dots

There has not yet been any official confirmation about the source of this operation, but a number of clues point to China. First, the list was sent out to media outlets just days after President Tsai announced China-focused changes to her national security team, suggesting that the goal may have been to undermine the legitimacy of Taiwan’s national security apparatus at a time when it was not as well equipped to respond. The alleged whistleblower’s claim that the Taiwanese government was monitoring the phones of diplomats from the United States, Japan, Australia and New Zealand would also suggest that it came from a source across the strait seeking to sow distrust among some of Taiwan’s staunchest allies.

Contextual clues also suggest CCP involvement: The list posted in the Hong Kong forum contains dozens of entries spanning multiple years, but the earliest entry begins in June 2016, just one month after Tsai, a member of the less amenable Democratic Progressive Party (DPP), took office. Moreover, titles such as National Chengchi University were changed to Taiwan Chengchi University, a common practice in China. A number of entries on the leaked list included outdated titles and positions for Taiwanese opposition politicians. Furthermore, some of the titles were inaccurate as they were the official titles used only by the PRC government. There were also a number of incorrect characters that apparently resulted from the contents being put through a Simplified-Traditional Chinese converter.

Puma Shen, director of Doublethink Lab and frequent commentator on information operations in Taiwan, pointed out that officially directed operations would not contain so many linguistic errors, a nontrivial indication of inauthentic influence. He proposed two likely perpetrators: passionate young Chinese nationalists not employed by the state known as “little pinks” or, on a slightly more sophisticated level, an outsourced company. While the posting of the list was crude, the incident has received an unexpected boost in longevity due to yet another feature of Taiwan’s democracy: the rule of law. According to authorities, an investigation into the incident is currently underway. This means sensitive information cannot be released to the public, creating a communication gap that can be exploited to generate even more suspicion. Twitter also has yet to take action against the accounts that shared the original whistleblowing post.

Despite the initial sensationalism of the incident, the operation was haphazardly executed. It appears to be a persistent, if bumbling, attempt to sow discord both within Taiwan and among Taiwan’s allies. When one avenue—social media—failed to produce desired results, the perpetrators turned to traditional media, perhaps knowing that the presence of so many opposition political figures on the list would make it an attractive story to more partisan outlets.

This is not the first time “leaks” with suspicious origins have been used to undermine the Tsai government. In May 2020, the same month Tsai was inaugurated for a second term, files that appeared to be doctored Office of the President documents were released to the public. A lengthy investigation into allegations of hacking ensued, with the office later concluding that the documents were in fact forged, not stolen in a hack.

As of the time of this writing, it is impossible to know what portions of the list, whether phone numbers or actual records of government monitoring, were genuine. But generally speaking, this incident indicates something quite subversive: discord by exploiting democratic practices. In other words, manufactured whistleblowing with sensitive data can act as a particularly disruptive form of disinformation operation. These kinds of information operations are truly multifaceted. They may employ cyber hacking to steal personal data, use such data on social media to disseminate false information, and exploit the perception of whistleblowing to establish an illusion of corruption. The NSB monitoring list incident is a good example of how cyber-enabled disinformation campaigns unfold to create the illusion of whistleblowing designed to prop up friendly politicians and undermine organic political dynamics. This is another gap in the information environment that most democracies are ill prepared to cope with. Taiwan offers insightful lessons on the evolution of how disinformation is fused with cyberattacks.

The NSB list scandal suggests that disinformation mitigation requires more combined efforts with data protection and cybersecurity. Some of the information in the scandal appears to have been stolen. However, neither the main opposition party the Kuomintang (KMT) nor the DPP has any incentives to acknowledge parts of the list were obtained by a cyber hack. For the KMT, to suggest a hack would mean publicly admitting it was using data stolen by CCP-aligned groups to discredit the Tsai government. For the DPP, acknowledging a hack would only reinforce the narrative that the NSB was indeed monitoring not only politicians and diplomats but also private citizens without their knowledge. However, the threat of politically motivated data theft in Taiwan has been growing for years. Taiwanese government agencies reported 1,709 cybersecurity incidents between 2018 and 2020. Moreover, suspected CCP-affiliated groups have frequently targeted government agencies. Investigators say that these groups have long since gained access to both agencies and third-party providers.

The NSB list scandal points to an added layer of disruption exacerbating subversive information operations in Taiwan. Malign actors can mix stolen data with misleading narratives to engineer the perception of political corruption and undermine a democratically elected government. While cybersecurity and open-source intelligence have matured in the past two decades, they are rarely addressed together. This is a gap that the CCP may be attempting to exploit in order to disrupt and undermine the democratically elected government of Taiwan. Disinformation analysts and researchers need to pay far more attention to the nexus between stolen data and malign information operations.

Libby Lange is an MA student and Kerry Fellow at Yale’s Jackson Institute for Global Affairs, where she studies the intersection between influence operations and cybersecurity in the context of U.S.-China relations. Prior to coming to Yale, Libby worked as the lead English speechwriter and social media manager for Taiwanese President Tsai Ing-wen, an experience that sparked her interest in how narratives are formed and weaponized in the age of social media. During her time at the Office of the President, Libby accompanied President Tsai on state visits throughout the Caribbean and worked closely with the Director-General of the National Security Council. Libby graduated from National Taiwan University in 2018 with a B.A. in international relations and is fluent in Mandarin Chinese.
Doowan Lee is a senior advisor to the Institute for Security and Technology (IST) and adjunct professor of politics at the University of San Francisco. He leverages emerging AI technologies to empower open society and support national security. He specializes in disinformation analysis and great power competition in the information environment. Before joining IST, he taught at the Naval Postgraduate School for more than eleven years as a faculty member and principal investigator. There he developed and executed operational and communications technology projects with federal R&D agencies to support the US government’s efforts to combat violent extremist networks and authoritarian regimes. In particular, he has closely worked with the US special operations community to support overseas operations. Central to this work is a focus on how the CCP and the Kremlin exploit social media and emerging technologies to threaten democracy and open society.

Subscribe to Lawfare