{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,22]],"date-time":"2025-10-22T00:48:48Z","timestamp":1761094128368,"version":"build-2065373602"},"reference-count":63,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,10,21]],"date-time":"2025-10-21T00:00:00Z","timestamp":1761004800000},"content-version":"vor","delay-in-days":293,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004281","name":"National Science Centre","doi-asserted-by":"publisher","award":["2023\/51\/I\/ST6\/02770"],"award-info":[{"award-number":["2023\/51\/I\/ST6\/02770"]}],"id":[{"id":"10.13039\/501100004281","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The EU Whistleblower Directive aims to create a framework where the persons reporting breaches of EU law are protected against retaliation. In contrast to GDPR, it is mainly based on trust assumptions and not on the concept of privacy and security by design. As we are explicitly dealing with problems of unlawful behavior, this is a critical issue. In this paper, we analyze the role of pseudonymization, the main technical tool promoted in the GDPR, within the Whistleblower Directive. To see the real impact of the Directive, we analyze how these issues are reflected in the national law in Germany and Poland. We show that the current law does not take advantage of the opportunities given by pseudonymization and does not create a clear legal framework that can be converted to problem-relevant technical requirements. Even worse, it allows the Member States to ban anonymous reports. On the other hand, we show that so far, no pseudonymization tool developed within official ID management frameworks addresses all threats to reporting systems.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf028","type":"journal-article","created":{"date-parts":[[2025,10,21]],"date-time":"2025-10-21T14:46:29Z","timestamp":1761057989000},"source":"Crossref","is-referenced-by-count":0,"title":["Pseudonymization and reporters\u2019 protection by design in the EU whistleblower directive"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3192-2430","authenticated-orcid":false,"given":"Miros\u0142aw","family":"Kuty\u0142owski","sequence":"first","affiliation":[{"name":"NASK National Research Institute Cryptology Department, , Kolska 12, 01-045 Warsaw ,","place":["Poland"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-8560-5300","authenticated-orcid":false,"given":"Gabriel","family":"Wechta","sequence":"additional","affiliation":[{"name":"NASK National Research Institute Cryptology Department, , Kolska 12, 01-045 Warsaw ,","place":["Poland"]}]}],"member":"286","published-online":{"date-parts":[[2025,10,21]]},"reference":[{"key":"2025102110462464400_bib1","doi-asserted-by":"publisher","first-page":"543","DOI":"10.1007\/s11673-020-09990-x","article-title":"Humiliating Whistle-Blowers: Li Wenliang, the Response to Covid-19, and the Call for a Decent Society","volume":"17","author":"Nie","year":"2020","journal-title":"J Bioethic Inq"},{"key":"2025102110462464400_bib2","article-title":"Whistleblowers You Should Know: Learn more about courageous individuals who have come forward to expose wrongdoing","author":"National Whistleblower Center","year":"2024"},{"key":"2025102110462464400_bib3","article-title":"Directive (EU) 2019\/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law","author":"European Parliament and Council of the European Union","year":"2024"},{"key":"2025102110462464400_bib4","first-page":"1291","article-title":"Making Whistleblowers Whole","volume":"12","author":"Pacella","year":"2022","journal-title":"UC Irvine Law Rev"},{"key":"2025102110462464400_bib5","doi-asserted-by":"publisher","first-page":"665","DOI":"10.1111\/ablj.12131","article-title":"Whistleblowers Need Not Apply","volume":"55","author":"Eisenstadt","year":"2018","journal-title":"Am Bus Law J"},{"key":"2025102110462464400_bib6","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3390\/admsci13090199\"&gt;10.3390\/admsci13090199","article-title":"Exploring attitudes towards Whistleblowing in relation to sustainable municipalities","volume":"13","author":"Cheliatsidou","year":"2023","journal-title":"Adm Sci"},{"key":"2025102110462464400_bib7","doi-asserted-by":"publisher","first-page":"573","DOI":"10.2478\/slgr-2023-0033","article-title":"The (Legal) status of a Whistleblower in Poland. Selected Issues","volume":"68","author":"Zi\u00f3\u0142kowska","year":"2023","journal-title":"Studies in Logic, Grammar and Rhetoric"},{"key":"2025102110462464400_bib8","article-title":"Whistleblowing in Italy: The EU Whistleblower Protection Directive","author":"NAVEX","year":"2021"},{"key":"2025102110462464400_bib9","doi-asserted-by":"publisher","first-page":"999","DOI":"10.1108\/jfc-04-2022-0091","article-title":"Cultural aspects of the EU-Whistleblowing Directive","volume":"30","author":"Teichmann","year":"2022","journal-title":"J Financ Crime"},{"key":"2025102110462464400_bib10","doi-asserted-by":"publisher","first-page":"121","DOI":"10.15290\/bsp.2022.27.04.08","article-title":"Poles\u2019 attitudes to the concept of Whistleblowing. historical and present background","volume":"27","author":"Kun-Buczko","year":"2022","journal-title":"Bia\u0142ostockie Studia Prawnicze"},{"key":"2025102110462464400_bib11","first-page":"39","article-title":"The cybersecurity threat: compliance and the role of Whistleblowers","volume":"11","author":"Pacella","year":"2016","journal-title":"Brooklyn J Corporate, Financ Comm Law"},{"key":"2025102110462464400_bib12","doi-asserted-by":"crossref","first-page":"14","DOI":"10.9785\/cri-2020-210104","article-title":"The new EU Whistleblowing directive","volume":"21","author":"Kaufmann","year":"2019","journal-title":"Comput Law Rev Int"},{"key":"2025102110462464400_bib13","doi-asserted-by":"publisher","first-page":"553","DOI":"10.1108\/JFRC-12-2021-0118","article-title":"Whistleblowing: procedural and dogmatic problems in the implementation of directive (EU) 2019\/1937","volume":"30","author":"Teichmann","year":"2022","journal-title":"J Financ Regul Comp"},{"key":"2025102110462464400_bib14","doi-asserted-by":"publisher","first-page":"52","DOI":"10.2478\/wrlae-2024-0002","article-title":"Pitfalls in implementing the EU Whistleblower directive","volume":"14","author":"Scheu","year":"2024","journal-title":"Wroclaw Review of Law, Administration & Economics"},{"key":"2025102110462464400_bib15","article-title":"Coercion-Resistant Electronic Elections","author":"Juels","year":"2002"},{"key":"2025102110462464400_bib16","article-title":"Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation) (Text with EEA relevance)","author":"European Parliament","year":"2016"},{"key":"2025102110462464400_bib17","article-title":"Guidelines 01\/2025 on Pseudonymisation","author":"European Data Protection Board","year":"2025"},{"key":"2025102110462464400_bib18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.48550\/ARXIV.2111.02825","article-title":"Whistleblower protection in the digital age\u2013why \u2018anonymous\u2019 is not enough. From technology to a wider view of governance","volume":"31","author":"Berendt","year":"2022","journal-title":"Int Rev Inf Ethics"},{"key":"2025102110462464400_bib19","article-title":"Whistleblower law across Europe\u2014country list","author":"Agata","year":"2024"},{"key":"2025102110462464400_bib20","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2405.01097","article-title":"Silencing the risk, not the whistle: a semi-automated text sanitization tool for mitigating the risk of Whistleblower re-identification","author":"Staufer","year":"2024"},{"key":"2025102110462464400_bib21","article-title":"America\u2019s First Whistleblowers","author":"University of South Carolina Audit and Advisory Services","year":"2021"},{"key":"2025102110462464400_bib22","article-title":"Unsafe at any speed: the designed-in dangers of the American Automobile","author":"Nader","year":"1965"},{"key":"2025102110462464400_bib23","article-title":"\u2018An Unheard of Dream\u2019: Ralph Nader\u2019s 50 Years in Whistleblowing","author":"Whistleblower Network News.","year":"2021"},{"key":"2025102110462464400_bib24","article-title":"Whistleblowing: international standards and developments","author":"Banisar","year":"2011"},{"key":"2025102110462464400_bib25","article-title":"3D-Speaker-Toolkit: an open source Toolkit for multi-modal speaker verification and diarization","author":"Chen","year":"2024"},{"key":"2025102110462464400_bib26","volume-title":"ESPnet-SPK: full pipeline speaker embedding toolkit with reproducible recipes, self-supervised front-ends, and off-the-shelf models","author":"Jung","year":"2024"},{"key":"2025102110462464400_bib27","doi-asserted-by":"crossref","DOI":"10.1007\/3-540-44987-6_7","article-title":"An efficient system for non-transferable anonymous credentials with optional anonymity revocation","author":"Camenisch","year":"2001"},{"key":"2025102110462464400_bib28","doi-asserted-by":"publisher","DOI":"10.6028\/nist.ir.8105","volume-title":"Report on post-quantum cryptography","author":"Chen","year":"2016"},{"key":"2025102110462464400_bib29","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1109\/CCNC.2011.5766527","volume-title":"Signing with multiple ID\u2019s and a single key","author":"Kuty\u0142owski","year":"2011"},{"key":"2025102110462464400_bib30","volume-title":"Technical Guideline TR-03110 v2.21\u2013Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token","author":"Bundesamt f\u00fcr Sicherheit in der Informationstechnik","year":"2016"},{"key":"2025102110462464400_bib31","volume-title":"Regulation (EU) 2024\/1183 of the European Parliament and of the Council","author":"The European Commission","year":"2024"},{"key":"2025102110462464400_bib32","article-title":"The Tor Project","author":"The Tor Project","year":"2023"},{"key":"2025102110462464400_bib33","volume-title":"Act for better protection of whistleblowers (Whistleblower Protection Act - HinSchG) (German)","author":"Bundestag","year":"2023"},{"key":"2025102110462464400_bib34","volume-title":"ACT of June 14, 2024 on the protection of whistleblowers. (Polish)","author":"Polish Parliament","year":"2024"},{"key":"2025102110462464400_bib35","article-title":"OPINION OF ADVOCATE GENERAL SPIELMANN, European Data Protection Supervisor v Single Resolution Board","author":"Court of Justice of the European Union","year":"2025"},{"key":"2025102110462464400_bib36","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1007\/978-1-4757-0602-4_18","article-title":"Blind signatu`res for untraceable payments","volume-title":"Advances in Cryptology","author":"Chaum","year":"1983"},{"key":"2025102110462464400_bib37","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1007\/978-3-642-32298-3_15","article-title":"Restricted identification scheme and diffie-hellman linking problem","volume-title":"Trusted Systems","author":"Kuty\u0142owski","year":"2012"},{"key":"2025102110462464400_bib38","doi-asserted-by":"publisher","first-page":"467","DOI":"10.1007\/978-3-319-40367-0_31","article-title":"Pseudonymous signature on eIDAS token - implementation based privacy threats","volume-title":"Information Security and Privacy - 21st Australasian Conference, ACISP 2016, Melbourne, VIC, Australia, July 4-6, 2016, Proceedings, Part II. Vol. 9723 of Lecture Notes in Computer Science","author":"Kuty\u0142owski","year":"2016"},{"key":"2025102110462464400_bib39","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1007\/978-3-540-47942-0_9","article-title":"Zero-Knowledge Proofs of Possession of Digital Signatures and Its Applications","volume-title":"Information and Communication Security, Second International Conference, ICICS\u201999, Sydney, Australia, November 9-11, 1999, Proceedings. Vol. 1726 of Lecture Notes in Computer Science","author":"Nguyen","year":"1999"},{"key":"2025102110462464400_bib40","article-title":"zk-SNARKs: A Gentle Introduction","author":"Nitulescu","year":"2020"},{"key":"2025102110462464400_bib41","article-title":"Designated-Verifier zk-SNARKs Made Easy","author":"Li","year":"2024"},{"key":"2025102110462464400_bib42","first-page":"369","article-title":"A Digital Signature Based on a Conventional Encryption Function","volume-title":"Advances in Cryptology \u2014 CRYPTO '87","author":"Merkle","year":"1987"},{"key":"2025102110462464400_bib43","doi-asserted-by":"publisher","DOI":"10.17487\/RFC5755","article-title":"An Internet Attribute Certificate Profile for Authorization","author":"Turner","year":"2010"},{"key":"2025102110462464400_bib44","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/978-3-642-03315-5_8","article-title":"A survey on non-transferable anonymous credentials","volume-title":"The Future of Identity in the Information Society","author":"Pape","year":"2009"},{"key":"2025102110462464400_bib45","doi-asserted-by":"publisher","first-page":"22328","DOI":"10.1109\/ACCESS.2019.2896108","article-title":"A survey on consensus mechanisms and mining strategy management in Blockchain Networks","volume":"7","author":"Wang","year":"2019","journal-title":"IEEE Access"},{"key":"2025102110462464400_bib46","article-title":"Cryptographers\u2019 Feedback on the EU Digital Identity\u2019s ARF","author":"Baum","year":"2024"},{"key":"2025102110462464400_bib47","volume-title":"European Digital Identity Wallet: Architecture and Reference Framework","author":"European Commission","year":"2024"},{"key":"2025102110462464400_bib48","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1515\/popets-2018-0026","article-title":"Privacy pass: bypassing internet challenges anonymously","volume":"2018","author":"Davidson","year":"2018","journal-title":"Proceedings on Privacy Enhancing Technologies"},{"key":"2025102110462464400_bib49","volume-title":"Overview of the FIDO alliance","author":"FIDO Alliance","year":"2023"},{"key":"2025102110462464400_bib50","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1007\/3-540-68697-5_8","article-title":"The dark side of \u201cblack-box\u201d cryptography or: should we trust capstone?","volume-title":"Advances in Cryptology\u2014CRYPTO \u201996","author":"Young","year":"1996"},{"key":"2025102110462464400_bib51","article-title":"Zero to Monero:\u00a0Second Edition","author":"Koe","year":"2020"},{"key":"2025102110462464400_bib52","doi-asserted-by":"crossref","DOI":"10.1109\/SP.2014.36","article-title":"Zerocash: decentralized anonymous payments from Bitcoin","author":"Ben-Sasson","year":"2014"},{"key":"2025102110462464400_bib53","volume-title":"Directive (EU) 2019\/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law","author":"European Parliament and Council of the European Union","year":"2019"},{"key":"2025102110462464400_bib54","volume-title":"EU sanctions compliance reporting platform","author":"The European Commission","year":"2024"},{"key":"2025102110462464400_bib55","volume-title":"U-prove technology overview","author":"Paquin","year":"2024"},{"key":"2025102110462464400_bib56","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1145\/586110.586114","article-title":"Design and implementation of the idemix anonymous credential system","volume-title":"Proceedings of the 9th ACM Conference on Computer and Communications Security","author":"Camenisch","year":"2002"},{"key":"2025102110462464400_bib57","volume-title":"U-Prove Cryptographic Specification","author":"Paquin","year":"2014"},{"key":"2025102110462464400_bib58","doi-asserted-by":"crossref","DOI":"10.1145\/2714576.2714597","volume-title":"Tracing attacks on U-Prove with revocation mechanism","author":"Hanzlik","year":"2015"},{"key":"2025102110462464400_bib59","volume-title":"Specification of the Identity Mixer Cryptographic Library Version 2.3.0","author":"IBM Research","year":"2009"},{"key":"2025102110462464400_bib60","volume-title":"MSP Implementation with Identity Mixer","author":"Hyperledger Fabric Project","year":"2024"},{"key":"2025102110462464400_bib61","volume-title":"PrimeLife Project","author":"ERCIM","year":"2011"},{"key":"2025102110462464400_bib62","volume-title":"ABC4Trust Research Project","author":"CryptoExperts"},{"key":"2025102110462464400_bib63","article-title":"Idemix: Identity Mixer","author":"IBM","year":"2024"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf028\/64829139\/tyaf028.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf028\/64829139\/tyaf028.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,21]],"date-time":"2025-10-21T14:46:39Z","timestamp":1761057999000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf028\/8294137"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":63,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf028","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf028"}}