SecureDrop | safety for sources and whistleblowers

How to leak something without getting busted? Don’t get busted. SecureDrop is an end-to-end encrypted communication system that uses Tor to link journalists and their sources.

Got a secret?

Careful who you tell.

If you’re a 4-star general whispering state secrets to your mistress, expect a slap on the wrist.

Mere mortals don’t have it so easy. FBI contract worker Shamai Leibowitz was tried in 2010 for giving secrets to a blogger. The documents contained ‘communication intelligence activities,’ according to court records.

His crime? Even his judge didn’t know. According to the Washington Post: ‘I don’t know what was divulged, other than some documents, and I don’t know how it’s compromised things,’ U.S. District Judge Alexander Williams Jr. said in court.

His sentence for an unspecified crime committed with an unknown blogger and absolutely no evidence? 20 months.

A worldwide trend

It’s not much better in the UK, where legal advisors have suggested raising minimum sentencing and redefining espionage.

In outraged but odd wording, Jim Killock, of the campaign body Open Rights Group, called the move a ‘full-frontal attack’ on human rights in general and journalists in particular.

Enter SecureDrop

What’s SecureDrop? From the website: ‘SecureDrop is an open-source whistleblower submission system that media organizations can install to accept documents from anonymous sources.’ Via Tor, whistleblowers can submit documents and communicate with journalists through a secure-by-today’s-standards system.

The communication method protects journalists and their sources by eliminating as much metadata as possible. From the site: ‘The SecureDrop application does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser. The server will only store the date and time of the newest message sent from each source. Once you send a new message, the time and date of your previous message is automatically deleted.’

Easy, right?

Not so much. To access it, says WIRED’s SecureDrop FAQ page, one just follows 10 easy steps! Well, as easy as any 10-step set of tech directions, in words, can be. For media outlets, the setup is complicated enough that the organisation offers setup and installation support. And it should be complicated, to keep things safe.

The real deal

Although BuzzFeed has an account, this isn’t just cloak-and-dagger for funsies. Other organisations include Greenpeace, the New York Times, Radio-Canada, the Guardian and CPJ, the Campaign to Protect Journalists.

Do people use it?

That depends on whom you talk to.

A recent article from the cybersecurity site CyberScoop showed some differing opinions.

‘We have definitely gotten useful, actionable material through our SecureDrop,’ John Cook, of Gizmodo Media Group, told the organisation. ‘It’s not a flood everyday, but it’s definitely worth having in terms of what’s come in.’

But SecureDrop can also be a metaphor for an organisation’s commitment to the safety of sources. Cook: ‘It’s just a way to communicate with sources that you’re sophisticated and care about protecting their identity and anonymity in any digital communications.’

Others aren’t so keen. ‘It’s a marketing thing. You have it because it sounds good, but effectively no one uses it at all,’ former Tor executive director Andrew Lewman told CyberScoop in a recent interview. ‘And almost every time if someone does manage to upload some documents they end up doing it by email because they get so sick of the back and forth over the hidden service.’

Is it safe?

In these new-fangled times, no digital communication is 100% safe. But SecureDrop is another tool that journalists and sources can use to fight back against the full-frontal attack on whistleblowers and the journalists who cover them.
