Join us
behind the news

When sources remain anonymous

SecureDrop, a new tool for communicating with unknown sources, could be best described as the digital equivalent of slipping a fat manila envelope under a door
October 31, 2013

Sign up for The Media Today, CJR’s daily newsletter.

On Tuesday, Forbes became the first media outlet to launch its own version of SecureDrop, an online application designed to allow sources to send anonymous and encrypted documents and tips to its reporters, since the project was taken over and upgraded by the Freedom of the Press Foundation last month. The Forbes tool, called SafeSource, is live now.

Savvy journalists working on sensitive topics have a number of tools at their disposal to protect the identity of confidential sources, the sources’ confidential information, and themselves, of course: encrypted communication, disk encryption, air-gapped computers, and (admittedly shifting and confusing) legal protections, among others. But perhaps the most effective way for a reporter to protect the identity of a source is to never learn that identity in the first place. That’s the guiding principle behind SecureDrop. The anonymous document relay enabled by SecureDrop could be best described as the digital equivalent of slipping a fat manila envelope under a door.

Forbes‘ Andy Greenberg explains in Forbes a video accompanying the announcement just why this tool is so crucial, and timely: “One thing that I’ve learned in the last few years of covering stories like WikiLeaks and Edward Snowden is that news sources today need more protection than mere email can provide, and that’s what we’re trying to offer,” he says.

SecureDrop accepts messages and documents and then encrypts them before sending and storing them for their recipients. It uses GPG encryption and operates via the anonymous browser application Tor, but the instructions for using it are accessible by the “regular” internet, which further lowers the requirement for technical know-how for a would-be whistleblower. And it’s not a one-time anonymous drop into a well, either; SecureDrop allows for a continued conversation between sender and receiver, all over encrypted communication channels. (Incidentally, it’s a concept similar to WikiLeaks spinoff OpenLeaks, a project which did not ultimately materialize, and to The Wall Street Journal‘s SafeHouse, a 2011 attempt which was immediately lambasted by security experts for its, well, lack of security.)

SecureDrop is also just one of many lasting legacies from the work of activist and programmer Aaron Swartz; it evolved from code that he wrote with security engineer James Dolan and Wired investigative reporter Kevin Poulsen. Previously called DeadDrop, the project was taken over by the Freedom of the Press Foundation this month–an organization which also works to raise money for whistleblowers and news outlets that come “under attack for engaging in transparency journalism.” Daniel Ellsberg, Glenn Greenwald, Laura Poitras, and many Electronic Freedom Foundation and Free Press luminaries are on the organization’s board and staff list.

The Foundation offers its services to news organizations large and small, both working to set up a SecureDrop protocol and providing long-term tech support if necessary. Believing that more eyes and more tests means a stronger code, the Foundation also sent SecureDrop out for a security audit by University of Washington researchers, as well as security experts Bruce Schneier and Tor’s Jacob Applebaum. (More about that audit and its findings here, for the crypto-nerds in the audience.) The results were heartening.

Sign up for CJR’s daily email

“Although it is important to note that no security system can ever be 100 percent impenetrable, Freedom of the Press Foundation believes that this system is the strongest ever made available to media outlets,” wrote the Foundation’s Trevor Timm and Rainey Reitman in a release earlier this month.

The first news organization to take this all out for a spin was The New Yorker, which announced its version of the DeadDrop code, StrongBox, back in May. Then Forbes become the first news outlet to take advantage of the new, upgraded code. And it certainly won’t be the last. The Foundation said on Tuesday that six other “major” news organizations plan to install their own versions in the coming months–though it hasn’t announced which ones just yet. Kevin Poulsen, one of the original application developers, wrote on Twitter following the Forbes announcement that Forbes and The New Yorker are just the beginning, adding: “Within six months journalist organizations will outnumber drug websites on the dark net.” The Foundation is also inviting any news outlet that’s interested in getting its own version of the tool to apply for their help here.

Has America ever needed a media defender more than now? Help us by joining CJR today.

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner