Tor Service SecureDrop Facilitates The Anonymous Sharing Of Critical Information With News Organizations

The Freedom Of The Press Foundation’s goal is to protect, defend, and empower public-interest journalism, which is a critical mission considering the proliferation of censorship globally. Critical information regarding governments and corporations can land the source aka the whistleblower in hot water legally, or even endanger their life, even if that information would lead to positive change and protect the public if it was exposed. The nature of the internet, where it is relatively easy to intercept most communications and data transfers, has exacerbated the problem. The government has been known to secretly subpoena internet service providers (ISPs), mobile carriers, and 3rd party services like Google and Facebook to obtain information on an anonymous source, making it so that journalists had no ability to protect their source. This is a bad situation, since if sources of critical information are put in mortal danger then the information will stop flowing.

The Freedom Of The Press Foundation has created SecureDrop in order to solve this problem. With SecureDrop sources can securely and anonymously communicate with major news organizations like Al Jazeera, Bloomberg, BuzzFeed, CBC, Financial Times, HuffPost, NBC, New York Times, San Francisco Chronicle, The Globe And Mail, The Guardian, The Intercept, The Washington Post, USA Today, and Vice, among others.

SecureDrop is quite easy to use for people who wish to send critical information to a news organization. Download Tor and go to the directory of organizations linked above, and find the .onion address for that news organization. Then there is a page where documents and communications up to 500 MB can be submitted. You will receive a code name, which is basically a mnemonic seed, and this is how you can log back into the conversation to see if the journalist responded or needs more information. No identifying information is obtained when using SecureDrop.

If dealing with extremely serious information, like issues of national security, SecureDrop recommends that you buy a new computer and a USB stick with cash and then go to a busy internet cafe that you don’t usually go to, and face your back against the wall so security cameras cannot see your computer screen or keystrokes. For maximum security, use the Tails operating system, which is designed to leave no traces of your activity on your computer, and automatically routes all of your internet activity through Tor.

A brief segue into Tor. Tor is short for The Onion Router, and it is named after an onion since its encryption is nested like the layers of an onion. Tor encrypts a user’s internet data multiple times, including the destination IP address, and this data is sent through a relay of nodes around the world. Each node decrypts a layer of the data so it can know which node to send the data to next. The final relay decrypts the actual data and sends it to the destination. In other words, Tor encrypts a user’s data and bounces it between some of the thousands of relays around the world, so a user’s internet traffic data and IP address cannot be discovered. Therefore, the fact that SecureDrop requires Tor makes it far more secure than if it was a clear web service.

In order to prevent secret subpoenas no 3rd party server is used by SecureDrop. Instead, the server sits on the property of the news organization, and therefore if it was subpoenaed the news organization would receive the direct legal order. This gives the news organization the chance to contest the order, unlike the situation where a 3rd party like Google or Facebook would receive such an order and instantly divulge all of the information the government asks for.

Also, SecureDrop stores practically no metadata. Only the time of the last communication is stored in metadata, and all previous times of communications are overwritten. Further, nothing about the source’s browser or computer is stored.

All information sent through SecureDrop is end to end encrypted via GnuPG aka GPG, and the information received by a news organization’s SecureDrop server does not even touch the hard drive. Submissions are accessed and downloaded with a USB stick that is running the Tails operating system and only accesses the internet with Tor, and the decryption key is not on the server that is connected to the internet. The decryption key is only on an air-gapped computer, meaning a computer that has absolutely no internet connection. The USB with the critical data is plugged into the air-gapped computer and decrypted, and since this computer is not connected to the internet there is no way for the decrypted information to be intercepted.

If you are a news organization who wants to install SecureDrop in order to protect your sources, setup information can be found here and here.

Finally, SecureDrop is open source, so anyone can check SecureDrop’s code and make sure it does what it says it does, and SecureDrop has put its code through penetration testing to ensure the utmost security.

Thus, SecureDrop is likely one of the best ways to anonymously and securely send critical information to news organizations, giving sources the best possible chance to stay anonymous and safe, and therefore SecureDrop increases the free flow of information and has the potential to better society.