SecureDrop

Last updated
SecureDrop
SecureDrop logo.svg
Screenshot from SecureDrop Source view.png
Screenshot from the SecureDrop Source interface.
Original author(s)
Developer(s) Freedom of the Press Foundation
Initial release15 October 2013;7 years ago (2013-10-15)
Stable release
1.6.0 [1] / 7 October 2020;6 months ago (2020-10-07)
Repository OOjs UI icon edit-ltr-progressive.svg
Written in Python
Operating system Linux
Type Secure communication
License GNU Affero General Public License, version 3
Website SecureDrop.org Tor: sdolvtfhatvsysc...6fzvyd.onion [2]

SecureDrop is a free software platform for secure communication between journalists and sources (whistleblowers). [3] It was originally designed and developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop. [4] [5] James Dolan also co-created the software. [6]

Contents

History

After Aaron Swartz's death, the first instance of the platform was launched under the name Strongbox by staff at The New Yorker on 15 May 2013. [7] The Freedom of the Press Foundation took over development of DeadDrop under the name SecureDrop, and has since assisted with its installation at several news organizations, including ProPublica, The Guardian , The Intercept , and The Washington Post . [8] [9] [10]

Security

SecureDrop uses the anonymity network Tor to facilitate communication between whistleblowers, journalists, and news organizations. SecureDrop sites are therefore only accessible as onion services in the Tor network. After a user visits a SecureDrop website, they are given a randomly generated code name. [7] This code name is used to send information to a particular author or editor via uploading. Investigative journalists can contact the whistleblower via SecureDrop messaging. Therefore, the whistleblower must take note of their random code name. [4]

The system utilizes private, segregated servers that are in the possession of the news organization. Journalists use two USB flash drives and two personal computers to access SecureDrop data. [4] [7] The first personal computer accesses SecureDrop via the Tor network, and the journalist uses the first flash drive to download encrypted data from the secure drop server. The second personal computer does not connect to the Internet, and is wiped during each reboot. [4] [7] The second flash drive contains a decryption code. The first and second flash drives are inserted into the second personal computer, and the material becomes available to the journalist. The personal computer is shut down after each use. [4]

Freedom of the Press Foundation has stated it will have the SecureDrop code and security environment audited by an independent third party before every major version release and then publish the results. [11] The first audit was conducted by University of Washington security researchers and Bruce Schneier. [12] The second audit was conducted by Cure53, a German security firm. [11]

SecureDrop suggests sources disabling JavaScript to protect anonymity. [13]

Prominent organizations using SecureDrop

The Freedom of the Press Foundation now maintains an official directory of SecureDrop instances. This is a partial list of instances at prominent news organizations. [14]

Name of organizationImplementation date
The New Yorker [2] [4] 15 May 2013
Forbes [2] [15] [16] [17] 29 Oct 2013
Bivol [2] [18] 30 Oct 2013
ProPublica [2] [19] [20] 27 Jan 2014
The Intercept [2] [21] 10 Feb 2014
San Francisco Bay Guardian [2] [22] 18 Feb 2014
The Washington Post [2] [23] 5 Jun 2014
The Guardian [2] [3] 6 Jun 2014
The Globe and Mail [2] [24] 4 Mar 2015
Radio-Canada20 Jan 2016
Canadian Broadcasting Corporation [2] [25] 29 Jan 2016
Associated Press 18 Oct 2016
The New York Times [2] [26] 15 Dec 2016
BuzzFeed News 21 Dec 2016
USA Today [2] [27] 22 Feb 2017
Bloomberg News Unknown
The Wall Street Journal Unknown
Aftenposten Unknown
Disclose [28] Unknown
Australian Broadcasting Corporation [29] 28 Nov 2019

Awards

See also

Related Research Articles

Kevin Poulsen

Kevin Lee Poulsen is an American former black-hat hacker and a contributing editor at The Daily Beast.

A dark net or darknet is an overlay network within the Internet that can only be accessed with specific software, configurations, or authorization, and often uses a unique customized communication protocol. Two typical darknet types are social networks, and anonymity proxy networks such as Tor via an anonymized series of connections.

Aaron Swartz Computer programmer and internet/political activist

Aaron Hillel Swartz was an American computer programmer, entrepreneur, writer, political organizer, and Internet hacktivist. He was involved in the development of the web feed format RSS, the Markdown publishing format, the organization Creative Commons, and the website framework web.py, and joined the social news site Reddit six months after its founding. He was given the title of co-founder of Reddit by Y Combinator owner Paul Graham after the formation of Not a Bug, Inc.. Swartz's work also focused on civic awareness and activism. He helped launch the Progressive Change Campaign Committee in 2009 to learn more about effective online activism. In 2010, he became a research fellow at Harvard University's Safra Research Lab on Institutional Corruption, directed by Lawrence Lessig. He founded the online group Demand Progress, known for its campaign against the Stop Online Piracy Act.

CERT Coordination Center

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with business and government to improve security of software and the internet as a whole.

Malicious Software Removal Tool

Microsoft Windows Malicious Software Removal Tool is a freely distributed virus removal tool developed by Microsoft for the Microsoft Windows operating system. First released on January 13, 2005, it is an on-demand anti-virus tool that scans the computer for specific widespread malware and tries to eliminate the infection. It is automatically distributed to Microsoft Windows computers via the Windows Update service but can also be separately downloaded from the Microsoft Download Center.

Jacob Appelbaum American computer security researcher and journalist (born 1 April 1983)

Jacob Appelbaum is an American independent journalist, computer security researcher, artist, and hacker. He studies at the Eindhoven University of Technology, and was formerly a core member of the Tor project, a free software network designed to provide online anonymity. Appelbaum is also known for representing WikiLeaks. He has displayed his art in a number of institutions across the world and has collaborated with artists such as Laura Poitras, Trevor Paglen, and Ai Weiwei. His journalistic work has been published in Der Spiegel and elsewhere. Appelbaum has repeatedly been targeted by U.S. law enforcement agencies, who obtained a court order for his Twitter account data, detained him at the U.S. border after trips abroad, and seized his laptop and several mobile phones.

Tor (anonymity network) Free and open-source anonymity network based on onion routing

Tor is free and open-source software for enabling anonymous communication by directing Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays in order to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace the Internet activity to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored.

The Centre for Investigative Journalism (CIJ) is a British independent charity providing training to journalists, researchers, producers and students in the practice and methodology of investigative journalism. It was incorporated as a Company Limited by Guarantee in June 2005 and registered as a Charity in March 2007. Using grants from the Lorana Sullivan Foundation, the CIJ organises annual three-day summer conference and courses in data journalism and investigative techniques. It has provided training to thousands of journalists, researchers and students from over 35 countries. The CIJ is based at the School of Journalism at Goldsmiths, University of London, which has held the CIJ summer conference each year since 2014.

Tails (operating system) Linux distribution for anonymity and privacy

Tails, or The Amnesic Incognito Live System, is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. All its incoming and outgoing connections are forced to go through Tor, and any non-anonymous connections are blocked. The system is designed to be booted as a live DVD or live USB, and will leave no digital footprint on the machine unless explicitly told to do so. The Tor Project provided financial support for its development in the beginnings of the project. Tails comes with UEFI Secure Boot.

GlobaLeaks is an open-source, free software intended to enable secure and anonymous whistleblowing initiatives.

Nawaat

Nawaat is an independent collective blog co-founded by Tunisians Sami Ben Gharbia, Sufian Guerfali and Riadh Guerfali in 2004, with Malek Khadraoui joining the organization in 2006. The goal of Nawaat's founders was to provide a public platform for Tunisian dissident voices and debates. Nawaat aggregates articles, visual media, and other data from a variety of sources to provide a forum for citizen journalists to express their opinions on current events. The site does not receive any donations from political parties. During the events leading to the Tunisian Revolution of 2011, Nawaat advised Internet users in Tunisia and other Arab nations about the dangers of being identified online and offered advice about circumventing censorship. Nawaat is an Arabic word meaning core. Nawaat has received numerous awards from international media organizations in the wake of the Arab Spring wave of revolutions throughout the Middle East and North Africa.

Freedom of the Press Foundation (FPF) is a non-profit organization founded in 2012 to fund and support free speech and freedom of the press. The organization originally managed crowd-funding campaigns for independent journalistic organizations, but now pursues technical projects to support journalists' digital security and conducts legal advocacy for journalists.

Matthew Garrett Irish computer programmer

Matthew Garrett is a technologist, programmer, and free software activist who is a major contributor to a series of free software projects including Linux, GNOME, Debian, Ubuntu, and Red Hat. He is a recipient of the Free Software Award from the Free Software Foundation for his work on Secure Boot, UEFI, and the Linux kernel.

The Courage Foundation is a trust for fundraising the legal defence of individuals such as whistleblowers and journalists.

Cure53 is a German cybersecurity firm. The company was founded by Dr. Mario Heidrich, a client side security researcher.

Ben Wizner is an American lawyer, writer, and civil liberties advocate with the American Civil Liberties Union. Since July 2013, he has been the lead attorney of NSA whistleblower Edward Snowden.

James S. Dolan was an American computer security expert who, with Aaron Swartz and Kevin Poulsen, co-developed SecureDrop, a widely used secure digital platform for sources to anonymously submit materials to journalists.

Runa Sandvik

Runa Sandvik is a computer security expert, known as a proponent of strong encryption. She was hired as The New York Times senior director of information security in March 2016 and is a proponent of a smartphone messaging application Signal.

References

  1. https://github.com/freedomofpress/securedrop/releases
  2. 1 2 3 4 5 6 7 8 9 10 11 12 13 "The Official SecureDrop Directory". Freedom of the Press Foundation. Retrieved January 29, 2017.CS1 maint: discouraged parameter (link)
  3. 1 2 Ball, James (5 Jun 2014). "Guardian launches SecureDrop system for whistleblowers to share files". The Guardian .
  4. 1 2 3 4 5 6 Kassner, Michael (20 May 2013). "Aaron Swartz legacy lives on with New Yorker's Strongbox: How it works". TechRepublic . Retrieved 20 May 2013.CS1 maint: discouraged parameter (link)
  5. Poulsen, Kevin (14 May 2013). "Strongbox and Aaron Swartz". The New Yorker .
  6. Timm, Trevor (9 January 2018). "A tribute to James Dolan, co-creator of SecureDrop, who has tragically passed away at age 36". Freedom of the Press Foundation .
  7. 1 2 3 4 Davidson, Amy (15 May 2013). "Introducing Strongbox". The New Yorker . Retrieved 20 May 2013.CS1 maint: discouraged parameter (link)
  8. "Strongbox". The New Yorker. Retrieved 15 November 2013.CS1 maint: discouraged parameter (link)
  9. Biryukov, Alex; Pustogarov, Ivan; Thill, Fabrice; Weinmann, Ralf-Philipp (2013). "Content and popularity analysis of Tor hidden services". arXiv: 1308.6768 [cs.CR].
  10. Davidson, Amy (15 May 2013). "Introducing Strongbox". The New Yorker. Retrieved 26 December 2013.CS1 maint: discouraged parameter (link)
  11. 1 2 Timm, Trevor (20 January 2014). "SecureDrop Undergoes Second Security Audit". Freedom of the Press Foundation. Retrieved 13 July 2014.CS1 maint: discouraged parameter (link)
  12. Czeskis, Alexei; Mah, David; Sandoval, Omar; Smith, Ian; Koscher, Karl; Appelbaum, Jacob; Kohno, Tadayoshi; Schneier, Bruce. "DeadDrop/StrongBox Security Assessment" (PDF). University of Washington Department of Computer Science and Engineering. Retrieved 13 July 2014.CS1 maint: discouraged parameter (link)
  13. Source Guide SecureDrop
  14. ssteele (6 December 2016). "Tor at the Heart: SecureDrop". Tor Blog.
  15. Kirchner, Lauren. "When sources remain anonymous". Columbia Journalism Review. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  16. Timm, Trevor. "Forbes Launches First Updated Version of SecureDrop Called SafeSource". Freedom of the Press Foundation. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  17. Greenberg, Andy. "Introducing SafeSource, A New Way To Send Forbes Anonymous Tips And Documents". Forbes. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  18. Chavkin, Sasha. "Initiatives seek to protect anonymity of leakers". The International Consortium of Investigative Journalists. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  19. Tigas, Mike. "How to Send Us Files More Securely". ProPublica. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  20. Timm, Trevor. "ProPublica Launches New Version of SecureDrop". The Freedom of the Press Foundation. Retrieved 28 January 2014.CS1 maint: discouraged parameter (link)
  21. "How to Securely Contact The Intercept". The Intercept. Retrieved 9 February 2014.CS1 maint: discouraged parameter (link)
  22. Bowe, Rebecca (18 February 2014). "Introducing BayLeaks". San Francisco Bay Guardian . Retrieved 20 February 2014.CS1 maint: discouraged parameter (link)
  23. "Q&A about SecureDrop on The Washington Post". The Washington Post . 5 June 2014.
  24. "The Globe adopts encrypted technology in effort to protect whistle-blowers". The Globe and Mail . 4 March 2015.
  25. "CBC adopts SecureDrop to allow for anonymous leaks". 29 January 2016.
  26. Timm, Trevor [@trevortimm] (15 December 2016). "Nice. The @NYTimes launched @SecureDrop today, along with a really useful secure tips page" (Tweet) via Twitter.
  27. "USA TODAY launches secure whistle-blower site". 22 February 2017.
  28. https://disclose.ngo/fr/article/devenez-une-source
  29. "ABC launches SecureDrop for whistleblowers to securely and anonymously contact journalists". 28 November 2019.
  30. Sullivan, John (25 March 2017). "SecureDrop and Alexandre Oliva are 2016 Free Software Awards winners" (Press Release). Free Software Foundation .