SecureDrop

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by P0ssum (talk | contribs) at 01:30, 24 August 2017. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

SecureDrop
Original author(s): Aaron Swartz, Kevin Poulsen
Developer(s): Freedom of the Press Foundation
Stable release: 0.4.2[1] / 14 August 2017; 6 years ago (2017-08-14)
Repository
Written in: Python
Operating system: Linux, Tails OS
Type: Secure communication
License: GNU Affero General Public License, version 3
Website: securedrop.org
Tor: secrdrop5wyphb5x.onion[2]

SecureDrop is an open-source software platform for secure communication between journalists and sources (whistleblowers).[3] It was originally designed and developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.[4][5]

After Aaron Swartz's death, the first instance of the platform was launched under the name Strongbox by staff at The New Yorker on 15 May 2013.[6] The Freedom of the Press Foundation took over development of DeadDrop under the name SecureDrop, and has since assisted with its installation at several news organizations, including ProPublica, The Guardian, The Intercept, and The Washington Post.[7][8][9]

Security

SecureDrop uses the anonymity network Tor to facilitate communication between whistleblowers, journalists, and news organizations. SecureDrop sites are therefore only accessible as hidden services in the Tor network. After a user visits a SecureDrop website, they are given a randomly generated code name.[6] The user uploads information to a particular author or editor under this code name. Investigative journalists can contact the whistleblower via SecureDrop messaging, so the whistleblower must take note of their random code name.[4]
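The code-name flow described above can be sketched as follows; this is an added example, not SecureDrop's own code. The word list, the `Inbox` class, and the choice to store only a scrypt-derived identifier instead of the code name are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed 16-word list, for illustration only; a real list would hold
# thousands of words so that each word contributes far more entropy.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "grain", "heron",
         "ivory", "jetty", "kelp", "lumen", "maple", "nadir", "oasis", "pylon"]

def generate_codename(n_words=7, words=WORDS):
    """Draw n_words uniformly at random from the OS CSPRNG (never `random`)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(n_words, list_size):
    """Guessing entropy of a codename of n_words drawn from list_size words."""
    return n_words * math.log2(list_size)

def source_id(codename, salt):
    """Opaque identifier derived with scrypt; the server stores only this."""
    key = hashlib.scrypt(codename.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return key.hex()

class Inbox:
    """Hypothetical server-side store keyed by derived ID, not by codename."""
    def __init__(self):
        self.salt = secrets.token_bytes(16)   # per-instance secret salt
        self.replies = {}                     # source_id -> journalist replies

    def register(self):
        codename = generate_codename()
        self.replies[source_id(codename, self.salt)] = []
        return codename                       # shown to the source once, not stored

    def reply(self, sid, message):
        self.replies[sid].append(message)

    def check(self, codename):
        """Return replies for a returning source, or None if the codename is unknown."""
        return self.replies.get(source_id(codename, self.salt))

if __name__ == "__main__":
    inbox = Inbox()
    name = inbox.register()
    print("codename:", name)
    print("entropy with this toy list: %.0f bits" % entropy_bits(7, len(WORDS)))
    print("entropy with a 7776-word list: %.1f bits" % entropy_bits(7, 7776))
```

Because the store never holds the code name itself, a source who loses it cannot be re-linked to earlier replies, which is why the code name has to be noted down.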

The system uses private, segregated servers that are in the possession of the news organization. Journalists use two USB flash drives and two personal computers to access SecureDrop data.[4][6] The first personal computer accesses SecureDrop via the Tor network, and the journalist uses the first flash drive to download encrypted data from the Internet. The second personal computer does not connect to the Internet and is wiped during each reboot.[4][6] The second flash drive contains a decryption code. The first and second flash drives are inserted into the second personal computer, and the material becomes available to the journalist. The personal computer is shut down after each use.[4]

The news organization should not record any information regarding the uploader, i.e., their IP address or information about the computer used, and the browser does not enable persistent cookies or allow third-party embedding. Anonymity is not guaranteed, but the creators claim that the system is safer than electronic mail.[5]

Freedom of the Press Foundation has stated it will have the SecureDrop code and security environment audited by an independent third party before every major version release and then publish the results.[10] The first audit was conducted by University of Washington security researchers and Bruce Schneier.[11] The second audit was conducted by Cure53, a German security firm.[10]

Prominent organizations using SecureDrop

The Freedom of the Press Foundation now maintains an official directory of SecureDrop instances. This is a partial list of instances at prominent news organizations.

Name of organization | Implementation date | Web location
The New Yorker[2][4] | 15 May 2013 |
Forbes[2][12][13][14] | 29 Oct 2013 |
Bivol[2][15] | 30 Oct 2013 |
ProPublica[2][16][17] | 27 Jan 2014 |
The Intercept[2][18] | 10 Feb 2014 |
San Francisco Bay Guardian[2][19] | 18 Feb 2014 |
The Washington Post[2][20] | 5 Jun 2014 |
The Guardian[2][3] | 6 Jun 2014 |
The Globe and Mail[2][21] | 4 Mar 2015 |
Radio-Canada | 20 Jan 2016 |
Canadian Broadcasting Corporation[2][22] | 29 Jan 2016 |
The Associated Press | 18 Oct 2016 |
The New York Times[2][23] | 15 Dec 2016 |
BuzzFeed News | 21 Dec 2016 |
USA Today[2][24] | 22 Feb 2017 |

References

  1. https://github.com/freedomofpress/securedrop/releases
  2. "The Official SecureDrop Directory". Freedom of the Press Foundation. Retrieved January 29, 2017.
  3. "Guardian launches SecureDrop system for whistleblowers to share files". The Guardian. 6 June 2014.
  4. Kassner, Michael (20 May 2013). "Aaron Swartz legacy lives on with New Yorker's Strongbox: How it works". TechRepublic. Retrieved 20 May 2013.
  5. Poulsen, Kevin (15 May 2013). "Strongbox and Aaron Swartz". The New Yorker. Retrieved 17 June 2013.
  6. Davidson, Amy (15 May 2013). "Introducing Strongbox". The New Yorker. Retrieved 20 May 2013.
  7. "Strongbox". The New Yorker. Retrieved 15 November 2013.
  8. Biryukov, Alex; Pustogarov, Ivan; Weinmann, Ralf-Philipp (2013). "Content and popularity analysis of Tor hidden services" (PDF). ArXiv.org (Cornell University Library). Retrieved 15 November 2013.
  9. Davidson, Amy (15 May 2013). "Introducing Strongbox". The New Yorker. Retrieved 26 December 2013.
  10. Timm, Trevor (20 January 2014). "SecureDrop Undergoes Second Security Audit". Freedom of the Press Foundation. Retrieved 13 July 2014.
  11. Czeskis, Alexei; Mah, David; Sandoval, Omar; Smith, Ian; Koscher, Karl; Appelbaum, Jacob; Kohno, Tadayoshi; Schneier, Bruce. "DeadDrop/StrongBox Security Assessment" (PDF). University of Washington Department of Computer Science and Engineering. Retrieved 13 July 2014.
  12. Kirchner, Lauren. "When sources remain anonymous". Columbia Journalism Review. Retrieved 28 January 2014.
  13. Timm, Trevor. "Forbes Launches First Updated Version of SecureDrop Called SafeSource". Freedom of the Press Foundation. Retrieved 28 January 2014.
  14. Greenberg, Andy. "Introducing SafeSource, A New Way To Send Forbes Anonymous Tips And Documents". Forbes. Retrieved 28 January 2014.
  15. Chavkin, Sasha. "Initiatives seek to protect anonymity of leakers". The International Consortium of Investigative Journalists. Retrieved 28 January 2014.
  16. Tigas, Mike. "How to Send Us Files More Securely". ProPublica. Retrieved 28 January 2014.
  17. Timm, Trevor. "ProPublica Launches New Version of SecureDrop". The Freedom of the Press Foundation. Retrieved 28 January 2014.
  18. "How to Securely Contact The Intercept". The Intercept. Retrieved 9 February 2014.
  19. Bowe, Rebecca (18 February 2014). "Introducing BayLeaks". San Francisco Bay Guardian. Retrieved 20 February 2014.
  20. "Q&A about SecureDrop on The Washington Post". The Washington Post. 5 June 2014.
  21. "The Globe adopts encrypted technology in effort to protect whistle-blowers". The Globe and Mail. 4 March 2015.
  22. "CBC adopts SecureDrop to allow for anonymous leaks". 29 January 2016.
  23. Timm, Trevor [@trevortimm] (December 15, 2016). "Nice. The @NYTimes launched @SecureDrop today, along with a really useful secure tips page" (Tweet) – via Twitter.
  24. "USA TODAY launches secure whistle-blower site". 22 February 2017.
