A Brief History of the SecureDrop Project

At the 2014 Hackers on Planet Earth (HOPE) conference in New York City, a panel announced the SecureDrop system as “a WikiLeaks for every newsroom.”4 It was a provocative and topical proposal at an event held in the wake of the Snowden disclosures, but many people must have been asking: Why would every newsroom need its own WikiLeaks?

By the time the SecureDrop project was first conceived in 2012, WikiLeaks itself was dealing with a staff mutiny, a shuttered submission system, and Julian Assange’s self-imposed exile. Disaffected former staff had launched a new project, OpenLeaks, but it failed to gain comparable traction. In short, there was not a clear successor, even as news audiences still had an appetite for the brand of radical transparency that WikiLeaks had pioneered. For Edward Snowden to orchestrate his leak of NSA documents, it was necessary for him to devise his own digital security scheme from publicly available tools. Using Tor, PGP encryption, an anonymous email service called LavaBit, and a well-timed getaway, Snowden engineered the safe delivery of the files to a handpicked selection of journalists during the early months of 2013, right when the first prototype of SecureDrop was launched as another solution to the momentary decline of WikiLeaks.

The SecureDrop project was originally devised by Kevin Poulsen, a senior editor at Wired magazine and onetime fugitive hacker himself. Poulsen had noticed that journalists were facing a gap in the news ecosystem that Assange had so rapidly cultivated. “It bothered me that we had no dedicated channel for people to communicate with us securely,” Poulsen said. “WikiLeaks at one point had a useable system, and it seemed like if they could do it, there should be a way for journalists to do it as well.” But Poulsen envisioned an arrangement distinctly different from Assange’s “middle-man” approach: He wanted to place this secure whistleblowing platform in the newsroom itself.

So Poulsen reached out to Aaron Swartz to collaborate on this project. Swartz was well known as an information activist and gifted computer programmer. He had been an author of the RSS protocol at age fourteen, a founder of the website Reddit, an architect of the Creative Commons licenses, and one of the most ardent and vocal activists opposing the Stop Online Piracy Act (SOPA).

Writing in The New Yorker, Poulsen described Swartz as “a member of a fairly small tribe with the skills to turn ideas into code—another word for action—and the sensibility to understand instantly what I was looking for: a slightly safer way for journalists and their anonymous sources to communicate.”5

At the time, Swartz and Poulsen called their project “DeadDrop,” in reference to a common element of spycraft. A dead drop is a designated, hidden site where documents or messages can be dropped off and picked up without participants ever needing to meet in person or know each other’s identity. Similarly, the DeadDrop system was conceived to be an encrypted, anonymous space where whistleblowers could safely deposit sensitive documents for journalists to retrieve and assess for publication, without the whistleblower’s identity being exposed. Swartz and Poulsen collaborated on the project in their spare time over the course of 2012, meeting to work in person only once at the Wired offices in San Francisco.

Unfortunately, DeadDrop would be one of Swartz’s last projects. The first version of the system was finished in December of 2012, just a month before Swartz’s suicide in a Williamsburg, Brooklyn, apartment at age twenty-six. Throughout the process of developing SecureDrop, Swartz had been under federal investigation for attempting to download the entire archive of academic articles from the subscription service JSTOR. His death is often imputed to the overzealous prosecution of intellectual property laws that Swartz himself had battled to prove unjust.

After Swartz’s death, Poulsen helped move the project from Wired to another Condé Nast publication, The New Yorker, where it launched under the name “Strongbox” in May of 2013. That day, staff writer Amy Davidson characterized the system as a much-needed asset. “Readers and sources have long sent documents to the magazine and its reporters, from letters of complaint to classified papers. But, over the years, it’s also become easier to trace the senders, even when they don’t want to be found,” Davidson wrote. “Strongbox addresses that; as it’s set up, even we won’t be able to figure out where files sent to us come from. If anyone asks us, we won’t be able to tell them.”6

But with Swartz gone, the project’s code base was effectively abandoned. Without continued development, it was unclear if the system would ever become straightforward and robust enough to use beyond the prototype developed within Condé Nast—even though Poulsen had intended from the beginning for the code to be released open-source and used in other newsrooms.

After several months of uncertainty, the project found new caretakers when the Freedom of the Press Foundation asked Poulsen if it could adopt DeadDrop and continue its development. Just one year earlier, the FPF had been founded by two members of the Electronic Frontier Foundation (EFF), the lawyer Trevor Timm and the technologist Micah Lee. The duo launched the FPF largely as a crowdfunding site for journalism organizations focused on transparency—especially WikiLeaks, whose donation services had been blocked by many leading payment companies. Lee would eventually help Laura Poitras and Glenn Greenwald learn to use encryption so they could communicate with an especially cautious source, Edward Snowden. In short, the FPF had already situated itself at the nexus of those concerns that grounded Poulsen’s project, so he trusted the foundation to carry it forward.

First, Timm and Lee renamed DeadDrop as SecureDrop, and redesigned the interface from its original appearance—a white-on-black, cloak-and-dagger aesthetic—into something lighter and friendlier looking. The objective, after all, was to make the software more broadly usable and appealing. The FPF also made several hires in order to support the development of SecureDrop. These included the security expert James Dolan, who had helped design the original DeadDrop project with Swartz and Poulsen at Condé Nast, and a new lead developer for SecureDrop, Garrett Robinson, who had previously worked at EFF and as a security engineer at Mozilla.

After adopting the project, the FPF also commissioned a professional security audit to find any vulnerabilities that they would need to address as they pushed the software forward. They hired some of the best: security expert Bruce Schneier and a team from the University of Washington. That team spent thirty hours just trying to install SecureDrop before giving up. Although the group saw no obvious security flaws, this trial clearly highlighted that the system was far too difficult and idiosyncratic in its present state to be useful to others, let alone in the average newsroom.

In all, the FPF team spent about ten months disentangling, hardening, streamlining, and automating the SecureDrop code before releasing the first working version (besides the original, still running at The New Yorker). In October of 2013, the first SecureDrop systems were installed at Forbes and BalkanLeaks. ProPublica followed in January 2014. By the summer, when SecureDrop was billed at HOPE as a “WikiLeaks for every newsroom,” there were over a dozen instances of SecureDrop running at some of the world’s leading newspapers and activist groups. At the time of writing, about thirty SecureDrop systems are running at news organizations and activist groups worldwide, with over eighty on the FPF’s waiting list for a guided installation.