ProPublica was the third organization to install a SecureDrop system after the FPF rebooted the project, and yet it was also the only organization whose representatives stated that SecureDrop has not been a particularly successful source of stories.
Instead, ProPublica staff articulated a broader spectrum of uses for SecureDrop. Assistant Managing Editor Scott Klein said: “We don’t see SecureDrop exclusively as a way for anonymous whistleblowers to send us the proverbial ‘plain brown envelope’ full of data, because that’s actually a pretty rare event. We also see SecureDrop as an ideal way for sources we know to send us data and documents in an environment where the anonymity and security are turned up to eleven.”
For instance, a source was communicating with a ProPublica reporter over encrypted email to exchange a cache of documents but found they could not transmit such a large volume of data due to the brute limitations of the email system itself. ProPublica’s reporter then advised the source to deposit the files through SecureDrop instead. In this case, SecureDrop was neither a first point of contact nor, in a strict sense, an anonymous one. Mike Tigas, who maintains ProPublica’s SecureDrop, said he logs in to check the system about once a week, and that the whole process takes about an hour. Tigas said that a few useful tips have come through messages dropped into the system, but none of these have become an active, repeat source. He estimated that a new source comes to ProPublica’s SecureDrop with a potential story about once a week, but that these are rarely useful leads.
Asked whether ProPublica would cite SecureDrop in the event that a major story originated in the system, Tigas said there isn’t a firm policy in place: “We haven’t had too many of these situations and we publish slowly enough that I think that decision will continue to be made on a per-project basis. We’d definitely consider touting SecureDrop if the circumstances were right.”
Tigas also noted that many ProPublica reporters prefer to use PGP email for sensitive conversations because they are working with known—rather than anonymous—sources. He estimated that about ten reporters regularly use PGP with a total of about fifty regular sources. Based on the key server registration figures, ProPublica’s enrollment had a slight spike after the Snowden revelations and once more after the outlet installed SecureDrop.
Number of public key registrations over time at ProPublica.