Executive Summary

This report offers a guide to the use and significance of SecureDrop, an in-house system for news organizations to securely communicate with anonymous sources and receive documents over the Internet. SecureDrop itself is a very young technology. It was developed over the last four years, beginning during the period when the WikiLeaks submission system was down and it was unclear how else whistleblowers could safely transmit large caches of data to journalists.

The history of SecureDrop’s conception and development is thus entwined with some of the most striking moments in the recent history of digital journalism: the arrival of Julian Assange as a charismatic force calling for radical transparency; the remarkable life of the technology activist Aaron Swartz; the bravery of Edward Snowden in revealing the level of surveillance now exercised by government agencies worldwide; and the resulting alliance between journalists, activists, and hackers who wish to ensure the accountability of powerful organizations by publishing information in the public interest.

Through interviews with the technologists who conceived and developed SecureDrop, as well as the journalists presently using it, this report offers a sketch of the concerns that drive the need for such a system, as well as the practices that emerge when a news organization integrates this tool into its news gathering routines.

In general, I found a fairly narrow and consistent set of practices among the journalists using SecureDrop. Many organizations designate just a handful of employees to check their system, and these employees act as operators, in a sense, who monitor the inbox and distribute promising submissions to the reporter who is best suited to assess and potentially act on that information. This is by far the most common model for the coordination of SecureDrop in newsrooms, and it appears to be so common largely because these practices were imprinted at the time of the system’s initial, guided installation by the SecureDrop developers.

Given its complexity, SecureDrop may appear at first like a radical new tool, but many reporters told me that it closely resembles many of the other channels newsrooms have traditionally made available for sources to contact them. The crucial difference is that SecureDrop restores the effectiveness of a reporter’s privilege to protect their sources through principled non-cooperation—such as refusing to testify in court—whereas pervasive digital surveillance has made this gesture effectively moot over the last decade. The reality is that when a reporter’s source can be identified through digital traces, the prosecution does not even need that reporter to testify. One of the explicit purposes behind developing SecureDrop has been to restore the possibility for journalists to protect sources whose communication devices might otherwise expose their identities.

Still, most readers must be wondering whether SecureDrop has proved worthwhile. This is a difficult question to assess because journalists are wary of revealing information that could put a source in danger. Still, most of my informants, representing nine of the ten organizations studied here, confirmed that the system has been generally valuable as a reporting tool, if not particularly consistent. Many were not willing to disclose the specific stories that originated with tips or documents from SecureDrop, nor the frequency of these stories. Nearly everyone did confirm, however, that the technical and often tedious process of checking the SecureDrop inbox is worthwhile overall, both as a reporting tool and as a signal that their organization takes seriously the protection of its sources.