Introduction

SecureDrop is a platform designed to facilitate secure and anonymous communication between sources and journalists. It is a complicated ensemble of computers, running carefully configured software that can only be accessed through a specific and deliberate set of procedures. This is especially true on the journalist’s side, where most of the difficulty is stacked by design. One must log into a specific computer just to check the inbox, then one must use a separate, totally isolated computer to view and print any documents that have arrived. The process for the source is comparatively simple, relying only on the user-friendly Tor anonymous browser, though this process still requires a specialized tool and the initiative to use it. Such a lopsided investment is quite deliberate: The primary value for the designers of SecureDrop is to minimize the risk that the source—by far more vulnerable than the reporter in the majority of cases—could be identified or their messages intercepted en route.

For whistleblowers, choosing to reveal sensitive material has always involved some level of personal risk, whether it means harassment, imprisonment, or even physical violence. But technology today is uniquely susceptible to monitoring that could endanger a whistleblower. We now know that using computers, mobile phones, and other digital communication devices is particularly hazardous for matters intended to remain private. Whether information is skimmed in transit or seized from a data center, any number of digital traces may identify and endanger whistleblowers. And when this information is gathered without a warrant, it is immaterial whether the leaked materials hold public value that justifies publication. SecureDrop provides a secure and anonymous channel for sources to speak to journalists from a position of relative safety.

At the time of writing, the Freedom of the Press Foundation (FPF) directory lists thirteen news organizations, three independent journalists, and eight nonprofit activist groups that are operating verified installations of SecureDrop.3 The FPF estimates that there are currently thirty running instances, including some that are not yet public. The organizations studied in this report include Gawker, *The Globe and Mail*, *The Guardian*, *The New Yorker*, *ProPublica*, and *The Washington Post*.

This list in no way indicates the limit of interest in SecureDrop: More than eighty organizations are on the FPF’s waiting list. These organizations are holding out for a guided installation not only because it is technically demanding to set up the equipment, but also because many journalists will need assistance developing practical routines to make effective use of the system. In short, the purpose of a guided installation is both to limit the possibility of errors and security compromises, and to develop sound routines for checking and making productive use of the system. This leads to a fairly narrow set of practices surrounding SecureDrop. Unlike most other new and emerging technologies, which are subject to varying degrees of play and experimentation in their early stages, SecureDrop by its very nature is often used within a fairly limited scheme of preconceived practices.

The purpose of this report is to sketch the use of SecureDrop at this nascent but promising moment in its development, and to assess the role it serves alongside other means of encrypted communication available to reporters and their sources. To this end, I have conducted interviews with twelve journalists and three technical administrators at ten organizations using SecureDrop, as well as five people who are actively building the system and training journalists to use it. Although small, this group reflects a fairly comprehensive survey of SecureDrop’s present user base as of early 2016.

It is worth noting that the interviews for this report were often complicated by the sensitive nature of the project itself. I began this work knowing that the use of SecureDrop in newsrooms would be a difficult phenomenon to examine. This is precisely why it seemed worthwhile to investigate. Still, my conversations were circumscribed by rigid borders. Not only were reporters wary of saying too much, but I was also bound by ethics (and the guidelines of my Institutional Review Board) to recognize that I could be placing others at risk, perhaps without even realizing it. The landscape of security hazards is broad and often largely unknowable, even for a system as carefully designed and thoroughly tested as SecureDrop.

The level of secrecy surrounding the system is, of course, deliberate. SecureDrop is designed to conceal as much as possible about the ways journalists and sources use it. At the time of this writing, the developers have commissioned five separate professional security audits to find and correct vulnerabilities. Unlike many other encrypted communication systems, which are not just difficult to use but often used incorrectly, SecureDrop minimizes the possibility for journalists and sources alike to misuse the system and reveal identifying information.

The SecureDrop login and submission pages are only accessible via the Tor web browser, which conceals both the users and the sites on its network. If you were to fire up a Tor browser and click through to a SecureDrop submission page, you would see a page inviting you to log in, send messages, and upload documents—all with massive forces of encryption protecting your identity, location, and the contents of your transmission. On the other side, journalists log into their own special-purpose computers to check the inbox of messages and documents that sources have deposited through SecureDrop.

Despite the apparent intensity of these security measures, many journalists using SecureDrop say that the system is more than just a lure for high-impact stories: It reflects a commitment to do their utmost to protect sources who place themselves in danger for the greater public interest. Whatever the actual level of risk for the source or the sensitivity of what they have to share, a news organization offering SecureDrop is signaling its respect for the level of protection that their source demands. Given what we know (and don’t know) about systems of mass surveillance today, this is a category of concern to which journalists have become increasingly attuned.

As a result, many journalists were understandably cagey about discussing SecureDrop. Every single person I contacted for this study must have at least considered the possibility that my stated intention as a researcher was a falsity—that I could be working for “the other side.” And even if my intentions were genuine, could these journalists trust me not to commit a serious error in my handling of information? Could they even trust our channels of communication? Of course not. The essential foundation of a digital security mindset is a judicious and highly informed sense of paranoia. And our interviews threatened to introduce a needless security hazard to a system that is otherwise painstakingly hardened against attacks.

In short, it was clear that my informants treated the possibility of revealing sensitive information about sources quite seriously. This meant that most of them would not identify the stories that originated with information from SecureDrop. Although the majority did confirm that it had happened and continues to happen, few would discuss the details of reporting these stories. Information on their patterns of use, not to mention the details of individual communications, could be enough for an adversary to try to identify the source of a particular story. In the wake of the Snowden revelations, these threats are not only plausible but fairly likely. Consequently, some interviewees preferred to speak in generalities about their process of assessing and then potentially acting upon tips that arrive through SecureDrop.

So how does SecureDrop affect a newsroom once it arrives? Are there new roles, reporting practices, or institutional configurations where SecureDrop is used?

Many of my informants explained that, as a point person using SecureDrop, they only monitor the system. If anything promising appears, they direct it to the reporter covering the relevant beat. Consequently, these point people often know very little about how the reporting process plays out from there—that is, how the beat reporter verifies documents, follows up on tips, and develops a broader picture of the issue at hand before filing a story. Whatever the novelty of SecureDrop, these aspects of the traditional reporting process remain largely intact.

Occasionally, a single, technologically sophisticated reporter assumes responsibility for the whole SecureDrop system. These rare cases require little coordination and have a minimal effect upon the greater newsroom. If the reporter leaves, the SecureDrop simply goes offline.

But in most of the newsrooms where I spoke to journalists using SecureDrop, the process seems to be integrated at some level into the greater newsroom. It is treated as a highly technical and sophisticated but largely quotidian technology. It sits alongside many other devices that journalists use to monitor information that may lead to further reporting. Like any other information source, it is neither a guarantee of valuable leads, nor a channel worth ignoring. SecureDrop appears to serve a unique and often narrow, but decidedly useful role in the newsrooms using it.