According to my interviews, the uses of SecureDrop fall into a fairly narrow set of practices. This is due, in part, to the design of the system. It is engineered to limit the possibility of security failures, which necessarily means limiting the range of possible actions for users. This much is logical and unsurprising. But the on-site installation and training from the FPF appear to be an equally important factor in the range of practices by SecureDrop users.
Checking the System and Distributing Tips
In most newsrooms, a group of four or fewer reporters is tasked with checking the SecureDrop at least once a week. The most common rate of checking reported was three times weekly. Once they have identified promising submissions, these reporters determine which of the organization’s reporters is best suited to assess and follow up on the tips or documents received.
The exception to this check-and-distribute model is with personal SecureDrops. Poulsen views his SecureDrop as a tool he offers for people who specifically want to contact him. He said that he checks his system “regularly” and that it gets “plenty of use,” but he declined to offer details of his interactions with sources. Gellman also gives a fairly generous level of attention to those who leave messages on his personal SecureDrop. “I generally respond to every submission that is not essentially empty or pure trolling,” he said. “I find that people are grateful and sometimes surprised to hear back.”
There is also no guarantee that a journalist will hear back from a source after their first appearance in the system. For this reason, some organizations said that they would attempt to move the conversation off SecureDrop and onto another, more convenient encrypted channel as soon as possible after the first point of contact. Otherwise, there is a risk that a useful source will disappear and not return to carry on the conversation, even if the reporter wants to push forward with the story.
Like any tip or document, materials in SecureDrop must be subjected to journalistic verification. Cook of Gawker said the process is exactly what one would expect in traditional scenarios. “There’s nothing unique about the SecureDrop system,” he said. “It’s the same thing we do with anything you get, which is you do regular old reporting to verify it—to see if it will stand up.”
Rich also pointed to a traditional journalistic skillset for assessing what arrives in The Post’s SecureDrop: “Throughout investigative reporting,” he said, “you get a sense for what tips you can use and which ones you can just throw away.”
One aspect of verification that journalists may not have at their disposal when using SecureDrop, though, is the identity of the source. Poulsen said:
My preference as an old-school journalist is that I like to know who I’m talking to. But part of the idea behind SecureDrop is that in this age right now, it’s harder to make guarantees that somebody’s identity is going to remain secret. The government has so many ways of surveilling journalists—and they show a willingness to use it—that I think the bar for accepting information from somebody whose identity is a mystery even to the reporter, I think that is now by necessity a bar that we reach more easily than in the past.
Nondisclosure of SecureDrop Stories
Although most journalists using SecureDrop told me they consider it a useful reporting tool, they were mostly unable to disclose the stories that originated with information from sources on SecureDrop. Thus, it could easily appear as though the journalistic footprint of SecureDrop is rather small.
McKie of The Globe and Mail said that they take a strict editorial stance on this point: “Before we launched SecureDrop, we adopted the explicit policy that we would not acknowledge that it was the source for any given story.”
To date, The Intercept is the only publication to have acknowledged when published stories have arrived through SecureDrop.[14] They have since acknowledged a total of three in print, but Lee maintains that these are not the only Intercept stories to originate with tips or documents from its SecureDrop.
Cook of Gawker added:
It’s kind of a Catch-22 in that one of the things I’ve always wanted to do is to say, “Hey, we got this through SecureDrop.” But you don’t want to do that, because you don’t want to do anything that would lead someone to try to go look if someone’s work laptop has Tor on it, or whatever might lead to suspicion.
Placing SecureDrop Alongside Other Communication Channels
Another theme that has emerged from studying SecureDrop is that while it is at once progressive and technologically advanced, it also stands in the spirit and defense of longstanding, traditional reporting methods. Many journalists said that SecureDrop tips are just like any other tip and that the technology is very similar to others in its basic efficacy.
McKie of The Globe and Mail specifically characterized SecureDrop as a channel alongside other channels:
When we were pitching this idea to our newsroom leadership, one of the things that we were careful to point out is that the purpose of SecureDrop for us is to provide a door into the newsroom, alongside all of the others. We’re not telling people to stop calling us, we’re not telling them to stop emailing us, we’re not telling people to stop mailing us the generic manila envelope or sliding it under the door. All of the ways that people are getting in touch with us are still valid, it’s just that in this day and age, there are certain kinds of sources who don’t feel comfortable using those kinds of means anymore—and potentially, with really good reason.
Additionally, journalists often weigh SecureDrop against other channels when they are considering how to handle sensitive documents. Rich of The Washington Post said, “For large files, I would prefer a physical hand off, especially for something that sensitive.” This highlights a point worth remembering: Even with a tool as advanced as SecureDrop, it is wise to consider the entire range of approaches at your disposal when security is a concern.