Comparing Encryption Systems

While the growing use of PGP encryption among journalists is a strong signal that digital security has become a greater concern in the wake of the Snowden disclosures, the contents of those disclosures suggest the limitations of encrypted email for protecting sources.

Like many secure and encrypted communication tools available today, encrypted email tends to protect only the content of messages. “There is a pretty big ecosystem now of secure communication tools, but there are very few that deal with anonymity and metadata protection,” said Micah Lee of The Intercept. “And the reason is that this is a much, much harder problem. A much easier problem, relatively speaking, is encryption.”

The metadata that accompanies an encrypted message sent over email, phone, or chat is enough not only to prove that a communication took place, but also to pinpoint the parties, the time, duration, and frequency of contact, the participants' locations, and whether files were attached. In some cases that metadata alone has been enough not only to identify a whistleblower, but to prosecute one.
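To make the point concrete, here is an added example (not from the article, and not SecureDrop code) that parses a constructed PGP/MIME email and lists everything a mail relay or a network eavesdropper can read without any key material. The addresses, hostnames, IPs, and timestamps are made up; the `extract_metadata` function and its field names are this example's own.

```python
"""Added example (not from the article): what still leaks from an email whose
body is PGP-encrypted.  The message, addresses, hosts and IPs are constructed."""
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed PGP/MIME message.  Only the ciphertext part is opaque; every
# header below is plaintext on the wire and in every relay's logs.
RAW_MESSAGE = b"""\
Received: from mail.example-news.org (mail.example-news.org [198.51.100.7])
\tby mx.example-isp.net with ESMTPS; Tue, 03 Jun 2014 22:14:07 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example-news.org with ESMTPSA; Tue, 03 Jun 2014 22:13:58 +0000
From: source@example-isp.net
To: reporter@example-news.org
Subject: documents re: contractor billing
Date: Tue, 03 Jun 2014 22:13:41 +0000
Message-ID: <20140603221341.AB12@example-isp.net>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
hQEMA... (ciphertext elided in this constructed sample)
-----END PGP MESSAGE-----

--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_metadata(raw: bytes) -> dict:
    """Return the metadata readable without decrypting anything.

    Received headers are prepended by each hop, so the *last* one in the
    list is the first hop: the relay that saw the sender's own IP address.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = [str(h) for h in (msg.get_all("Received") or [])]
    first_hop_ips = IPV4.findall(received[-1]) if received else []
    attachments = [
        part.get_filename()
        for part in msg.iter_parts()
        if part.get_filename()
    ]
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),     # PGP/MIME leaves Subject in the clear
        "sent": parsedate_to_datetime(str(msg["Date"])),
        "message_id": str(msg["Message-ID"]),
        "hops": len(received),              # each hop adds an IP and a timestamp
        "originating_ip": first_hop_ips[0] if first_hop_ips else None,
        "attachments": attachments,         # a file was sent, even if its content is hidden
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "size_bytes": len(raw),             # ciphertext length tracks plaintext length
    }


if __name__ == "__main__":
    for key, value in extract_metadata(RAW_MESSAGE).items():
        print(f"{key:>16}: {value}")
```

Run it and every field prints despite `body_encrypted` being true: who wrote to whom, when, from which IP, how large the payload was, and that a file was attached. Run against a mailbox rather than one message, the same fields also yield frequency and duration of contact, which is exactly the pattern evidence described above.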

“Not every source is an expert on being an anonymous source,” Poulsen said. “That’s not why they’re contacting a reporter. It’s because they’re an expert on something else.”

Timm framed the problem another way: “You can’t teach sources to be secure, because you don’t know who the sources are.”

SecureDrop is designed to be as easy as possible for sources to use while still requiring them to take reasonable security precautions. Because SecureDrop runs as a Tor hidden service, potential sources can reach its submission system only while under Tor's anonymity protections, and ideally from the Tails secure operating system as well. Tor hides where the source is connecting from; it does not stop a source from identifying themselves through what they submit.

SecureDrop is particularly useful for establishing a secure, anonymous first point of contact between source and journalist, which remains a largely unsolved problem in secure communication. As Timm explained it: “You have to make that first contact, and that first contact is almost certainly going to be insecure, so SecureDrop is a way to have that point of first contact.” Often, after beginning a conversation on SecureDrop, the journalist and source choose to move it to another, more convenient venue such as encrypted email, chat, or phone calls. For the journalist, that move has a further benefit: it is better to know your source's identity, even if you never plan to reveal it.

Still, the basic nature of digital security is that threats can never be eliminated, only reduced, one avenue of attack at a time. That has been true over the long history of cryptography, and it is compounded by the complexity of today's communications systems. Even the strongest encryption scheme can be circumvented through flaws in the software that implements it and through the network paths its traffic takes, and users can easily and unwittingly make mistakes while using these tools.

Garrett Robinson, the lead developer of SecureDrop, said:

With a lot of this stuff, we don’t have a clear sense of what an adversary could do, and so a lot of our thinking is just to make things harder for them. It’s hard for us to say, “This solves a problem.” It’s more like, “This raises a bar for an adversary.” But it’s not reasonable to assume that they can’t get around it.

Poulsen noted that these dangers can be further minimized because SecureDrop is a single-purpose system. “If you’re receiving tips on the same system that you are using to send and receive routine emails, that’s poor architecture. That’s not a good idea,” he said. “So that was the idea originally behind SecureDrop. Here, we’re going to have one little box that does nothing except stay secure, stay updated with patches, and be utterly dedicated to this one purpose of handling sensitive communications. And that is something that nobody had before.”