Legal Protections of SecureDrop
“People think of SecureDrop as a technical tool,” said Timm of the FPF, “but it’s almost as much a legal tool.” He pointed to the recent history of journalism to explain the specific needs that SecureDrop was designed to address. Since the 1970s, he said, journalists had banded together and produced “one of the most effective civil disobedience campaigns since the Civil Rights era.” They effectively refused to testify against sources and would voluntarily go to jail to avoid doing so. This led many states to pass shield laws, which protect the reporter’s privilege not to disclose their interaction with sources. There is not yet a federal shield law, but many federal circuit courts at least provide some limited privilege for journalists based on the First Amendment.
In leak cases during the Obama administration—the largest number filed under any U.S. president—none has required a reporter to testify. In the James Risen case, one reporter was subpoenaed, but federal prosecutors eventually dropped the subpoena and then easily convicted the source using electronic records from the government.
“I think a major reason that there have been so many prosecutions of sources in the past decade,” Timm said, “is that the government figured out that they didn’t need reporters to testify against their sources anymore.”
The legal advantage of SecureDrop is that the servers reside on the media organization’s property, so no one else has access to them. When both the source and the journalist are using this system to communicate, they are only connecting to the server on the newsroom premises. There are no third parties who could be subpoenaed to release information, so the news organization can conceivably return to fighting battles over reporter’s privilege even if information is communicated over a digital channel. Timm explained:
Let’s say The Washington Post publishes a blockbuster story and they say that SecureDrop was used—or the government thinks SecureDrop was used. If they want to subpoena someone, they need to serve it on the news organization, and that means we can re-trigger the right that these organizations have lost over the past decade, which is that they will have the ability to challenge the subpoena before handing over the information—to go to a judge and say that this violates the First Amendment. They will have the ability to appeal it and ultimately reserve the right to be held in contempt of court rather than hand it over.
This will really make the bar for the government a lot higher. Number one, maybe the government just won’t issue the subpoena in the first place, because they know it will be difficult and they won’t want the public fight. Number two, even if the news organization ultimately loses after a years-long court battle, hopefully SecureDrop collected so little data on the source that it would be useless to the government anyways.
By comparison, even the strong protections of encryption systems like PGP email only conceal the contents of messages. They do not conceal the fact that communication has taken place between two parties, and in some cases that may be enough to endanger the source. No matter how difficult it is to break the encryption, if your source sends an email from anything besides a personal server, there is little to stop either eavesdropping on the transmission of that message or the seizure of records from the provider. SecureDrop solves both of these problems.