What is SecureDrop?

SecureDrop is an open-source whistleblower submission system that media organizations can install to accept documents from anonymous sources. It was originally coded by the late Aaron Swartz, with assistance from Wired editor Kevin Poulsen and James Dolan. The project was previously called DeadDrop. Freedom of the Press Foundation took over management of the project in October 2013.

How can media organizations install SecureDrop?

Any organization can install SecureDrop for free and also make modifications because the project is open-source. We have written detailed installation instructions, which can be read here. Because the installation and operation are still complex, Freedom of the Press Foundation will also help organizations install SecureDrop and train journalists in security best practices to ensure the most protection for sources. Please go here to apply for assistance and set up an appointment. We do ask for-profit news organizations to pay for installation support and maintenance so we can continue funding the project.

How does SecureDrop work?

SecureDrop is designed to use two physical servers: a public-facing server that stores messages and documents, and a second that performs security monitoring of the first. The code on the public-facing server is a Python web application that accepts messages and documents from the web and GPG-encrypts them for secure storage. This site is only made available as a Tor Hidden Service, which requires sources to use Tor, thus hiding their identity from both the SecureDrop server and many types of network attackers. Essentially, it’s a more secure alternative to the "contact us" form found on a typical news site. Every source who visits the site is given a unique "codename." The codename lets the source establish a relationship with the news organization without revealing his/her real identity or resorting to e-mail. They can enter the codename on a future visit to read any messages sent back from the journalist, or submit additional documents and messages under the same persistent, but pseudonymous, identifier. The source is known by a different and unrelated codename on the journalist’s side. All of the source’s submissions, and replies to the source from journalists, are grouped together into a collection. Every time there’s a new submission by a source, their collection is bumped to the top of the submission queue.

What technologies does SecureDrop use?

SecureDrop does not seek to re-invent the wheel. Instead it combines several well-respected tools into an application that is easier to use for sources and forces security best practices on journalists. Among the tools used in and around the SecureDrop application are: Tor, GnuPG encryption, Apache, OSSEC, grsecurity, Ubuntu, the Tails operating system, and an air-gap.

What type of hardware is needed to run SecureDrop and how much does it cost?

SecureDrop is a free and open source application that costs nothing to install. However, the application does require hardware that news organizations must purchase, including two servers, several USB sticks, an air-gapped computer, and a firewall. We have created a recommended hardware guide, but news organizations can also choose their own hardware. It is critical, however, that the hardware is owned by the media organization and stored on its property in a secure space. The total cost of the hardware we recommend is $2,200 to $2,400, though it can be done for less if you are willing to sacrifice size and speed on the servers or are able to use recycled machines sourced from within your organization. Freedom of the Press Foundation will also physically come to your office to help set up SecureDrop and train journalists to use it if our travel costs are covered. Larger news organizations are also strongly encouraged to make a donation to the SecureDrop project for further development and tech support.

What types of attributes are required for a SecureDrop sysadmin?

  • Experience with managing Linux-based systems from the command line.
  • Proficiency with network hardware such as firewalls and switches (e.g. pfSense).
  • Experience with configuration management tools such as Ansible, Salt, Chef, or Puppet.
  • Ability to use and configure secure communication tools such as GPG.

We consider the first two to be requirements and the second two to be preferred attributes.

How does SecureDrop interact with an existing corporate network?

SecureDrop is designed with the understanding that many—if not all—news organizations’ corporate networks have already been compromised by attackers or will be in the future. The SecureDrop environment is completely segmented from the rest of the corporate network by design, through the use of a dedicated network firewall. Here's a more detailed diagram of the components of the system, which illustrates how the servers are connected to the organization's network through the network firewall:

[Figure: Detailed SecureDrop Architecture Diagram]

Journalists only connect to the SecureDrop server on their regular workstation through the Tails operating system, which does not touch their hard drive and connects to the Internet through the encrypted Tor network. Anything sent by a source through SecureDrop is encrypted with a GPG key pair, and intended to only be decrypted on an air-gapped computer that is never connected to a network.

What is required for the SecureDrop landing page?

While the main SecureDrop application runs as a Tor hidden service only accessible through the Tor Browser, news organizations need to create a SecureDrop landing page that lives on their main website. The landing page should provide directions for how to use SecureDrop, as well as detail the organization’s privacy policy. It is critical that the landing page loads as HTTPS by default, is free of third party trackers, and uses the appropriate security headers. We have created a detailed best practice guide for landing pages here. Freedom of the Press Foundation maintains a list of SecureDrop instances that are ’certified’ as using the recommended security practices. In order to be included on this list, your organization must comply with the landing page best practice guide.
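
The three landing-page requirements above (HTTPS, no third-party content, security headers) can be checked mechanically. The following Python check is an added example, not part of SecureDrop or of the best practice guide; the header list in REQUIRED_HEADERS, the function and class names, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed header set: the FAQ only says "appropriate security headers".
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options", "referrer-policy")
FETCHING_TAGS = ("script", "img", "iframe", "embed", "source", "audio", "video")

class ResourceCollector(HTMLParser):
    """Collect URLs the browser may fetch while rendering the page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in FETCHING_TAGS and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):  # stylesheets, icons, preloads
            self.urls.append(a["href"])

def audit_landing_page(final_url, headers, html):
    """Return findings for the three requirements; an empty list means pass."""
    findings = []
    page = urlparse(final_url)  # URL reached after following redirects
    if page.scheme != "https":
        findings.append("page not served over HTTPS")
    present = {name.lower() for name in headers}
    findings += [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]
    collector = ResourceCollector()
    collector.feed(html)
    for ref in collector.urls:
        host = urlparse(ref).hostname  # None for relative (same-origin) URLs
        if host and host != page.hostname:
            findings.append(f"third-party resource: {host}")
        elif ref.startswith("http://"):
            findings.append(f"insecure subresource: {ref}")
    return findings

# Constructed sample input (not a real site or a real response).
SAMPLE_URL = "https://news.example/securedrop"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.example/t.js"></script></head>
<body><img src="//cdn.example/pixel.gif"><img src="/logo.png"></body></html>"""

if __name__ == "__main__":
    for finding in audit_landing_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(finding)
```

The check covers only what is visible in one response; the landing page best practice guide remains the authority on which headers and values are expected.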

How long does setup and training take?

We generally recommend news organizations set aside two days for the setup and training process. The first day is primarily the installation with the administrators and the second day is the training for those journalists who will regularly check SecureDrop. Often, the entire process takes much less time than two days but sometimes there are unique network or hardware issues that come up and delay completion. A more comprehensive schedule detailing each step, along with common installation issues, can be found here.

Can you use SecureDrop with multiple journalists?

While SecureDrop supports having multiple journalist login accounts for the document interface, each provisioned journalist will have all of the same access as the other journalist accounts. To avoid confusion, we recommend news organizations assign 1-3 journalists to regularly check SecureDrop and make sure that they all are in contact as to who is responsible for responding to each source. Providing multiple journalist support, so that sources can send information to specific journalists, is on our roadmap for a future SecureDrop version release.

Can you share SecureDrop with different organizations?

Currently you cannot use SecureDrop with multiple organizations for security reasons. One of the benefits of SecureDrop is that it completely eliminates third parties from your communication channel. The media organization owns and operates the server that both the source and journalist connect to. Therefore any legal request or order has to be served on the media organization operating it, giving them a chance to challenge it before handing over any data. If a third party operated a SecureDrop server which multiple organizations used, a legal order could be served on the operator without the media organizations knowing.

What type of information does SecureDrop log?

The SecureDrop application does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser. The server will only store the date and time of the newest message sent from each source. Once you send a new message, the time and date of your previous message is automatically deleted. Journalists are also encouraged to regularly delete all information from the SecureDrop server and store anything they would like saved in offline storage to minimize risk. More detailed information can be found in our sample privacy policy, which we encourage news organizations using SecureDrop to adopt from when creating their own. Make sure to also follow our best practices for creating the SecureDrop landing page so that it logs as little information as possible as well.

What problems does SecureDrop attempt to solve?

In many of the recent leak prosecutions in the United States, sources have been investigated because authorities are able to retrieve both metadata and content of communications from third parties like email and phone providers in secret. SecureDrop attempts to completely eliminate third parties from the equation so that news organizations can challenge any legal orders that are served on them before handing over any data. SecureDrop also substantially limits the metadata trail that may exist from journalist-source communications in the first place. In addition, it also attempts to provide a safer environment for those communications than regular corporate news networks, which are often compromised.

How is SecureDrop audited?

Before major code changes are shipped, our policy is to have SecureDrop audited by a professional, third-party security firm. The first audit of SecureDrop, in the spring of 2013, was conducted by a group of University of Washington researchers and Bruce Schneier and can be found here. After significant changes to the system, the second audit of SecureDrop was conducted by Cure53 at the end of 2013 and can be read here. In the summer of 2014 iSEC Partners completed the third audit of SecureDrop. Their report can be read here and you can also read about how we resolved the issues they found. The most recent audit was conducted in summer 2015, also by iSEC Partners, and can be found in full here. In addition to these audits, we also have a bug bounty program hosted by Bugcrowd.

What type of lifecycle support does FPF provide?

FPF is committed to providing continuous support for SecureDrop. Some basic Linux experience is required for the admin role at the news organization but FPF staff will assist with:

  • Investigating suspicious OSSEC alerts
  • Upgrading existing installs
  • Disaster recovery processes
  • Feature Requests
  • Development

What makes SecureDrop unique?

SecureDrop is not just a web application but a whole environment with processes to cover the full lifecycle. FPF provides an audited segmented environment not reliant on corporate services for administration or management. This breaks the kill chain of an attacker trying to pivot from a compromised corporate network to the SecureDrop environment. Each device in the SecureDrop environment is deployed to provide least access and to enforce security best practices. A monitoring and alerting solution is also deployed so the administrator will be aware of the health of the environment. Since nothing can ever be considered fully secure, especially networked computers, even with all of the other hardening provided, the secret key needed to decrypt submissions only exists on an airgapped computer. This airgapped process (or sneakernet) of putting the encrypted submissions on a transfer media and physically walking them to the airgapped Secure Viewing Station helps protect the private key from most types of attacks.

Does SecureDrop promise 100% security?

No, and any organization or product that promises 100% security is not telling the truth. The goal of SecureDrop is to create a significantly more secure environment for sources to share information than exists through normal digital channels, but there are always risks. That said, each release of SecureDrop goes through a security audit by a reputable third party security firm, and we maintain an ongoing commitment to have every release audited.

Who created SecureDrop?

The web application, which was originally called DeadDrop, was coded by Aaron Swartz in 2012 before his tragic death. The hardening guide and security environment was architected by James Dolan. Investigative journalist Kevin Poulsen originally managed the project. The New Yorker launched the first implementation and branded their version StrongBox in May 2013. In October 2013, Freedom of the Press Foundation took over management and development of the open-source project and re-named it SecureDrop. FPF also hired systems architect James Dolan to help media organizations with installations and security, and Garrett Robinson to lead development. Kevin Poulsen continues to be a journalistic consultant on the project.

Is SecureDrop free software?

Yes. SecureDrop is both open source and free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This project, and all material accompanying it, is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. For more details, see the GNU Affero General Public License. In other words, please help us make it better, and spread it far and wide.

How can I contribute to SecureDrop?

There are many ways you can contribute to SecureDrop. First, donations are critical in keeping the project alive. You can go here to help us pay for development, upkeep, and security so we can travel to news organizations and help them install it. You can contribute to the development of SecureDrop by visiting our GitHub page. If you just want to dive in and start coding, make sure you read the Developer Guide first, then check out our Issues page for something to work on. If you have ideas for new security or usability features, or want to ask questions, you can also post to our development mailing list, or join us on our Gitter channel.