About SecureDrop

Frequently asked questions about SecureDrop and its security
  1. What is SecureDrop?
  2. What technologies does SecureDrop use?
  3. How does SecureDrop work?
  4. What type of information does SecureDrop log?
  5. What problems does SecureDrop attempt to solve?
  6. How is SecureDrop audited?
  7. What makes SecureDrop unique?
  8. Does SecureDrop promise 100% security?
  9. Who created SecureDrop?
  10. How can I contribute to SecureDrop?

What is SecureDrop?

SecureDrop is an open source whistleblower submission system that media organizations can install to accept documents from anonymous sources. It was originally developed by the late Aaron Swartz, with assistance from Wired editor Kevin Poulsen and James Dolan. The project was previously called DeadDrop. Freedom of the Press Foundation took over management of the project in October 2013.

Back to Top

What technologies does SecureDrop use?

SecureDrop does not seek to re-invent the wheel. Instead it combines several well-respected tools into an application that is easier to use for sources and enforces the use of many security best practices by news organizations. Among the tools used in and around the SecureDrop application are: Tor, GnuPG encryption, Apache, OSSEC, grsecurity, Ubuntu Server, the Tails operating system, and an air-gap to minimize exfiltration risks.

Back to Top

How does SecureDrop work?

SecureDrop is designed to use two physical servers: a public-facing server that stores messages and documents, and a second that performs security monitoring of the first. The code on the public-facing server is a Python web application that accepts messages and documents from the web and GPG-encrypts them for secure storage. This site is only made available as a Tor Hidden Service, which requires sources to use Tor, thus hiding their identity from both the SecureDrop server and many types of network attackers.

Essentially, it’s a more secure alternative to the "contact us" form found on a typical news site. Every source who visits the site is given a unique "codename." The codename lets the source establish a relationship with the news organization without revealing her or his real identity or resorting to e-mail.

They can enter the code name on a future visit to read any messages sent back from the journalist, or submit additional documents and messages under the same persistent, but pseudonymous, identifier. The source is known by a different and unrelated code name on the journalist’s side.

All of the source’s submissions, and replies to the source from journalists, are grouped together into a collection. Every time there is a new submission by a source, their collection is bumped to the top of the submission queue.


SD_diagram

Back to Top

What type of information does SecureDrop log?

The SecureDrop application does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser. The server will only store the date and time of the newest message sent from each source. Once you send a new message, the time and date of your previous message is automatically deleted.

Journalists are also encouraged to regularly delete all information from the SecureDrop server and store anything they would like saved in offline storage to minimize risk. More detailed information can be found in our sample privacy policy, which we encourage news organizations using SecureDrop to adopt from when creating their own. Make sure to also follow our best practices for creating the SecureDrop landing page so that it logs as little information as possible as well.

Back to Top

What problems does SecureDrop attempt to solve?

In many of the recent leak prosecutions in the United States, sources have been investigated because authorities are able to retrieve both metadata and content of communications from third parties like email and phone providers in secret. SecureDrop attempts to completely eliminate third parties from the equation so that news organizations can challenge any legal orders before handing over any data.

SecureDrop also substantially limits the metadata trail that may exist from journalist-source communications in the first place. In addition, it attempts to provide a safer environment for those communications than regular corporate news networks, which may be compromised.

Back to Top

How is SecureDrop audited?

Before major code changes are shipped, our policy is to have SecureDrop audited by a professional, third-party security firm. The first audit of SecureDrop, conducted in the Spring of 2013, was conducted by a group of University of Washington researchers and Bruce Schneier and can be found here.

After significant changes to the system, the second audit of SecureDrop was conducted by Cure53 at the end of 2013 and can be read here. In the summer of 2014 iSEC Partners completed the third audit of SecureDrop. Their report can be read here and you can also read about how we resolved the issues they found.

The most recent audit was conducted in summer 2015, also by iSEC Partners, and can be found in full here. In addition to these audits, we also have a bug bounty program hosted by Bugcrowd.

Back to Top

What makes SecureDrop unique?

SecureDrop is not just a web application but a whole environment with processes to cover the full lifecycle of its use. The Freedom of the Press Foundtion provides an audited, segmented environment not reliant on corporate services for administration or management. This breaks the kill chain of an attacker trying to pivot from a compromised corporate network to the SecureDrop environment.

Each device in the SecureDrop environment is deployed to provide least access and to enforce security best practices. A monitoring and alerting solution is also deployed so the administrator will be aware of the health of the environment.

Since nothing can ever be considered fully secure, especially networked computers, even with all of the other hardening provided, the secret key needed to decrypt submissions only exists on an airgapped computer. This process of putting the encrypted submissions on a transfer device and physically walking them ("sneakernet") to the airgapped Secure Viewing Station helps protect the private key from most types of attacks.

Back to Top

Does SecureDrop promise 100% security?

No, and any organization or product that promises 100% security is not telling the truth. The goal of SecureDrop is to create a significantly more secure environment for sources to share information than exists through normal digital channels, but there are always risks. That said, each release of SecureDrop with major architectural changes goes through a security audit by a reputable third party security firm.

Back to Top

Who created SecureDrop?

The web application, which was originally called DeadDrop, was developed by Aaron Swartz in 2012 before his tragic death. The hardening guide and security environment was architected by James Dolan. Investigative journalist Kevin Poulsen originally managed the project. The New Yorker launched the first implementation and branded their version StrongBox in May 2013.

In October 2013, Freedom of the Press Foundation took over management and development of the open source project and re-named it SecureDrop. In the project's early years at FPF, development was driven by James Dolan and Garrett Robinson. Today, SecureDrop is maintained by a small full-time development team at FPF and a growing volunteer community. FPF's development efforts are led by Jennifer Helsby.

Back to Top

How can I contribute to SecureDrop?

There are many ways you can contribute to SecureDrop:

Back to Top