SecureDrop

Original author(s): Aaron Swartz, Kevin Poulsen
Developer(s): Freedom of the Press Foundation
Stable release: 0.2.1 / 9 January 2014
Development status: Active
Written in: Python
Operating system: Linux, Tails OS
Type: Secure communication
License: GNU Affero General Public License, version 3
Website: freedom.press/securedrop; Tor: freepress3xxs3hk.onion/securedrop[1]

SecureDrop is an open-source software platform for secure communication between journalists and sources (whistleblowers).[2] It was originally designed and developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.[3][4]

After Aaron Swartz's death, the first instance of the platform was launched under the name Strongbox by staff at The New Yorker on 15 May 2013.[5] The Freedom of the Press Foundation took over development of DeadDrop under the name SecureDrop, and has since assisted with its installation at several news organizations, including ProPublica, The Intercept, The Guardian, and The Washington Post.

Security

SecureDrop uses the anonymity network Tor to facilitate communication between whistleblowers, journalists, and news organizations. SecureDrop sites are therefore only accessible as hidden services in the Tor network. After a user visits a SecureDrop website, they are given a randomly generated code name.[5] This code name is used when uploading information to a particular author or editor. Investigative journalists can contact the whistleblower via SecureDrop messaging, so the whistleblower must take note of their random code name.[3]

The system uses private, segregated servers that are in the possession of the news organization. Journalists use two USB flash drives and two personal computers to access SecureDrop data.[3][5] The first personal computer accesses SecureDrop via the Tor network, and the journalist uses the first flash drive to download encrypted data from the Internet. The second personal computer does not connect to the Internet and is wiped during each reboot.[3][5] The second flash drive contains a decryption code. The first and second flash drives are inserted into the second personal computer, and the material becomes available to the journalist. The personal computer is shut down after each use.[3]

The news organization should not record any information regarding the uploader, i.e. the IP address or information about the personal computer used. The browser does not enable persistent cookies or allow third-party embedding. Anonymity is not guaranteed, but the creators claim that the system is safer than electronic mail.[4]
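
The rules in the paragraph above (no record of the uploader's IP address or machine, no persistent cookies, no third-party embedding) can be enforced at the web layer. The following Python WSGI wrapper is an added example, not SecureDrop's own code; the class name SourcePrivacyMiddleware, the list of scrubbed request fields and the header values are assumptions chosen for illustration.

```python
import re

# Request fields that reveal the uploader's network location or machine (assumed list).
IDENTIFYING_KEYS = ("REMOTE_ADDR", "REMOTE_HOST", "REMOTE_PORT", "HTTP_USER_AGENT",
                    "HTTP_X_FORWARDED_FOR", "HTTP_REFERER", "HTTP_ACCEPT_LANGUAGE")
# Cookie attributes that make a cookie outlive the browser session.
_PERSIST = re.compile(r";\s*(?:expires|max-age)=[^;]*", re.IGNORECASE)
CSP = "default-src 'self'; frame-ancestors 'none'"  # no third-party content or framing


class SourcePrivacyMiddleware:
    """Hypothetical WSGI wrapper: scrub identifying request data, harden responses."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Drop identifying fields before the application or its logger can see them.
        for key in IDENTIFYING_KEYS:
            environ.pop(key, None)

        def hardened_start(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                lname = name.lower()
                if lname in ("x-frame-options", "content-security-policy"):
                    continue  # replaced below with the strict values
                if lname == "set-cookie":
                    value = _PERSIST.sub("", value)  # leave a session-only cookie
                out.append((name, value))
            out += [("X-Frame-Options", "DENY"), ("Content-Security-Policy", CSP)]
            return start_response(status, out, exc_info)
        return self.app(environ, hardened_start)


def demo():
    """Run one constructed request through the wrapper; return what the app saw and sent."""
    seen, sent = {}, {}

    def app(environ, start_response):
        seen.update(environ)
        start_response("200 OK", [("Set-Cookie", "sid=abc; Max-Age=31536000; HttpOnly"),
                                  ("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers, exc_info=None):
        sent["status"], sent["headers"] = status, headers
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/submit",  # constructed sample
               "REMOTE_ADDR": "203.0.113.7", "HTTP_USER_AGENT": "ExampleBrowser/1.0"}
    body = SourcePrivacyMiddleware(app)(environ, start_response)
    return seen, sent, body
```

Because the fields are removed before the wrapped application runs, neither the application nor any logger it calls can write them to disk; access logging in the front-end web server has to be disabled separately.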

Freedom of the Press Foundation has stated it will have the SecureDrop code and security environment audited by an independent third party before every major version release and then publish the results.[6] The first audit was conducted by University of Washington security researchers and Bruce Schneier.[7] The second audit was conducted by Cure53, a German security firm.[6]

Prominent organizations using SecureDrop

The Freedom of the Press Foundation now maintains an official directory of SecureDrop instances. This is a partial list of instances at prominent news organizations.

Name of organization | Implementation date | Web location | Tor address
The New Yorker[1][3] | 2013-May-15 | https://projects.newyorker.com/strongbox/ | strngbxhwyuu37a3.onion
Forbes[1][8][9][10] | 2013-October-29 | https://safesource.forbes.com/ | bczjr6ciiblco5ti.onion
Bivol[1][11] | 2013-October-30 | https://www.balkanleaks.eu/ | dtsxnd3ykn32ywv6.onion
ProPublica[1][12][13] | 2014-January-27 | https://securedrop.propublica.org/ | pubdrop4dw6rk3aq.onion
The Intercept[1][14] | 2014-February-10 | https://firstlook.org/theintercept/securedrop/ | y6xjgkgwj47us5ca.onion
San Francisco Bay Guardian[1][15] | 2014-February-18 | https://bayleaks.com/ | wd5x5eexdqcjrqfa.onion
The Washington Post[1][16] | 2014-June-05 | https://www.washingtonpost.com/wp-stat/securedrop/securedrop.html | vbmwh445kf3fs2v4.onion
The Guardian[1][2] | 2014-June-06 | https://securedrop.theguardian.com/ | 33y6fjyhs3phzfjj.onion
The Globe and Mail[1][17] | 2015-March-04 | https://sec.theglobeandmail.com/securedrop/ | n572ltkg4nld3bsz.onion
Canadian Broadcasting Corporation[1][18] | 2016-January-29 | https://securedrop.cbc.ca/ | ad2ztmbv5vmbj7ic.onion
