As Journalists Seek Encryption, SecureDrop Proves a Challenge
A look inside the anonymizing software protecting sources across the magazine industry.
If you want to reach Thomas Fox-Brewster, you'd best be prepared to download new software. In his Twitter bio, Fox-Brewster — a security reporter for Forbes — lists a series of codes which will allow anyone with a tip to covertly reach out through an encrypted channel. It might seem inconveniently picky, even a potential obstacle to reaching sources, but Fox-Brewster is among the growing ranks of journalists who have ditched insecure communication techniques in favor of tools like Signal and Ricochet.
Encryption has become increasingly common for journalists hoping to get the next big story by ensuring sources that their identities stay secret while their secrets go public. There are many options to choose from, some open source and others proprietary, with no consensus on any standard. This leaves newsrooms to fend for themselves as they try to protect people with secrets without making it too difficult for such whistleblowers to come forward.
Last Thursday, Wired became the latest magazine to publicize its use of SecureDrop, which allows whistleblowers and leakers to anonymously send documents and messages to media organizations without identifying or traceable information. This comes one month after Forbes adopted the program, and four years after The New Yorker took the technology public.
Compared to applications like Signal and Ricochet, which are used in conjunction with smart phones and personal computers, SecureDrop might be the most secure way to leak documents. But its set up is complex and its yield so far has been low — a steep consideration as some news organizations spend up to $3,000 in new hardware, and $10,000 in support contracts with the Freedom of the Press Foundation, which manages the SecureDrop project.
"SecureDrop can be a little bit intensive," Harlo Holmes, director of newsroom digital security at the Freedom of the Press Foundation, tells Folio:. “Source protection is really difficult to begin with…This is one way that is addressing that problem head on.”
THE MOTHER OF INVENTION
SecureDrop was first conceived in 2011 by famed programmer and activist Aaron Swartz at the request of Kevin Poulsen, an editor at Wired.
"There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source," Poulsen wrote in 2013. "With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards."
The tool has seen a resurgence since the election of President Donald Trump, who has publicly threatened to prosecute government employees who leak documents to the press. However, the origins of SecureDrop harken back to WikiLeaks and Obama-era strong-arming by the Department of Justice to get journalists to identify confidential sources.
With SecureDrop, there’s nothing to identify. Journalists are as ignorant of their sources as the Department of Justice itself. While this creates its own issues in terms of authentication, it frees up reporters from external pressure to reveal sources. This is in contrast to a phone call, which can be tapped or traced through phone companies, or apps like Facebook Messenger; Facebook is explicit in its willingness to reveal the content of messages when faced with a valid search warrant.
“In an age of pervasive internet surveillance, traditional tools like email and phone calls are no longer enough to safely link reporters and their contacts. The most sensitive sources need a more secure channel, one that’s encrypted and anonymous by default,” senior writer Andy Greenberg wrote in last week's announcement about Wired adopting SecureDrop.
A SLOW START
The New Yorker was the first magazine to publicize its use of the system in 2013, then under the name “Strongbox.” It’s since been followed by The Intercept, ProPublica, and The New York Times — publications known for their extensive investigative reporting. The Nation will also join later this year.
While many publications embrace the publicity as a means of coaxing tipsters, others prefer to keep their use, well, anonymous. The perils of an open inbox might include an influx of bizarre messages, or in the case of The New Yorker, endless poetry and cartoon submissions, according to Holmes.
Michael Luo, editor of NewYorker.com and a former investigative editor at The New York Times, says that while he’s a big fan of the system, it has yet to pay off. Eric Lach, the site’s deputy news editor, checks the system every few days, but it hasn’t led to any stories.
“We’re certainly getting tips, but nothing incredibly useful,” Luo tells Folio:. “Why is that? I guess I feel like, at this point, The New Yorker is not necessarily the front-of-mind outlet for those kinds of leaked documents and data, in the way that The Times and ProPublica, for example, are.”
Elsewhere in the mediasphere, however, stories are trickling in. Last week, Vice’s Motherboard published a story about people who spy on their loved ones, informed by data obtained through SecureDrop. In February, Gizmodo published a recording of Trump discussing trade tariffs with Wilbur Ross, a then-nominee for Secretary of Commerce.
“The proposals came during an apparent phone conversation that was captured on video and provided to Gizmodo via SecureDrop, a portal permitting whistleblowers and sources to reach us while remaining anonymous,” the article reads.
INSIDE THE MACHINE
To discreetly share documents or messages with a participating newsroom, tipsters must download Tor, a software program which allows users to circumvent existing tracing mechanisms that reveal location and other information. Tor is best known as an entry port for the “Dark Web” — a difficult-to-access set of websites which sometimes facilitate illegal activities, such as the hiring of hitmen.
Not everyone seeking anonymity is a murderer, however. Tor is often seen as the best bet for sources inside the government or corporations who wish to share information which is of public interest, but puts the source at risk in their personal or professional lives.
Sources are given a random code name which acts as a passcode. They can use this name to reaccess messages at a later date. This code name is different than the name that appears for the journalists on the other side.
For the newsroom, however, things are more difficult to set up. The Foundation combats this flaw with a sliding pay scale for technical support and training. “We know that not every news organization that wants to support public interest journalism is going to be as well funded as The Washington Post,” says Holmes.
For-profit institutions are asked to pay $10,000 for a year of support, which covers installation — performed in office by Freedom of the Press Foundation staff — the training of journalists and IT, and the set up of a SecureDrop landing page, in accordance with the Foundation’s best practices. This contract also covers ongoing support. Media organizations are expected to pay the Foundation's travel expenses as well.
Since SecureDrop is open source (and therefore free), newsrooms can conceiveably set up the system themselves, even using repurposed hardware. For these companies, the Foundation offers a year of support and training for $5000.
While it doesn’t matter which specific hardware is used, the Foundation provides recommendations in the range of $2000–$3000 per set up.
A fully functioning newsroom setup requires a server to run the application itself; a server to monitor the health of the first server; a dedicated firewall to keep SecureDrop separate from the rest of the newsroom’s traffic; computers with the operating system Tails, on which the reporters can view the documents securely; a separate computer — generally “well-guarded” — which hosts a user interface on which a specific set of editors (usually only one or two) can review submissions; and USB sticks to transfer the documents from the well-guarded computer to the viewing station, and from the viewing station to a normal computer, where the journalist eventually prepares the documents for publication.
“SecureDrop is notoriously challenging to use and takes dedication within a newsroom to check it diligently and respond. But it’s pretty good now for what we’ve got, and it’s only going to get better,” Holmes says.
Though SecureDrop was built by and for the magazine industry, several other pieces of software are popular with journalists due to their differing levels of security and ease of use.
Signal is a secure call and messaging app, run by volunteers and grant-funded programmers under the moniker Open Whisper Systems. It’s open source and free to use.
Signal is like WhatsApp for the fearful. Users download an app, which then uses the phone’s existing number and contact book. All messages are encrypted on both sides, which means that Open Whisper Systems can’t see your messages, though communication is not anonymous between users. The good news is, with end-to-end encryption, Open Whisper Systems has nothing to share with law enforcement should they request message transcripts.
Ricochet is a machine-specific instant messaging system which operates through Tor. The free and open-source software is encrypted end-to-end, and anonymized, which means your computer does not know where the messages are coming from.
Contacts are added through a specific serial code which is visible and shareable with other users. However, contact relationships are device specific and don’t run through servers or networks.
Open PGP (Pretty Good Privacy) is a non-proprietary email encryption software which can be used in conjunction with Windows, Mac and Android mailbox tools, as well as many others. Like the other services, Open PGP uses end-to-end encryption, which makes it difficult for emails to be read if they are intercepted.