SecureDrop is an open-source project created by (the late) Aaron Swartz with support from Kevin Poulsen and James Dolan. The entire raison d'être of SecureDrop is to create a safe information exchange mechanism between media organizations and whistle-blowers.
The solution requires two servers:
- a TOR-facing server to store messages and files
- a private server that monitors the security of the first server
When a message or files are dropped on the first server, the information is encrypted with GPG for secure storage.
By using the TOR anonymizing network, whistle-blowers can protect their identities from local threats (schools, companies & governments) and from the media organization receiving the information.
If TOR is blocked from your origin location, you can use the special GETTOR service I wrote about here.
The SecureDrop system assigns a codename for every whistle-blower. This codename is a means for the media organization to build a relationship with the whistle-blower while maintaining full anonymity.
It is obvious why the whistle-blower benefits from the anonymity, but the media organization benefits too. The media organization may be given information it otherwise couldn't obtain. Journalists are also protected: they can't "give up" their sources, because they don't know who those sources are.
The system doesn't use any third-party embedded content, and the only information it logs is the codename and the date/time of the last message sent. Every time a new message is sent, the previous date/time stamp is deleted.
Who uses SecureDrop?
At last count, there were more than 36 news organizations around the world that use SecureDrop. You can find the list here. Some "normal" web links to media organizations that leverage this tool include:
- [AP] https://www.ap.org/tips/ - 3expgpdnrrzezf7r.onion
- [CBC] https://securedrop.cbc.ca/ - ad2ztmbv5vmbj7ic.onion
- [Globe and Mail] https://sec.theglobeandmail.com/securedrop/ - sml5wmpuq7ifq2mh.onion
- [The Guardian] https://securedrop.theguardian.com/ - 33y6fjyhs3phzfjj.onion
- [The Intercept] https://theintercept.com/source/ - intrcept32ncblef.onion
- [New York Times] https://www.nytimes.com/newsgraphics/2016/news-tips/#securedrop - nyttips4bmquxfzw.onion
- [ProPublica] https://www.propublica.org/leak-to-us/ - pubdrop4dw6rk3aq.onion
- [Radio Canada] https://sourceanonyme.radio-canada.ca/ - w5jfqhep2jbypkek.onion
I added the last link (Radio Canada) because they are the French sister site to the CBC and accept French submissions.
The above links are the normal internet web pages that explain (for each site) how they use SecureDrop. Links to the TOR SecureDrop for each can be found in the main directory above or on each of the normal web pages.