CPJ announced last week our instance of SecureDrop, the anonymous submission system engineered to resist even nation-state surveillance. In a time of unprecedented, technologically-mediated threats to journalism both online and offline, our adoption of this state-of-the-art system will help us protect journalists who need help the most. There has never been a safer way to tell CPJ about press freedom violations anywhere in the world — or request direct support when you’re under fire for your reporting.
SecureDrop allows for secure and anonymous submissions to newspapers, watchdogs, oversight groups — or anywhere else that someone might be concerned about being identified as the source of a submission. The project is maintained by the nonprofit Freedom of the Press Foundation (FPF). SecureDrop is easy to use but difficult to compromise. Behind the friendly submission form is a sophisticated system which separates different tasks onto independent computers. Each machine only performs part of the puzzle, so it’s very difficult to exploit them together.
SecureDrop relies on the Tor network, which the National Security Agency (NSA) once called “The king of high-secure, low-latency anonymity.” Tor conceals the origin and contents of communication with CPJ’s SecureDrop server. The Tor Browser is a version of the free and open source Firefox Web browser developed by Mozilla, which the Tor Project has extensively modified to protect against a slew of possible ways that one’s anonymity could be compromised. Micah Lee, journalist and technologist at The Intercept and First Look, has written clear and detailed instructions about the best ways to stay safe when anonymously submitting materials via SecureDrop.
More technically-sophisticated sources wanting to contact CPJ may want to use the Tails live operating system, which uses Tor to anonymize all connections into and out of a computer. Tails leaves no traces, history, or logs, and provides a selection of state-of-the-art anonymity, privacy, security, and cryptography software for savvy users. British government surveillance agency Government Communication Headquarters (GCHQ) described Tails as “CNE [computer network exploitation] hell” for the no-traces features which make it much harder to attack and reliably take control of Tails — unlike most other operating systems, such as Windows, Mac OS X, or Linux distributions which aren’t specifically security-focused.
Once documents have been submitted to SecureDrop, they can’t be decrypted by any computer connected to the Internet — including the SecureDrop server. Even if the server were hacked, an attacker would not obtain access to the contents of submissions (they’re encrypted and the server doesn’t have the decryption key) or the identities of sources. Because the source accesses SecureDrop anonymously using Tor, the server — and CPJ — never know who a source is unless the source chooses to tell us. If they do, that information would be part of the submission: encrypted and inaccessible from the server.
When we receive submissions, CPJ’s staff uses Tails to securely download and copy the data to a separate disk, which is then physically moved over to the SecureDrop viewing station. This is an air-gapped computer — it has no network capabilities and is never connected to any networks (wired or wireless). Only the air-gapped viewing station has the decryption keys necessary to access submissions. Keeping it disconnected makes it much harder to attack; even if it were attacked, it would be very difficult to retrieve the keys or decrypted documents.
The goal of all this technical cloak-and-dagger is to protect the contents of submissions and the identities of sources from even a nation-state attacker like the U.S. or China, which have immense resources and capabilities. SecureDrop masks a source’s identity through technology, adding a layer of protection to journalists’ promises of anonymity. Unless a source chooses to reveal their identity, CPJ couldn’t unmask the source even if we tried.
CPJ’s San Francisco-based Technology Program worked with FPF to build and set up CPJ’s SecureDrop instance. Once the system was ready for launch, we physically transported it to CPJ’s New York headquarters.
We live in a world where ubiquitous government surveillance forces journalists to think and act like spies. Even comparatively free states like the U.S. and U.K. engage in mass surveillance, and many other states use technology to harm journalists and suppress journalism. In this environment, tools like SecureDrop will continue to be necessary for the effective practice of journalism without putting reporters or their sources at risk.
Already, CPJ’s deployment of SecureDrop has resulted in numerous submissions — from journalists who are under fire and require CPJ’s assistance to those informing us about attacks in their region. We expect it to be a core part of our Journalist Assistance and research workflow.
Staff technologist Tom Lowenthal, a strong believer in individual privacy and personal freedom, is CPJ’s resident expert in operational security and surveillance self-defense. He is also a freelance journalist on security and tech policy matters. Follow him on Twitter @flamsmark.
San Francisco-based CPJ Internet Advocacy Coordinator Geoffrey King works to protect the digital rights of journalists worldwide. A constitutional lawyer by training, King also teaches courses on digital privacy law, as well as the intersection of media and social change, both at UC Berkeley. Follow him on Twitter at @CPJInternet.