It has been three years since the Freedom of the Press Foundation (FPF) launched the open-source whistleblower submission system SecureDrop, and already its ranks of users include The New Yorker, ProPublica, The Guardian, Gawker Media, the Washington Post, and The Intercept. And just last month, the Committee to Protect Journalists became the latest organization to jump aboard.
It all begs the question: Will secure encryption systems like SecureDrop become a fixture of modern journalism? And should your news team be scrambling to catch up?
Until recently, very little information existed about how SecureDrop has been used and what challenges have confronted its early adopters. But last month, the Tow Center for Digital Journalism at Columbia Journalism School released a report that finally offers some clues.
The full report is worth filing away for a weekend #longread, but in the meantime, here are four highlights from the report — and from my interview with its author Charles Berret.
After Snowden Leaks, (Some) News Organizations are Taking Steps to Improve Security
The report indicates that journalists have grown more concerned about privacy and security in the wake of Edward Snowden’s NSA revelations.
According to a 2015 Pew poll cited in the report, 64 percent of investigative journalists believe they’ve been subjected to surveillance by the U.S. government, and 38 percent of those journalists adopted secure communication tools.
For example, an MIT directory revealed a sharp spike in the number of PGP encryption keys registered to journalists following the Snowden leaks. But although the number of PGP keys registered at places like ProPublica, the Guardian, and Gawker more than tripled post-Snowden, not all news organizations made changes.
“It is worth noting that journalists’ adoption of encryption tools has been highly uneven,” Berret wrote in the report. “The vast majority of news organizations have no listings at all in the directory.”
Lots of Noise, But Some Signals Too
News organizations have received plenty of malware, spam, conspiracy theories and other unwanted submissions through SecureDrop, according to the report.
But even if “the ratio of chaff to wheat is unsurprising” (as one interviewee put it), there’s evidence that at least some tips are proving fruitful. “Especially recently, as awareness grows of its existence, we’ve seen more and more good stories coming out of that pipeline,” said Betsy Reed, editor of The Intercept, according to the report.
Berret says news organizations were reluctant to share any specifics about the SecureDrop submissions that led to stories — or even to disclose how often useful submissions have come in. But the general feedback appears to be positive. As Julia Tate, a journalist at the Washington Post, told Berret: “I can’t go into what those stories are [that began with SecureDrop tips]. But we’ve had success with it, definitely.”
Protecting Sources Could Become a Thing Again
Historically, the ultimate test of a journalist’s mettle has been their willingness to go to prison to protect a confidential source’s identity. In the 1980s and ’90s, for example, at least a dozen journalists served jail time for refusing to turn over sensitive information to the government.
But in an age of government surveillance and extensive electronic records, prosecutors have rarely needed journalists’ help getting to the bottom of cases. As Berret explains in the report:
“In leak cases during the Obama administration—the largest number filed under any U.S. president—none has required a reporter to testify. In the James Risen case, one reporter was subpoenaed, but federal prosecutors eventually dropped the subpoena and then easily convicted the source using electronic records from the government.”
If successful, SecureDrop will give whistleblowers and other confidential sources a way to submit tips online without being traced. As Trevor Timm, executive director of FPF, explains in the report, that could improve journalists’ ability to protect their sources.
“Let’s say The Washington Post publishes a blockbuster story and they say that SecureDrop was used—or the government thinks SecureDrop was used. If they want to subpoena someone, they need to serve it on the news organization, and that means we can re-trigger the right that these organizations have lost over the past decade, which is that they will have the ability to challenge the subpoena before handing over the information—to go to a judge and say that this violates the First Amendment. They will have the ability to appeal it and ultimately reserve the right to be held in contempt of court rather than hand it over.”
SecureDrop’s Future in Journalism — And Beyond
Although SecureDrop is an open-source system, news organizations must still grapple with several significant barriers to entry, especially when it comes to usability. Installation remains a complicated process, for example, and the interface could be made more user-friendly.
“[The developers] acknowledge there’s still a way to go,” Berret said. “They’re pushing toward being less of an arcane, highly specialized thing that only the techiest reporter in the whole newsroom can use.”
But despite its challenges, SecureDrop has now been installed by more than a dozen news organizations, as well as a handful of NGOs and individuals. And Berret says SecureDrop’s list of uses could continue to grow.
“You can imagine SD being a useful tool for anything that involves oversight, and anything in which people are taking risks by speaking up about something they know,” he said. “It’s the best tool out there for that right now.”
Ben DeJarnette is the associate editor at MediaShift. He is also a freelance contributor for Pacific Standard, InvestigateWest, Men’s Journal, Runner’s World, Oregon Quarterly and others. He’s on Twitter @BenDJduck.