Reddit asks, we answer: Q&A on whistleblowing, SecureDrop, and sharing info with the press

From Daniel Ellsberg’s Pentagon Papers to Edward Snowden’s National Security Agency surveillance disclosures, whistleblowers have been behind some of the most impactful revelations in American history.

Both Ellsberg and Snowden risked their safety and personal freedom to leak documents to the press. While whistleblowers face similar risks today, they can protect their identities using modern whistleblowing platforms like SecureDrop — a project of Freedom of the Press Foundation (FPF) — and anonymity systems like the Tor Network.

To answer questions about how the public can safely share information with the press and use available tools to do so, FPF’s Chief Information Security Officer and Director of Digital Security Harlo Holmes and SecureDrop Staff Engineer Kevin O’Gorman engaged with Reddit’s r/IAmA community members on June 10 in a Q&A session.

The following select questions from various Reddit users, and Holmes and O’Gorman’s answers, have been edited for brevity and clarity. You can view the full thread here.

If I were a whistleblower with top-secret information, how would I get it to the newspapers without getting caught? What’s the high-level process like?

Harlo: There are a lot of variables that you’d have to consider and would only know of once you’re in that position! But, please know that whistleblowing is a hugely heroic act and there are always risks. Not only is there the possibility of “getting caught,” as you say, there is the prospect of retaliation down the line, loss of livelihood, and a lot of trauma that comes with making such a huge decision.

Other higher-level processes have to do with the aftermath. In a newsroom, journalists and their editorial team deliberate a lot about how best to write the story with what the whistleblower has supplied them. This may mean weighing matters of security, reputation, and the protection of everyone involved.

About a year ago, Signal introduced phone number privacy and usernames, effectively enabling Signal users to be (almost) anonymous if they want to. And major news outlets like The New York Times and The Guardian accept tips through Signal. Can you tell me how SecureDrop is more secure and better at protecting the privacy of the whistleblower?

Harlo: They’re both good. It’s all about “right-sizing” your tipline support. SecureDrop can be beyond the budget or bandwidth for some small newsmakers, and that’s why we at FPF can help in building a solution that fits. Fundamentally, a newsroom should ensure confidentiality and encryption. Both tools will get you there.

Kevin: Further to Harlo’s point, Signal’s approach is definitely better at scale and in general, while SecureDrop is designed to solve a more specific problem. That said, SecureDrop has some advantages for leaking to the press.

Signal requires a dedicated app, which leaves traces of its use. A source facing potential seizure and examination of their devices will leave fewer traces using Tor Browser. SecureDrop relies on an airgap to protect its decryption key, which protects journalists and sources by quarantining file submissions and makes it harder to target journalists with malware.

There are always trade-offs in play between security and ease of use, Signal is a solid choice and, from a purely cryptographic perspective, there’s no faulting it.

The Democrats released their own “whistleblowing” form a few months back for federal workers. That seems like a supremely bad idea, yes? It just looks like a Google form. Are there any big failures that you are aware of?

Harlo: Not my show, not my monkeys. We work with the press and are restricted from working with political parties. That said, we can share some tips regarding safer whistleblowing practices that anyone can adopt if they’re building a platform for intake!

First off, “be available everywhere.” In the past, whistleblowers have been burned because their web histories pointed directly to when and where they reached out to their journalist. So, use the commons of the internet to give people the information they need to securely establish first contact. If you’re running a tipline advertisement on your own website, use an encrypted and safe URL that will not indicate that the public has visited your explicit whistleblowing instructions.

Third-party services like Google are not your friend for the most sensitive of data. Google can definitely be subpoenaed for all the juicy whistleblower details. Find an alternative. Make your submission portals available over Tor, too! Visiting an onion address can make a huge difference.

Lastly, encrypt all the things. This means data in transit as well as at rest. If you are going to plop the next Panama Papers on your hard drive, encrypt that computer like your life depends on it.

As we have recently seen in some dramatic examples, all of the world’s encryption can’t help if the users misuse it. When you help news orgs set up SecureDrop, doesn’t this basically mean that you have to be giving them constant support to them and to whistleblowers on how to use it?

Kevin: This is the gig :)

By design, we have no contact with whistleblowers using SecureDrop. A key property of the system is that it is self-hosted with no subpoenable third parties in the loop, including us.

But we do journalist digital security training, publish guides for whistleblowers, and work with newsrooms to ensure they’re providing prospective sources with good operational security guidelines via their sites.

On the administration side, once set up, SecureDrop instances are actually pretty low-maintenance in terms of support — most updates are automated, for example. We run a support portal available to all administrators, but probably only about half of instances ever need to reach out. The system’s applications do need frequent security updates, and while the codebase is mature at this stage we do regular audits and make changes as a result, so there is an ongoing development effort there.

What do you all think about the security of good ol’ postal mail for whistleblowers, especially if they have a hard drive or doc trove to share? Is it always better to go with a secure digital solution or is there still a utility to the old-fashioned tactics like mail and IRL dead drops?

Kevin: A lot of newsrooms still offer postal mail as an option for tips, and there are definitely cases where it makes sense. If you’re dropping multiple gigabytes worth of files for example, systems using Tor are going to be slow and prone to network issues. (SecureDrop has a hard limit of 500MB on individual submissions, partially for this reason).

But it’s important that sources remember they still need to take steps to protect their anonymity when using postal mail. Obviously, adding a return address that is associated with the source in any way is a bad idea, as is mailing it from a post office or a mailbox somewhere you spend any amount of time. So sources should be posting their tips from mailboxes somewhere they don’t normally go.