Today the Tow Center for Digital Journalism at Columbia Journalism School has published a first-of-its-kind study on how newsrooms are using SecureDrop, our open-source whistleblower submission system that is now in-use at over thirty news organizations worldwide.
People often ask us: How effective is SecureDrop? Do sources use it? These are hard questions to answer, since SecureDrop’s very design prevents us at Freedom of the Press Foundation from seeing any submissions or accessing any data on it at all once the system is installed at a news organization. This is, of course, a good thing—given how so many news organizations have been spied on in recent years due to third parties controlling their email and phone calls.
And naturally, news organizations are hesitant to talk about how they use SecureDrop as well — the whole point of SecureDrop is to protect the identity of their sources, and by discussing where information in certain stories came from, they may put their sources at risk.
However, thanks to a newly published study led by PhD student Charles Berret at Columbia Journalism School, we can now safely reveal a little more information about how SecureDrop works.
Berret’s report recounts the project’s beginnings with its founders Kevin Poulsen and the late Aaron Swartz, how and why Freedom of the Press Foundation took over the project and its growth over the past several years. But the most interesting part are the interviews he conducts with a handful of news organizations and journalists who have been running their own SecureDrop instance for over a year (and in some cases two). Here are some of the highlights, which are direct quotes from the Tow Center report:
The Intercept's editor-in-chief Betsy Reed: “Especially recently, as awareness grows of its existence, we’ve seen more and more good stories coming out of that pipeline.”
The Washington Post’s researcher and editor Julie Tate: When asked if SecureDrop has been successful at The Post, Tate replied, “Definitely. I can’t go into what those stories are. But we’ve had success with it, definitely.”
Gawker's executive editor John Cook: Asked whether the platform has proved useful as a reporting tool, Cook said yes, and elaborated that his staff has been working on a long-running and potentially promising investigation based on a tip from SecureDrop: “The best one—which I wouldn’t feel comfortable talking about—is something that we’re still working on, and it’s been a long-term thing, but I don’t want to talk about it.”
Toronto Globe and Mail’s Alasdair McKie explained that the system quickly proved itself useful, yielding a story almost immediately after its launch. He said:
The fact that there are people who are willing to contact us over SecureDrop, who are not willing to contact us through another avenue, underscores for people not just the editorial leadership in the newsroom, but also just the company in general, that information security is a fact of life now.... And the sooner we incorporate that into the way we go about our business, the better it is for news organizations, in particular, because we are the focus of policy-making information in our society.
ProPublica's Scott Klein: “We don’t see SecureDrop exclusively as a way for anonymous whistleblowers to send us the proverbial ‘plain brown envelope’ full of data, because that’s actually a pretty rare event. We also see SecureDrop as an ideal way for sources we know to send us data and documents in an environment where the anonymity and security are turned up to eleven.
Three-time Pulitzer winner Barton Gellman has had at least three sources contact him with “significant and journalistically valuable” information through SecureDrop.
Wired’s Kevin Poulsen (also SecureDrop co-creator) said that he checks his system “regularly” and that it gets “plenty of use.”
We are proud of how SecureDrop has become a vital tool in many newsrooms, however, there is still much work to be done. Freedom of the Press Foundation continuously reevaluates the design and configuration of SecureDrop to mitigate constantly changing surveillance threats, and the Tow Center’s report provides valuable insights into how real-world journalists use the system.
We are excited to see how SecureDrop evolves over the next two years. In particular, we hope to improve the usability of both the installation and the journalists’ workflow, based on feedback from participating organizations.