SecureDrop
{{short description|Free software platform}}
{{Infobox software
| name = SecureDrop
| logo = SecureDrop logo.svg
| logo caption =
| logo_size = 150px
| logo_alt =
| screenshot = Screenshot from SecureDrop Source view.png
| caption = Screenshot from the SecureDrop Source interface.
| screenshot_size =
| screenshot_alt =
| collapsible =
| author = {{hlist|James Dolan|Kevin Poulsen|Aaron Swartz}}
| developer = Freedom of the Press Foundation
| released = {{Start date and age|2013|10|15|df=yes}}
| discontinued =
| latest release version = {{LSR/wikidata}}
| latest preview version =
| latest preview date =
| programming language = Python
| operating system = Linux
| platform =
| size =
| language =
| language count =
| language footnote =
| genre = Secure communication
| license = GNU Affero General Public License, version 3
| standard =
| website = {{Official URL}}
| AsOf =
}}
SecureDrop is a free software platform for secure communication between journalists and sources (whistleblowers).{{cite news|first1= James|last1=Ball|title= Guardian launches SecureDrop system for whistleblowers to share files|url=https://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents|newspaper=The Guardian|date=5 Jun 2014}} It was originally designed and developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.{{cite web |url=http://www.techrepublic.com/blog/it-security/aaron-swartz-legacy-lives-on-with-new-yorkers-strongbox-how-it-works/ |title=Aaron Swartz legacy lives on with New Yorker's Strongbox: How it works |last1=Kassner |first1=Michael |date=20 May 2013 |website=TechRepublic |accessdate=20 May 2013 |archive-date=29 July 2013 |archive-url=https://web.archive.org/web/20130729032429/http://www.techrepublic.com/blog/it-security/aaron-swartz-legacy-lives-on-with-new-yorkers-strongbox-how-it-works/ |url-status=dead }}{{cite magazine|last1=Poulsen|first1=Kevin|title=Strongbox and Aaron Swartz|url=https://www.newyorker.com/news/news-desk/strongbox-and-aaron-swartz|magazine=The New Yorker|date=14 May 2013|language=en}} James Dolan also co-created the software.{{cite news|last1=Timm|first1=Trevor|title=A tribute to James Dolan, co-creator of SecureDrop, who has tragically passed away at age 36|url=https://freedom.press/news/tribute-james-dolan-co-creator-securedrop-who-has-tragically-passed-away-age-36/|work=Freedom of the Press Foundation|date=9 January 2018}}
History
After Aaron Swartz's death, the first instance of the platform was launched under the name Strongbox by staff at The New Yorker on 15 May 2013.{{cite magazine |url=http://www.newyorker.com/online/blogs/closeread/2013/05/introducing-strongbox-anonymous-document-sharing-tool.html |title=Introducing Strongbox |last1=Davidson |first1=Amy |authorlink1=Amy Davidson (author) |date=15 May 2013 |magazine=The New Yorker |accessdate=20 May 2013 }} The Freedom of the Press Foundation took over development of DeadDrop under the name SecureDrop, and has since assisted with its installation at several news organizations, including ProPublica, The Guardian, The Intercept, and The Washington Post.{{cite magazine|magazine=The New Yorker|url=https://projects.newyorker.com/strongbox/|title=Strongbox|accessdate=15 November 2013|archive-date=13 April 2017|archive-url=https://web.archive.org/web/20170413164430/https://projects.newyorker.com/strongbox/|url-status=dead}}{{cite arXiv|eprint=1308.6768|last1=Biryukov|first1=Alex|title=Content and popularity analysis of Tor hidden services|last2=Pustogarov|first2=Ivan|last3=Thill|first3=Fabrice|last4=Weinmann|first4=Ralf-Philipp|class=cs.CR|year=2013}}{{cite magazine|author=Davidson, Amy|date=15 May 2013|url=http://www.newyorker.com/online/blogs/closeread/2013/05/introducing-strongbox-anonymous-document-sharing-tool.html |title=Introducing Strongbox|magazine=The New Yorker|accessdate=26 December 2013}}
Security
SecureDrop uses the anonymity network Tor to facilitate communication between whistleblowers, journalists, and news organizations. SecureDrop sites are therefore only accessible as onion services in the Tor network. After a user visits a SecureDrop website, they are given a randomly generated code name. This code name is used to send information to a particular author or editor via uploading. Investigative journalists can contact the whistleblower via SecureDrop messaging. Therefore, the whistleblower must take note of their random code name.
The system utilizes private, segregated servers that are in the possession of the news organization. Journalists use two USB flash drives and two personal computers to access SecureDrop data. The first personal computer accesses SecureDrop via the Tor network, and the journalist uses the first flash drive to download encrypted data from the SecureDrop server. The second personal computer does not connect to the Internet, and is wiped during each reboot. The second flash drive contains a decryption code. The first and second flash drives are inserted into the second personal computer, and the material becomes available to the journalist. The personal computer is shut down after each use.
Freedom of the Press Foundation has stated it will have the SecureDrop code and security environment audited by an independent third party before every major version release and then publish the results.{{cite news|last1=Timm|first1=Trevor|title=SecureDrop Undergoes Second Security Audit|url=https://pressfreedomfoundation.org/blog/2014/01/securedrop-undergoes-second-security-audit|accessdate=13 July 2014|agency=Freedom of the Press Foundation|date=20 January 2014}} The first audit was conducted by security researchers at the University of Washington and Bruce Schneier.{{cite web|last1=Czeskis|first1=Alexei|last2=Mah|first2=David|last3=Sandoval|first3=Omar|last4=Smith|first4=Ian|last5=Koscher|first5=Karl|last6=Appelbaum|first6=Jacob|last7=Kohno|first7=Tadayoshi|last8=Schneier|first8=Bruce|title=DeadDrop/StrongBox Security Assessment|url=http://www.czeskis.com/research/pubs/UW-CSE-13-08-02.PDF|publisher=University of Washington Department of Computer Science and Engineering|accessdate=13 July 2014}} The second audit was conducted by Cure53, a German security firm.
SecureDrop suggests sources disabling JavaScript to protect anonymity.[https://docs.securedrop.org/en/stable/source.html Source Guide] SecureDrop
Prominent organizations using SecureDrop
The Freedom of the Press Foundation now maintains an official directory of SecureDrop instances. This is a partial list of instances at prominent news organizations.{{cite news|last1=ssteele|title=Tor at the Heart: SecureDrop|url=https://blog.torproject.org/tor-heart-securedrop|work=Tor Blog|date=6 December 2016|language=en}}
Awards
- 2016: Free Software Foundation, Free Software Award, Award for Projects of Social Benefit{{cite news|last1=Sullivan|first1=John|title=SecureDrop and Alexandre Oliva are 2016 Free Software Awards winners|url=https://www.fsf.org/news/securedrop-and-alexandre-oliva-are-2016-free-software-awards-winners|work=Free Software Foundation|date=25 March 2017|language=en|format=Press Release}}
See also
{{Portal|Journalism}}
References
{{Reflist|30em}}
External links
- {{URL|https://securedrop.org/|SecureDrop.org}}
- {{Github|freedomofpress/SecureDrop|SecureDrop}}
- [https://freedom.press/organizations/securedrop/ SecureDrop] at Freedom of the Press Foundation
{{Authority control}}
Category:Free content management systems
Category:Free software programmed in Python
Category:Software using the GNU Affero General Public License