slides
2013
- Raised $500,000 for transparency journalism organizations, including $200,000 for WikiLeaks
- Funded transcripts for Chelsea Manning Trial
- Advocacy around First Amendment, whistleblowers, and digital security
First audit
Adopted DeadDrop in August 2013
Second audit
Current deployments
- New Yorker
- Forbes
- BalkanLeaks
- Global Mail
- ProPublica
- The Intercept
- More coming soon...
Why is SecureDrop needed?
- For decades, journalists protected their sources by going to jail rather than giving them up to prosecutors.
- Starting around 2008, the government realized they didn’t need journalists to testify against their sources anymore.
Why is SecureDrop needed?
- Unprecedented crackdown on whistleblowers
- Government has access to your digital trail
- NSA revelations
- Some sources demand it
Crypto the rescue!
... or is it?
Usability
- For journalists
- the "Glenn Greenwald problem" (apologies to Glenn)
- For sources
- Do you need the technical skills of a Chelsea Manning or Edward Snowden to safely blow the whistle in 2014?
- Should you?
Threat Model
- Published documents should not be attributable to a source
- Source is default anonymous, even to the journalists
- Ultimate goal: resist powerful adversaries (nation states)
Architecture (0.x)
- Current system is a web application (Python/Flask)
- Plaintext submissions are encrypted by the server
- Source reply keys are managed by the server
Interesting problems
- Usable, transparent encryption
- Establishing trust in journalist keys (PKI)
- Submission metadata (potentially identifying)
- DoS prevention
- Improving journalist workflow (while maintaining security)
Architecture (1.x)
- API
- End-to-end encryption
- Distributed Auditability
- Resist traffic analysis?
Opsec
- Technology alone is not enough
- "Tor is not magic OPSEC sauce"
- Sources need to practice good OPSEC to stay safe.
- Journalists need good OPSEC to protect their sources (and are already being targeted)