SecureDrop me a message

My installation of the anonymous submission system SecureDrop is now live. This means that you can contact me secretly if you have material intended for my eyes only.

The open-source submission system SecureDrop was originally developed by Aaron Swartz and Kevin Poulsen, but is now maintained by the Freedom of the Press Foundation.

Strengthening source protection

Journalists communicating online must take special care to properly protect their sources. This is especially true due to current knowledge of certain government institutions’ online surveillance and data retention programs.

I think not only of NSA’s obscure methods, as these were disclosed by the American whistleblower Edward Snowden in 2013. I’m also referring to a domestically-relevant fact:

NorCert — a Norwegian security operations center representing one of the national secret services (NSM) — is actively monitoring network traffic going to and from my employer, the Norwegian Broadcast Corporation (NRK).

The system is called VDI.

The objective of VDI is to detect cyber attacks at an early stage. NorCert is very clear on the fact that this is the sole intention of the monitoring. I personally don’t doubt that, but my assumptions are irrelevant in this context.

My sources have no reason to trust collected metadata never to fall astray or be handed over to some officials holding a court order.

This is where my SecureDrop installation comes into play.

An impossible task

I first started out by writing a short tutorial on how to use the Tor network along with strong encryption to stay under the radar. My initial thought was that anyone could follow a simple set of guidelines to avoid risking their real identity being disclosed when contacting me.

I was wrong in attempting to simplify this issue. Nowadays, there are no «simple steps» for people who want to stay out of the server logs.

As my «brief» tutorial kept growing in size, I realized that I had taken on an impossible task. For example, it has become increasingly hard to register an email account without giving away your phone number. To trust any such service, even when it claims to respect your privacy, is nothing short of craziness.

There is no way to safely guide inexperienced users towards an anonymous safe haven without involving a robust, composite system like SecureDrop.

Certainly, a skilled computer geek would have no problems getting in touch with me completely anonymously. However, for non-technical people the risk of being compromised is too high. The level of discipline required to stay behind the veil poses too high a risk of making irreversible mistakes that might lead to full disclosure.

Security guidelines

The burden of sustaining a firm security regime should not rest on the whistleblower’s shoulders. On the contrary, proper source protection is an editorial responsibility.

SecureDrop puts this responsibility back in place by providing a framework for anonymity. It reduces users’ need for in-depth knowledge of web proxies, encryption schemes and security protocols.

[Image: Installation and configuration of the SecureDrop rig. Caption: SecureDrop setup.]

SecureDrop utilizes the Tor network for anonymity. It uses strong encryption to protect message content, and provides a carefully orchestrated server environment that is constantly monitored for a range of potential network attacks.

Following the deployment best practices from the Freedom of the Press Foundation, my web site does not log user activity. In particular, I have disabled IP address logging of anyone visiting my contact page with instructions on using SecureDrop.

I do not use cookies and have no third-party analytics software that might trace my users. The web server is configured with the suggested security headers, and delivers secure content (https) only.

You’ll find instructions on how to use my SecureDrop server on my contact page.
