clock menu more-arrow no yes mobile

Filed under:

The New Yorker launches Strongbox, an anonymous inbox developed by Aaron Swartz

New, 6 comments
security code graphic
security code graphic

Before his suicide in January, hacktivist Aaron Swartz was working on an ambitious project: an encrypted dead drop system that could receive and protect files from anonymous sources. Wired editor Kevin Poulsen, who met Swartz when his site Reddit was sold to Condé Nast (which owns both Wired and The New Yorker), had asked him to help design a secure and anonymous inbox for investigative reporting. Over the course of a year, Poulsen and Swartz worked out the system with help from security expert James Dolan, creating a stable version by December 2012.

But the tentative launch plans were derailed by Swartz's death. "In the immediate aftermath, it was hard to think of anything but the loss and pain of his death," writes Poulsen. "A launch, like so many things, was secondary." In the months afterwards, though, he put together the remaining pieces and offered it to The New Yorker. Today, The New Yorker launched its implementation of the system, called Strongbox.

Unless a source chooses to identify themselves, they're known only by a randomly generated codename

Strongbox is essentially a secure dropbox combined with various protocols that will make messages harder to trace. To connect to it, a source must use the TOR anonymization network; from there, they can upload a file and receive an randomly generated code name in return. Files will be encrypted and sent to a server separate from the rest of Condé Nast's network, and editors must take a number of security precautions — including decrypting the files themselves on a separate computer not connected to the internet — in order to view them. Further communication will use the code name. A basic breakdown of the process can be found at The New Yorker.

The launch comes only a few days after the AP revealed that Justice Department investigators had monitored phone calls from reporters to get at their sources. Strongbox is designed to make news organizations at least somewhat less vulnerable to government or corporate requests: unless a source chooses to identify themselves, even the reporters won't know who they are, and unlike with an email from a throwaway account, there's no Google or Yahoo to subpoena. Strongbox is used only by The New Yorker, but the underlying code, known as DeadDrop, is available under an open source license on GitHub.