Skip to main content

SecureDrop and the problem with anonymous leaks

SecureDrop and the problem with anonymous leaks


Do sources still need journalists?

Share this story

Yesterday, The Intercept published a blockbuster report, revealing that a major prison phone company may have been recording calls between prisoners and their attorneys. It was fascinating news, but just as interesting was where the information came from. It was based on tens of thousands of call records, which had arrived through The Intercept's SecureDrop server — a nested combination of Tor, PGP, and other tools designed to separate the leaker from anyone trying to expose him. In this case, it worked just the way it was supposed to: The Intercept got the documents and a way to communicate with its source, while the source stayed comfortably in the shadows.

It's the first major example of SecureDrop being used for its intended purpose, but what's interesting is how long it took. It's been two and a half years since publications first started setting up the system, and over the same period, public document dumps have become an almost commonplace part of the media. Leaked archives from Sony Pictures, Hacking Team, and Ashley Madison have established a new playbook for drawing media attention to incriminating or otherwise scandalous documents. It's a far messier playbook than the one SecureDrop laid out, fraught with all sorts of moral and journalistic hazards, but it's already threatening to overtake SecureDrop's more traditional notions of journalism.

There are serious drawbacks to torrent leaks, but they're all on the journalist's side

The new playbook is simpler than SecureDrop, beginning with an anonymous Pastebin statement, including a torrent link where any curious citizens can download the full data cache. It's a less secure way to leak things — P2P file transfers are notoriously difficult to disguise, even routed through a VPN — but so far the protection seems to have been enough, generally because the companies involved don't have the technical resources to follow up. The Sony leaks are the only incident to have been effectively traced back to its source, and that required the NSA's help. In practice, the Pastebin method offers roughly what they would have gotten from a system like SecureDrop — a simple way to make documents public and then disappear.

There are serious drawbacks to torrent leaks, but they're all on the journalist's side. He has less time to research, since the materials been made public to everyone at once, which may lead to inaccuracies or haphazard publication. There's also no way to talk to the leaker, a channel SecureDrop takes pains to include. That makes it difficult to verify where the documents came from and why they've been released. But while those are serious problems for anyone writing the story, they're arguably positive for someone releasing documents. There's no way to scrutinize their motives, and no concern that a publication will pass on a story it can't verify.

Leaks are shuffling off journalistic norms entirely

If you believe in classic investigative journalism, that's a depressing thought. Developed by free-software hero Aaron Swartz, SecureDrop was meant to fuse the anarchic, free-data ethos of Wikileaks with the classic investigative journalism of Watergate and the Pentagon Papers. Publications like The New Yorker, The Washington Post, and ProPublica rushed to adopt it as a best practice in the wake of the Snowden leaks. When that system works, it looks like a lot of the stories published at The Intercept — first Snowden, then the Drone Papers, and now Securus. But increasingly, leaks are shuffling off journalistic norms entirely, and the price for doing so is lower every day.

That doesn't mean publications should abandon SecureDrop — The Intercept is surely glad they kept theirs running — but it raises real questions about how leaks will work in today's media. SecureDrop was a genuinely visionary product — but like many visionary technologies, the world has gotten away from it. The idealistic view of anonymity has been replaced by something more chaotic. Having solved the problem of anonymous disclosures, we're facing the trickier problem of making them accountable.