CPJ's SecureDrop instance sits in the organization's San Francisco office prior to being transported to New York. (Geoffrey King)
CPJ's SecureDrop instance sits in the organization's San Francisco office prior to being transported to New York. (Geoffrey King)

How SecureDrop helps CPJ protect journalists

CPJ is proud to announce our instance of SecureDrop, the anonymous submission system engineered to resist even nation-state surveillance. In a time of unprecedented, technologically-mediated threats to journalism both online and offline, CPJ’s adoption of this state-of-the-art system will help us protect journalists who need help the most. There has never been a safer way to tell CPJ about press freedom violations anywhere in the world — or request direct support when you’re under fire for your reporting.

CPJ’s SecureDrop submission system is live at 2x2hb5ykeu4qlxqe.onion. To contact us, download the latest Tor Browser and head to our SecureDrop onion address.

SecureDrop allows for secure and anonymous submissions to newspapers, watchdogs, oversight groups — or anywhere else that someone might be concerned about being identified as the source of a submission. The project is maintained by the nonprofit Freedom of the Press Foundation (FPF). SecureDrop is easy to use but difficult to compromise. Behind the friendly submission form is a sophisticated system which separates different tasks onto independent computers. Each machine only performs part of the puzzle, so it’s very difficult to exploit them together.

FPF engineer Conor Schaefer, foreground, and CPJ staff technologist Tom Lowenthal spent several days finalizing and testing CPJ's SecureDrop instance in San Francisco. (Geoffrey King)
FPF engineer Conor Schaefer, foreground, and CPJ staff technologist Tom Lowenthal spent several days finalizing and testing CPJ’s SecureDrop instance in San Francisco. (Geoffrey King)

SecureDrop relies on the Tor network, which the National Security Agency (NSA) once called “The king of high-secure, low-latency anonymity.” Tor conceals the origin and contents of communication with CPJ’s SecureDrop server. The Tor Browser is a version of the free and open source Firefox Web browser developed by Mozilla, which the Tor Project has extensively modified to protect against a slew of possible ways that one’s anonymity could be compromised. Micah Lee, journalist and technologist at The Intercept and First Look, has written clear and detailed instructions about the best ways to stay safe when anonymously submitting materials via SecureDrop.

More technically-sophisticated sources wanting to contact CPJ may want to use the Tails live operating system, which uses Tor to anonymize all connections into and out of a computer. Tails leaves no traces, history, or logs, and provides a selection of state-of-the-art anonymity, privacy, security, and cryptography software for savvy users. British government surveillance agency Government Communication Headquarters (GCHQ) described Tails as “CNE [computer network exploitation] hell” for the no-traces features which make it much harder to attack and reliably take control of Tails — unlike most other operating systems, such as Windows, Mac OS X, or Linux distributions which aren’t specifically security-focused.

Once documents have been submitted to SecureDrop, they can’t be decrypted by any computer connected to the Internet — including the SecureDrop server. Even if the server were hacked, an attacker would not obtain access to the contents of submissions (they’re encrypted and the server doesn’t have the decryption key) or the identities of sources. Because the source accesses SecureDrop anonymously using Tor, the server — and CPJ — never know who a source is unless the source chooses to tell us. If they do, that information would be part of the submission: encrypted and inaccessible from the server.

When we receive submissions, CPJ’s staff uses Tails to securely download and copy the data to a separate disk, which is then physically moved over to the SecureDrop viewing station. This is an air-gapped computer — it has no network capabilities and is never connected to any networks (wired or wireless). Only the air-gapped viewing station has the decryption keys necessary to access submissions. Keeping it disconnected makes it much harder to attack; even if it were attacked, it would be very difficult to retrieve the keys or decrypted documents.

The goal of all this technical cloak-and-dagger is to protect the contents of submissions and the identities of sources from even a nation-state attacker like the U.S. or China, which have immense resources and capabilities. SecureDrop masks a source’s identity through technology, adding a layer of protection to journalists’ promises of anonymity. Unless a source chooses to reveal their identity, CPJ couldn’t unmask the source even if we tried.

CPJ’s San Francisco-based Technology Program worked with FPF to build and set up CPJ’s SecureDrop instance. Once the system was ready for launch, we physically transported it to CPJ’s New York headquarters.

We live in a world where ubiquitous government surveillance forces journalists to think and act like spies. Even comparatively free states like the U.S. and U.K. engage in mass surveillance, and many other states use technology to harm journalists and suppress journalism. In this environment, tools like SecureDrop will continue to be necessary for the effective practice of journalism without putting reporters or their sources at risk.

Already, CPJ’s deployment of SecureDrop has resulted in numerous submissions — from journalists who are under fire and require CPJ’s assistance to those informing us about attacks in their region. We expect it to be a core part of our Journalist Assistance and research workflow.