The limitations of SecureDrop and Tor for whistleblowers

The use of security software for the purpose of maintaining privacy boils down to physical safety. If you decide to take on the responsibility of educating someone about security software, you have an ethical obligation to provide a holistic understanding of the technology while being willfully transparent about your goals.

The Rule: You cannot let anyone’s idealism, including your own, fill in the gaps of what is not known about security software.

Privacy leaders, including organizations that employ or advocate the use of SecureDrop and Tor, must understand that any security technology that they choose to employ will be part of many delicate systems, including (in order):

  1. The user’s actual risks from external actors
  2. The user’s real life decisions concerning what, when, why, and how
  3. The user’s entire software environment
  4. What the software is capable of
  5. What the user wants

If you do not talk about these things in a targeted and meaningful way, you are violating The Rule. Tor, the protocol, is a means of probabilistically disassociating unavoidable network metadata generation from the user. SecureDrop, the environment, compartmentalizes information (cryptographically) and components (physically) to minimize metadata creation and to avoid vulnerabilities inherent in networking. 1, 2, 3, and especially 5 do not change what the respective security software is capable of. If you host SecureDrop and you choose not to inform the users about the security software that you want them to use, you are violating The Rule.

The following is one way that your organization could assist users with their secure document submission planning.


SecureDrop security and privacy advantages

1. Our SecureDrop system is under the physical control of our organization.

2. Connecting to our SecureDrop server is end-to-end encrypted because it is a “Tor hidden service,” a website that is only accessible through the Tor network. Information submitted through SecureDrop is cryptographically authenticated and private.

3. SecureDrop requires the use of encryption keys to maintain the confidentiality and integrity of the information that we receive. We keep our SecureDrop encryption keys on air-gapped computers that never connect to the Internet or our corporate network. Even if our SecureDrop server gets hacked or the physical hardware gets confiscated, the files and messages previously submitted should still be shielded from the attacker.

4. Using the Tor network helps mask your activity from anyone that is monitoring your Internet connection, and it helps mask your identity from anyone monitoring our Internet connection.

5. SecureDrop does not log connections, and your IP address or physical location is not disclosed to our organization because of SecureDrop’s dependency on Tor. Even if a government agency tried to compel our organization to provide logs, we could not do so.

6. It is very difficult or impossible for passive surveillance techniques to determine that you are interacting with SecureDrop. The use of a Tor hidden service prevents network traffic from ever leaving the Tor network thereby supporting anonymity and complicating any broad surveillance of entire networks.

7. Tor Browser is a portable application, so you do not need to install any software to access SecureDrop.

8. SecureDrop is free and open source software that is available to the public. Freedom of the Press Foundation hires an independent auditing company and publicly publishes the results.

9. Tor, the network protocol, and Tor Browser, the Internet browsing application, are both free and open source software that is available to the public. Tor Project uses Coverity and Veracode bug scanning software.

SecureDrop security and privacy warnings

1. If you believe that you or your computer system is under active, targeted surveillance, do not risk your personal safety by sending our organization sensitive material.

2. Presume that computer systems legally or physically owned by anybody but you are compromised and under active surveillance. Most corporate and government owned systems monitor and log activity. If they do not monitor or log activity, they still have legal rights to the hardware, software, and data on the device. Use a personally owned computer system that you trust.

3. An already-compromised computer, for example one running keystroke logging, activity logging, or screen-grabbing spyware, will likely defeat the privacy protections that SecureDrop and Tor provide. If you are at all suspicious of malware of any kind, use Tails Linux instead (see additional details below). Using SecureDrop presumes that your computer system is safe to be doing sensitive work from.

4. By default, Tor Browser does not save website history or website cookies. This data is ordinarily not recoverable after you close Tor Browser and fully shut down your computer. However, all mainstream operating systems betray their users’ expectations by saving browsing activity information in various ways. It is your responsibility to accept the risk that your computer may be physically confiscated and analyzed. Disk encryption can help mitigate this risk. Tor Browser is designed for privacy, but it does not mitigate the risk of local metadata generation, since the operating system that it runs in is not designed for privacy.

5. Passive network monitoring and data retention are practices performed by all Internet Service Providers (ISPs). They deliver Internet to your home, your office, and every coffee shop that offers Wi-Fi. ISPs document all kinds of specific metadata, including the facts that someone is using Internet service and when, and that someone is generating Tor traffic and when. Places that offer Wi-Fi often have connection requirements such as accepting a Terms of Service. That process typically means the network records hardware identifiers that belong to your computer. Taking advantage of the Tor anonymity network allows you to distance what you are doing from the metadata generation inherent in Internet surfing. Tor Browser may help you mitigate certain data linkability risks, but it does not evade the risks entirely.

6. When using Tor, it is unlikely that passive network monitoring can determine the destination of your Internet use, including connecting to our organization’s SecureDrop server. Access SecureDrop from a public location that you do not regularly visit to help make unavoidable metadata collection by intermediaries or possible attackers less useful for identifying or targeting you.

7. Our organization’s website (presumably) employs mandatory HTTPS to protect all of our website visitors. Using standard web browsers such as Firefox or Chrome to access any of our web pages creates network metadata showing that you are visiting our domain, not this page specifically (presuming we’re NOT using a uniquely identifiable sub-domain). However, advanced network monitoring software can analyze the metadata of encrypted traffic to determine exactly which pages you are reading. Be conscious of who might use this information against you, and choose your Internet access carefully.

8. Using Tor guarantees that SecureDrop does not know who you are or where you are unless you explicitly share identifying information with us. If you are thinking about releasing information to us and doing so would put you in harm’s way, do not share personal details with our organization unless it is critical information pertinent to the disclosure.

Security problems that our technology cannot help with

1. If you plan on checking back for SecureDrop messages that are only accessible with your private codename, be sure to keep your codename private. Treat your codename like you would a bank password. Ideally, keep your codename on an encrypted USB drive that is only accessible by you.

2. If you expect a response from our organization via SecureDrop, do not email, call, or contact us via social media.

3. Do not share, with anyone, that you are sharing material with our organization unless you are advised by explicit legal representation.

4. Before utilizing public Internet access to leak information, consider your data’s linkability, your own risk profile, and your personal goals. Plan carefully. You may want to avoid using electronic payment systems including credit cards, debit cards, reward cards, or mass transit payment cards in proximity to the location where you make the disclosures. You may want to avoid using automobiles that are susceptible to license plate readers or have internal GPS or cellular tracking mechanisms. Leave your cellular devices behind at home. Pay with cash and be nice to everyone you meet, but of course, try to avoid interaction as much as possible.

Tails Linux

While not every person’s risk profile may warrant its use, Tails is a free and open source operating system that you burn to a DVD or install onto a USB drive. Tails runs directly from that DVD or USB drive, meaning it does not get installed onto any of your computer’s internal disk drives. Tails is developed exclusively for privacy-minded individuals and forces all Internet connections over Tor. Using Tails to connect to our organization’s SecureDrop server resolves several problems that Tor Browser alone cannot, including:

1. Tails evades most forms of client-side surveillance software and malware. When you start Tails, it does not use or change your computer’s existing operating system, applications, or data. Tails loads into your computer’s temporary memory and allows you to access the Internet over Tor with a Firefox-like browser called Iceweasel. However, if there is a hardware surveillance system installed, or the system has been compromised at a deeper level than the operating system, Tails may not provide any privacy benefits.

2. Tails does not save any data to local disk storage, so all activity performed during its use is lost forever once you shut down the computer. Remember that Tails still creates network metadata when connecting to and using the Internet but with one exception: the hardware ID that wireless access points save is randomly generated and automatically shared when using Tails, not the real hardware ID for your computer.
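The hardware ID that access points record is the network interface’s MAC address. One general indicator that an address was generated in software rather than burned into the hardware is the IEEE “locally administered” (U/L) bit in the first octet. The Python below is an added example written for this article, not code from the article, from Tails, or from SecureDrop: it parses addresses in the common written forms, rejects malformed input, and classifies a constructed sample list. Whether a particular randomizer sets the U/L bit depends on the tool (some keep the vendor prefix so the address looks ordinary), so this is a check on address format, not a statement about how Tails itself picks its addresses.

```python
import re

# Constructed sample: addresses as a Wi-Fi access point might log them.
# These are made up for this example and do not belong to real devices.
SAMPLE_MACS = [
    "00:1a:2b:3c:4d:5e",   # globally unique (U/L bit clear)
    "02:00:5e:10:00:01",   # locally administered (U/L bit set)
    "6C-40-08-AA-BB-CC",   # hyphenated form, U/L bit clear
    "a6b3.c1d2.e3f4",      # Cisco dotted form, U/L bit set
    "01:00:5e:00:00:fb",   # multicast, not a station address at all
    "not-a-mac",           # malformed, should be rejected
]


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet is the I/G (individual/group) bit."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L (universal/local) bit."""
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    """Return one of: invalid, multicast, locally-administered, globally-unique."""
    try:
        first = parse_mac(mac)[0]
    except ValueError:
        return "invalid"
    if first & 0x01:
        return "multicast"
    if first & 0x02:
        return "locally-administered"
    return "globally-unique"


def classify_all(macs):
    """Classify every address in an iterable; keys keep the caller's spelling."""
    return {m: classify(m) for m in macs}


if __name__ == "__main__":
    for mac, kind in classify_all(SAMPLE_MACS).items():
        print(f"{mac:20} {kind}")
```

The same bit test works on any logged address, whatever separator the logging system used, which is why the parser normalizes before checking.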

For more information about Tails Linux, including installation documentation and good practices, please visit https://tails.boum.org/.


Article feedback:

yawnbox AT riseup DOT net, GPG key

Article license:

CC0

To the extent possible under law, the person who associated CC0 with The limitations of SecureDrop and Tor for whistleblowers has waived all copyright and related or neighboring rights to The limitations of SecureDrop and Tor for whistleblowers. This work is published from: United States.