SecureDrop

Subreption’s SecureDrop
Welcome
This is the landing page for our SecureDrop instance. Please do read through its contents prior to submitting or attempting to submit any content to us. We will not engage submissions over any other method of contact. Your safety ultimately is only up to you.
Neither Subreption nor this page offer legal advice. Please engage patiently in your own research.
What is SecureDrop?
SecureDrop is an anonymity tool typically used by organizations, journalists and whistleblowers, to facilitate reasonably safe anonymous submission of documents and information. It leverages well tested technologies (including the Tor Project) to preserve the privacy of sources and the materials exchanged inside the installation.
As a source, you can use our SecureDrop installation to anonymously submit documents to our organization. Our staff use SecureDrop to receive source materials and securely communicate with anonymous contacts.
What should I know before submitting material through SecureDrop?
To protect your anonymity when using SecureDrop, it is essential that you do not use a network or device that can easily be traced back to your real identity. Instead, use public wifi networks and devices you control.
- Do NOT access SecureDrop on your employer’s network.
- Do NOT access SecureDrop using your employer’s hardware.
- Do NOT access SecureDrop on your home network.
- DO access SecureDrop on a network not associated with you, like the wifi at a library or cafe.
Got it. How can I submit files and messages through SecureDrop?
Once you are connected to a public network at a cafe or library, download and install the desktop version of Tor Browser (https://www.torproject.org/download/).
Launch Tor Browser. Visit our organization’s unique SecureDrop URL at
Please do not browse the above link unless using the aforementioned Tor Browser or Tails OS.
Follow the instructions you find on our source page to send us materials and messages.
When you make your first submission, you will receive a unique codename. Memorize it. If you write it down, be sure to destroy the copy as soon as you’ve committed it to memory. Use your codename to sign back in to our source page, check for responses from our staff, and upload additional materials.
As a source, what else should I know?
No tool can absolutely guarantee your security or anonymity.
The best way to protect your privacy and anonymity as a source is to adhere to best practices.
You can use a separate computer you’ve designated specifically to handle the submission process.
Or, you can use an alternate operating system like Tails, which boots from a USB stick and erases your activity at the end of every session.
A file contains valuable metadata (https://ssd.eff.org/en/module/why-metadata-matters) about its source — when it was created and downloaded, what machine was involved, the machine’s owner, etc.
You can scrub metadata from some files prior to submission using the Metadata Anonymization Toolkit featured in Tails.
Your online behavior can be extremely revealing. Regularly monitoring our publication’s social media or website can potentially flag you as a source. Take great care to think about what your online behavior might reveal, and consider using Tor Browser to mitigate such monitoring.
Our organization retains strict access control over our SecureDrop project. A select team of researchers in our organization will have access to SecureDrop submissions. No public mention or disclosure of any submission will be considered without your consent. We control the servers that store your submissions, so no third party has direct access to the metadata or content of what you send us.
Do not discuss leaking or whistleblowing, even with trusted contacts.
Do not use your mobile phone or “tablet” devices to store documents or files, or to engage in conversations referring to this SecureDrop instance. Although all devices are vulnerable to forensic analysis, smartphones and tablet devices are especially vulnerable for several reasons, including but not limited to the closed nature of their internals, their propensity to be carried in an active state, and the existence of dedicated tools for forensic extraction with and without knowledge of lock codes and other credentials. These tools will readily obtain data, including deleted messages and media, regardless of the use of encryption. As a rule of thumb, consider all information on your smartphone as readily available for extraction without your cooperation.
What are you interested in?
We are interested in anything related to our areas of expertise and work in information security, details about any intellectual property violations affecting our products, services and offerings, and any information related to any sort of scheme or attempt to undermine the safety of Subreption’s staff, its contributors, clients and projects, and its business operations.
In specific cases, rewards will be considered for any information that is verifiable. If the information pertains to schemes or attempts to threaten Subreption, its staff or business operations, and if the source is involved or has been involved in such schemes, we will honor our commitment to recognize the source’s good faith in disclosing them to us and assist in reducing the source’s legal liability whenever possible.
Privacy policy
Collection of Information From Sources
- We don’t ask or require you to provide any personally identifying information when you submit materials through SecureDrop.
- The system does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser.
- The server will only store the date and time of the newest message sent from each source. Once you send a new message, the time and date of your previous message is automatically deleted.
- We decrypt and read each message offline. We delete messages from the server on a regular basis.
- Please keep in mind that the actual messages you send and receive through SecureDrop may include personally identifying information. For this reason, once you read our message, we recommend you delete it.
Also please note that when you submit certain types of files through SecureDrop, you may be sending us metadata associated with that file.
For example, if you submit a photo through SecureDrop in JPEG format, the file may include information about the date, time, and the GPS location of where it was taken, and the type of device used to take the photo. Similarly, if you submit a Word file (.doc or .docx) through SecureDrop, it may include the identity of the document’s author, the author’s operating system, GPS data about the author’s location, and the date and time when the document was created.
Our policy is to scrub metadata from the files we receive through SecureDrop. If you don’t want to send us metadata, please use the Metadata Anonymization Toolkit to scrub the file before you submit it.
Data Security
Subreption works diligently to protect the identities of our sources and keep the information they give us confidential.
We take extra precautions in securing access to the information: it is better to lose the information than lose a source.
The SecureDrop servers for this installation are under the physical control of Subreption and do not share common elements with Subreption’s other infrastructure.
However, no one can truly guarantee 100% security of any system. Like all software, SecureDrop may contain bugs. Ultimately, you use Subreption’s SecureDrop service at your own risk.