ACLU of Washington’s SecureDrop Risk Analysis

Not everyone is Edward Snowden and needs to go to extraordinary lengths to anonymously provide documents. However, if the Snowden revelations have shown us anything, it is that we face an extraordinary amount of surveillance with all forms of communication technologies. It is important to consider this in light of your own risk assessment when using the ACLU of Washington’s SecureDrop server.

The Electronic Frontier Foundation publishes a free “Surveillance Self-Defense” guide that we encourage you to explore. Specifically, “An Introduction to Threat Modeling” is a helpful thought process for anybody thinking about becoming a whistleblower.

This page is intended to provide a more detailed explanation of the values and benefits of SecureDrop as opposed to other methods of communication you might use to interact with us. In addition, we want to clearly outline certain limitations and risks that we believe are important to assessing when and how to use this service. Please consider using Tor from a public location prior to accessing any third-party resources that we reference on this page.

SecureDrop security and privacy advantages

  1. Our SecureDrop server is under the physical control of the ACLU of Washington.
     
  2. Connecting to our SecureDrop server is end-to-end encrypted because it is a “Tor hidden service,” a website that is only accessible through the Tor network. Information submitted through SecureDrop is cryptographically authenticated and private.
     
  3. SecureDrop requires the use of encryption keys to maintain the confidentiality and integrity of the information that we receive. The ACLU of Washington legal team keeps our SecureDrop encryption keys on air-gapped computers that never connect to the Internet or our corporate network. Even if our SecureDrop server gets hacked or the physical hardware gets confiscated, the files and messages previously submitted should still be shielded from the attacker.
     
  4. Using the Tor network helps mask your activity from anyone that is monitoring your Internet connection and it helps mask your identity from anyone monitoring our Internet connection.
     
  5. SecureDrop does not log connections, and your IP address or physical location is not disclosed to the ACLU of Washington because of SecureDrop’s dependency on Tor. Even if a government agency tried to compel the ACLU of Washington to provide logs, we could not do so.
     
  6. It is very difficult or impossible for passive surveillance techniques to determine that you are interacting with SecureDrop. The use of a Tor hidden service prevents network traffic from ever leaving the Tor network thereby supporting anonymity and complicating any broad surveillance of entire networks.
     
  7. Tor Browser is a portable application, so you do not need to install any software to access SecureDrop.
     
  8. SecureDrop is free and open source software that is available to the public. Freedom of the Press Foundation hires an independent auditing company and publicly publishes the results.
     
  9. Tor, the network protocol, and Tor Browser, the Internet browsing application, are both free and open source software that is available to the public. Tor Project uses Coverity and Veracode bug scanning software.

SecureDrop security and privacy warnings

  1. If you believe that you or your computer is under active, targeted surveillance, do not risk your safety by sending the ACLU of Washington sensitive material.
     
  2. Presume that computer systems legally or physically owned by anybody but you are compromised and under active surveillance. Most corporate and government owned systems monitor and log activity. Please use a personally owned computer that you trust.
     
  3. A personal computer that is already compromised, for example by keystroke logging, activity logging, or screen-grabbing spyware, will likely defeat the privacy protections that SecureDrop and Tor provide. If you are at all suspicious of malware of any kind, use Tails Linux instead (see additional details below). Using SecureDrop presumes that your computer is a safe system to be doing sensitive work from.
     
  4. By default, Tor Browser does not save website history or website cookies. This data is ordinarily not recoverable after you close Tor Browser and fully shut down your computer. However, all mainstream operating systems betray their users’ expectations by saving browsing activity information in various ways. It is your responsibility to accept the risk that your computer may be physically confiscated and analyzed. Disk encryption can help mitigate this risk. Tor Browser is designed for privacy, but it does not mitigate the risk of local metadata generation since the operating system that it runs in is not designed for privacy.
     
  5. Passive network monitoring and data retention are practices performed by all Internet Service Providers (ISPs). They deliver Internet to your home, office, and every coffee shop that offers Wi-Fi. ISPs document all kinds of specific metadata, including the facts that someone is using Internet service and when, and that someone is generating Tor traffic and when. Places that offer Wi-Fi often have connection requirements like accepting a Terms of Service. This process means that hardware identifiers belonging to your computer will be recorded. Taking advantage of the Tor anonymity network allows you to distance what you are doing from the metadata generation inherent in connecting to the Internet and browsing. Tor Browser may help you mitigate certain data linkability risks, but it does not evade the risks entirely.
     
  6. When using Tor, it is unlikely that passive network monitoring can determine the destination of your Internet use, including connecting to the ACLU of Washington SecureDrop server. Please access SecureDrop from a public location that you do not regularly visit to help make unavoidable metadata collection by intermediaries or possible attackers less useful for identifying or targeting you.
     
  7. The ACLU of Washington’s website employs mandatory HTTPS to protect all of our website visitors. Using standard web browsers such as Firefox or Chrome to access any of our web pages creates network metadata that you are visiting our domain, not this page specifically. However, data retention and advanced network analysis of even encrypted traffic can determine exactly which pages you are reading. Be conscious of who might use this information against you, and choose your Internet access carefully. Use Tor whenever possible.
     
  8. Using Tor guarantees that our SecureDrop server does not know who you are or where you are unless you explicitly share that information with the ACLU of Washington.
     
    • If you are a whistleblower, do not share personal details with the ACLU of Washington unless it is critical information pertinent to the disclosure.
       
    • If you are an existing client of the ACLU of Washington, it may be expected that your identity is known and shared within our organization.

No method for protecting your security is without limitation. We’ve made this very high level chart to help in identifying particular threats and privacy protections that some of these technologies provide:

|   | Firefox or Chrome (your OS) | Tor Browser (your OS) | Iceweasel on Tails Linux |
|---|---|---|---|
| Can I access SecureDrop with...? | No | Yes | Yes |
| Is my network traffic better protected from monitoring? | No | Yes | Yes |
| If my computer gets taken from me later, can anyone see my activity history? | No | It Depends | Yes |
| Am I better protected from spyware installed on my computer’s operating system? | No | No | Yes |
| Am I better protected from hardware key loggers or other spy sensors? | No | No | No |
| Am I better protected from viruses, trojans, or other malware on my computer’s operating system? | No | No | It Depends |
| Am I better protected from malicious software installed in my computer’s BIOS, EFI, CPU, or other system firmware? | No | No | No |
| Can a global spy network identify me or my connection to SecureDrop? | No | It Depends | It Depends |
| Can these help me obtain documents to leak? | No | No | No |

For additional operational security considerations relating to SecureDrop use, please review Micah Lee’s “How To Leak To The Intercept” at theintercept.com.

Security problems that our technology cannot help with

  1. If you plan on checking back for SecureDrop messages that are only accessible with your private codename, be sure to keep your codename private. Treat your codename like you would a bank password. Ideally, keep your codename on an encrypted USB drive that is only accessible by you.
     
  2. If you expect a response from the ACLU of Washington’s legal team via SecureDrop, do not email, call, or contact us via social media.
     
  3. Do not share, with anyone, that you are sharing material with the ACLU of Washington unless you are advised by explicit legal representation.
     
  4. Before utilizing public Internet access to leak information, consider your data’s linkability, your risk profile, and your goals in providing information to the ACLU of Washington using SecureDrop. Plan carefully, as SecureDrop can only limit generation of metadata as you interact with our server, but cannot prevent your other interactions in the world from being logged and analyzed. You may want to avoid using electronic payment systems including credit cards, debit cards, reward cards, or mass transit payment cards in proximity to the location where you make the disclosures. You may want to avoid using automobiles that are susceptible to license plate readers or have internal GPS or cellular tracking mechanisms. Leave your cellular devices behind at home. Bring cash and be nice to everyone you meet, but of course, try to avoid interaction as much as possible.

About Tails Linux

While not every person's risk profile may warrant its use, Tails is a free and open source operating system that you burn to a DVD or install onto a USB drive. Tails runs directly from that DVD or USB drive, meaning it does not change anything about your computer. Tails is developed exclusively for privacy-minded individuals and forces all Internet connections over Tor. Using Tails to connect to our organization's SecureDrop server resolves several problems that Tor Browser alone cannot, including:

  1. Tails evades most forms of client-side surveillance software and malware. When you boot up Tails, it does not initiate the operating system that you regularly have installed. Tails loads into RAM and allows you to access the Internet over Tor with a Firefox-like browser called Iceweasel.
     
  2. Tails does not save any data to local disk storage, so all activity performed during its use is lost forever once you shut down the computer. Remember that Tails still creates network metadata when connecting to and using the Internet but with one exception: the hardware ID that wireless access points save is randomly generated and automatically shared when using Tails, not the real hardware ID for your computer.

For more information about Tails Linux, including installation documentation and good practices, please visit https://tails.boum.org/.

Creative Commons License

The resources on this page are licensed under the Creative Commons Attribution-ShareAlike 4.0 license.  As such, you may use the contents on this page provided you provide proper attribution and make your version available under this same Creative Commons license. You may find the entire text of the license here: https://creativecommons.org/licenses/by-sa/4.0/. The materials on this page were created using Micah Lee’s “How To Leak To The Intercept” from theintercept.com as a resource.
