Kushal Das

FOSS and life. Kushal Das talks here.


How to leak information securely?

There are times when one may have access to the information which can be very important for the world to know. But, sharing any such information safely to journalists is always a risky task. In the modern era of Internet communications, it is, on one hand, very easy to share documents over Internet, and on the other hand, easy for the government/private organizations to track the source using just the metadata. For example, we know that GPG can encrypt our emails properly and no one can read the content, but one can easily figure out when someone mailed a journalist or vice-versa. Often, that information is enough to deanonymize a source.

SecureDrop is a free software project from Freedom of the Press Foundation which helps journalists and whistleblowers by providing an platform to share information anonymously. Read the end of the blog post to find out links to the different news organizations and SecureDrop. You may want to visit the URLs only using Tor browser (explained below). Even if you are just visiting the sites, your network admin can monitor which sites you are visiting, and the same goes for your home ISP (Internet Service Provider).

In this blog post I am going to talk about a few points to keep in mind while thinking/searching or actually leaking the information when using SecureDrop.

  • DO NOT SEARCH OR VIEW anything on your WORK NETWORK This is the most important point to start with. Make sure you are not researching or viewing any website which you want to contact in future while you are on your office network. This also means you are not supposed to use any of the office provided devices. Always use personal devices.

  • Make sure that the documents you want to share does not have anything which can identify you directly. For example if it has your employee code or any such unique number/name written on it.

  • Go to a public wifi place (for example, a coffee shop), and use that network. Once again, please do not use work or home network.

  • Use Tor Browser Download Tor Browser at your home computer and only use that to do any kind of research. Tor browser is a web browser pre-configured with Tor network so that it can make you anonymous. Tor Browser by default uses duckduckgo.com as the search engine. Duckduckgo do not keep track of what are you searching.

  • Download Tails OS, this can be installed on a USB drive. Remember that using Tails is harder than just using Tor browser in your daily computer. So, you will have to go through a few steps to install and use Tails. Tails uses the Tor network for all traffic by default. Use this on a personal laptop, and visit any public network space (for example coffee shop or shopping mall) and use their free wifi to upload the real documents. Now, we do maintain a directory listing of all the SecureDrop instances. Open this URL using Tor browser. The .onion addresses given in the site can only be opened using the Tor browser.

As I mentioned at the beginning of the post, SecureDrop is a free software which is developed by an active community, the source code is hosted at github. The primary application is written in Flask, and various other Python modules. Feel free to look at the issues, and contribute to the project as you wish.