New Yorker launches new leak submission system, written by Aaron Swartz

The New Yorker today launched ‘Strongbox,’ a whistleblower submission system designed to allow anonymous leakers to digitally transmit important information to journalists.

"The underlying code, called 'Dead-Drop,' is an open-source project and was written by the Internet pioneer and legendary coder Aaron Swartz, before he tragically died in January," writes Trevor Timm at a Freedom of the Press Foundation blog post. "You can read the underlying code here and the details for how it works and the background, written by the project's manager Kevin Poulsen, here."

Strongbox makes use of the anonymizing Tor network.

From the introductory blog post by Amy Davidson:

Strongbox is a simple thing in its conception: in one sense, it’s just an extension of the mailing address we printed in small type on the inside cover of the first issue of the magazine, in 1925, later joined by a phone number (in 1928—it was BRyant 6300) and e-mail address (in 1998). Readers and sources have long sent documents to the magazine and its reporters, from letters of complaint to classified papers. (Joshua Rothman has written about that history and the magazine’s record of investigative journalism.) But, over the years, it’s also become easier to trace the senders, even when they don’t want to be found. Strongbox addresses that; as it’s set up, even we won’t be able to figure out where files sent to us come from. If anyone asks us, we won’t be able to tell them.
The project was many months in the making, but launches at an interesting time: just days after the Associated Press revealed the Justice Department had secretly acquired some 60 days of call records for 20 different AP phone lines, in a leak investigation involving the outing of a CIA agent in Saudi Arabia.

Projects like this need deep security scrutiny from the security community. Now that it's launched, of course, that can happen more easily; the open-source nature of the project could help facilitate robust review.

This won't be the first time that a news organization has launched a Wikileaks-style leak transmission system—Al-Jazeera and the WSJ encountered big problems when they launched similar projects two years ago, and their usefulness is dubious. Hopefully Strongbox won't suffer the same fate.

Again, Trevor Timm at Freedom of the Press Foundation (disclosure: I'm a board member):

Leaks have never been more critical to democracy, given that government secrecy is at an all-time high. Countless times over the past decade—from NSA warrantless wiretapping and CIA secret prisons, to secret drone strikes and unprecedented cyberattacks—leaks have exposed corruption, wrongdoing, and illegality in government when the flow of information has been stifled through other channels. In fact, virtually every unconstitutional action by the government over the last decade was initially uncovered by a leak to the press.

Yet when WikiLeaks was operating a submission system three years ago and published secret government information in the public interest, they were attacked by government officials, pundits, and sometimes even journalists. This, despite the fact that their actions were protected by the First Amendment, just like when the New York Times or Washington Post receives classified information from a government source in the physical world.

Hopefully this project will remind people that these types of WikiLeaks-like submission systems should proliferate, not wither away.

A New Yorker graphic maps out how Strongbox is designed to work: "Multiple computers, thumb drives, encryption, and Tor are all involved."

(via Trevor Timm)


  1. I have no doubt that Strongbox is very secure.  The problem is usability.  I suspect that, for most sources, Julia Angwin’s suggestion that the source should just mail a burner phone to the reporter, programmed with the number of the source’s own burner, would probably be a better secure solution.

    Overall, I believe the problem is operational security (e.g. see my Wired opinion piece) not technology tools.

    1. And then there’s the security of the source. Bob can only secure Bob’s computer, not Alice’s.

      They’ve clearly thought it through, but I hope that by erase they mean a method effective against remanence, such as Gutmann and Plumb’s algorithm for simulating degaussing.

      1. Bah, on contemporary magnetic media, a single pass of zeros is sufficient; no one can recover the overwritten data. I don’t know where things stand with solid state media but if there’s a solution at all I doubt it requires such algorithms.

          1. Very, but a better question would be “what is the basis for your claim?” I’ve read discussions of secure erasure for many years and it comes down to 1) there being no evidence of overwritten data ever being recovered and 2) as magnetic storage density has increased, the recovery techniques Gutmann hypothesized have become even more implausible.

            Because I’m not an engineer in that field, if I had the U.S. government as an adversary, I *might* use a single pass of pseudorandom data.

            Here’s one reference:

    2. For that matter the source could just mail an encrypted thumb drive to the reporter, thereby bypassing any known weaknesses in Tor and any unknown weaknesses in Strongbox.

      The hard part (for the source) is making sure the data contains nothing that could be traced back to the source; this applies whether the source uses a thumb drive or Strongbox.


        “While Tor does provide protection against traffic analysis, it cannot prevent traffic confirmation (also called end-to-end correlation)”

        I think it’s possible that a well-resourced actor could insert a large enough number of nodes into the network to enable sufficient end-to-end monitoring. Alternatively, such an organization could search for all active nodes and either compromise or set up monitoring at the nodes. If they control or watch your entry and exit nodes, well, who cares what happens in the middle? If I were in charge of such an operation, I’d most certainly make it a priority to compromise the New Yorker Strongbox. Now that I think about it, even a poorly-resourced actor with a strong brain could get the job done. Write a virus to zombify Tor nodes, send it out and own as many boxes as you want for free.

        Using tor wrong can lead to problems. I think the smart thing to do would be to use it once in a public location and never go back – library, best buy, apple store… and while using it for your drop, don’t check your email, facebook or post on your blog, etc. — I think those are the kinds of activities that break the effectiveness of the system.

        Maybe I’m wrong.

        1. I certainly think that the approach you outline in your final paragraph will help – but what the New Yorker has built is a *distributed* drop box. And Tor, to date, has withstood attacks from such well-resourced adversaries as China, Iran, and Syria. Undoubtedly, the US could attack it as you describe: but you will have to think – would you rather put your trust in Tor, trusted by people whose lives depend on it all over the world, or some “other” mechanism?

  2. Why are the contents of the laptop erased after every use?

    If it’s already gone through the TOR network and encrypted, the source is already hidden. At that point, no one other than the New Yorker can read the files, and no one at all can figure out the source (presumably, but if these two assumptions are false then the whole thing fails).

    So now the New Yorker editor has the files on this secure laptop. If the files are important, he’s going to want to write a story about them. And if he writes a story about them, he’s going to need to back it up with the files.

    So the erasure deletes any unimportant files, which I guess is good, but it’s not clear what happens to files that are important. Clearly they’re not just going to get erased when the laptop is closed for the day. Are they archived somewhere and are accessible by subpoena?  Are they accessible to anyone who asks once the story is written, the way WikiLeaks files are?

    This looks good, but they need to be clearer about what happens to the files at the end.

  3. The second laptop is probably erased to prevent a scenario like this:
    1) interested agency drops some sort of malware in the drop box
    2) malware infects laptop that will be used for decryption
    3) malware mails decryption keys to interested agency
    4) interested agency can now decrypt future messages intercepted by various means.

    A freshly wiped laptop would be an attempt to ensure that the keys are never exposed to a compromised machine. It’s not to keep anyone else from reading the decrypted files; it’s to keep new files intercepted before they get to the decryption phase encrypted.

    Still, I agree that the last step should be fleshed out more.
