At Freedom of the Press Foundation, we’re excited to announce the release of a brand new version of SecureDrop, our open source whistleblower system which media organizations can use to communicate with sources and receive documents from them.
Version 0.3 has been over a year in the making, and is the result of extensive feedback from both news organizations who already have SecureDrop—like the New Yorker and The Intercept—and from a security audit done by iSec Partners. In addition, we have a new website for SecureDrop, SecureDrop.org, which will serve as a hub for all the news organizations that have installed their own instances, and where you can find all the information you need to use it yourself.
We adhere to a policy of getting a security audit of each new version of SecureDrop. This is our third audit (Hi Lawfare!), and you can read our detailed explanation of the security and usability changes we made here, as well as the full audit here. We’ve made so many changes to this version that we’ve asked iSec to put us through another audit on the new components. We’ll post the results of the fourth audit as soon as we can.
Version 0.3 has a redesigned interface that is hopefully easier to navigate for sources and journalists (check out the visual comparison below). The installation process has been simplified and those trying to install it will hopefully run into fewer problems. While the installation process still has a long way to go so that anyone—regardless of technical skills—can install it, the process is night and day different from when Bruce Schneier and a team of University of Washington researchers spent thirty hours attempting to do so on the original version of SecureDrop before Freedom of the Press Foundation took the project over.
There are new security features as well. Every version of SecureDrop will now be installed with grsecurity, a well-respected operating system enhancement that attempts to prevent zero-day exploit attacks, and we’ll be able to automatically send security updates to all SecureDrop instances with the push of a button.
In a few days, we’ll also be launching a bug bounty program with the help of BugCrowd. If you’re a security researcher, you’ll be able to set up your own instance of SecureDrop and pentest it.
The Toronto Globe and Mail and Gawker Media have launched the new version of SecureDrop in the last couple weeks, bringing the total number of news organizations using it to at least seventeen. We hope by the end of the year we can help even more.
SecureDrop was originally coded by Aaron Swartz, in one of the last projects he worked on before he tragically passed away. After his death, Freedom of the Press Foundation adopted the project and we’ve spent the past year and a half making significant upgrades to both the security and usability of it.
Special thanks to the SecureDrop team past and present who made this possible: James Dolan, Garrett Robinson, Kevin Gallagher, Runa Sandvik, and the many open-source contributors who volunteered their time and are too numerous to name here.
Our goal over the next year is to continue to improve SecureDrop for both sources and journalists, and spread it as far and wide as possible.