Summary: SecureDrop AMA

Thank you to all who participated in the recent Ask Me Anything with the SecureDrop team! The discussion covered diverse questions about who uses and can use SecureDrop, the tool's technical features and its localization needs. Below you will find some key resources and questions as well as an abridged transcript of the discussion.

Want to see more AMAs with Localization Lab supported projects? Let us know who you would like to see an AMA for or if you are a project that would like to host one.


SecureDrop Attendees:

@redshiftzero: Lead Developer
@dachary: Contributor, admin for Weblate.SecureDrop.club
@fpoulain: Contributor, sysadmin for SecureDrop.club


Key SecureDrop Resources

General:
SecureDrop Website: With a project overview, project news and links to documentation for sources, journalists and admins.
SecureDrop Community Portal: The one-stop shop for SecureDrop contributors to code, localization and more.
Official SecureDrop Directory: Here you will find some of the organizations currently using SecureDrop.

Localization:
Getting Started with Weblate Translations
SecureDrop Weblate (SecureDrop hosts its own Weblate instance)
SecureDrop Localization Timeline and Priorities

Contact SecureDrop:
SecureDrop Forum: Engage with SecureDrop team members and contributors on discussions ranging from UX to hardware to translation.
Gitter


AMA Highlights

Below are selected, paraphrased questions from the AMA. A manicured version of all of the AMA questions is available in the following section and the full unabridged conversation is available on our Mattermost channel.

Note: Freedom of the Press Foundation and SecureDrop do not do marketing or outreach. If you know of organizations that would benefit from using SecureDrop, spread the word and direct them to the SecureDrop resources listed above. SecureDrop is currently localized and can be used by organizations in Arabic, Chinese (Traditional), Dutch, French, German, Hindi, Italian, Norwegian (Bokmål), Portuguese (Brazil) and Turkish.

General

Who would benefit from using SecureDrop?

Any organization that needs to receive data securely and/or anonymously from individuals could benefit from running a SecureDrop instance. This can include media organizations, human rights organizations, environmental protection groups, government agencies and more. Greenpeace is an example of a non-media organization using SecureDrop.

What are the technical skills required to use SecureDrop and run a SecureDrop instance?

Using SecureDrop as a source or a journalist does not require special technical skills. To administer a SecureDrop instance, however, you need to be comfortable with basic Linux administration.

Can I demo SecureDrop?

You can demo the web applications that journalists and sources use at: http://demo.securedrop.club/

This Canadian Globe & Mail walkthrough is also a great way to see how SecureDrop is used by sources and journalists to communicate and share data.


How much does it cost to set up your own SecureDrop instance? Is there support for freelancers and organizations who don't have the resources to run their own instance?

In terms of financial costs, you need about 1,500 USD in hardware to set up a SecureDrop instance. You can save costs by reusing or refurbishing older hardware.

Depending on location, there is support for individuals and organizations that cannot run their own SecureDrop instances. If you are in the United States, Freedom of the Press Foundation is a non-profit that you can ask for support. There are also some volunteers in Europe who can help. For example, @dachary supports a few French investigative journalists who do not have the resources for professional support.

Use the contact information above for more information.

If the Tor network is blocked in a certain region, how would people send information using SecureDrop?

In such a case, to access SecureDrop, a whistleblower can use GetTor to obtain the Tor Browser and a bridge to circumvent censorship in their region. An organization that is trying to reach sources in such regions should include language to this effect on the page of its website that explains how to use SecureDrop (we call this the "SecureDrop landing page"). Example: The Intercept.

Localization

What are the current localization priorities for the SecureDrop team? And what is the localization timeline?

Translation priorities are kept up-to-date on the SecureDrop forum along with the localization timeline and deadlines.

19 new strings were just released on April 23rd and will be available for comment and feedback leading up to a May 1st string freeze. Translation and review deadline for SecureDrop v. 0.7 is May 7th.

Current priorities for the upcoming translation & review deadline include: 

New String Updates & Review: Italian, Portuguese (Brazil), Spanish, Chinese (Traditional), French, Arabic, Norwegian Bokmål, German, Hindi, Dutch & Turkish
Full Review: Finnish, Russian, Romanian & Swedish
Translation & Review: Polish & Vietnamese

The team is also looking for Kurdish Kurmanji resources to consult on translation of SecureDrop into Kurmanji. If you or anyone you know is a native Kurmanji speaker or works with Kurmanji speaking organizations, please get in touch!

As a localizer, can I demo my translations in context?

The SecureDrop internationalization demo is frequently updated with the latest strings and translations. There you can review translations in context and then update them as necessary in Weblate.

Who are some of the organizations currently using localized versions of SecureDrop?


Abridged and Remixed (or “Untangled”) AMA Transcript

Below is an abridged version of the SecureDrop AMA with casual comments and content unrelated to questions removed for ease of reading. Questions are in bold and have been matched up with related responses which are in italics. You can access the full unabridged transcript on the Localization Lab Mattermost channel.

erinm: We have one question from twitter: "How can freelancers, without institutional support of a big media company, install secure-drop or ensure they have a similar facility for whistle-blowers to contact them securely? Independents with specific beats could really use this functionality but don't have the resources."

dachary: It really depends on which country you live in. If you're in the USA, Freedom of the Press Foundation would be the non-profit to go to and ask for help.
If you're in Europe, there are a few volunteers who can help. I actively support a few French investigative journalists who do not have the means to pay for professional support.

redshiftzero: Yeah right now in terms of financial costs you need to spend about 1.5k in hardware but reusing older hardware can help. for journalists that are not technically oriented finding a volunteer admin (someone like @dachary ;)) is usually the most common way to get a securedrop up and running for a single journalist.

dachary: I was also able to provide hardware (because 1.5k is a lot of money for a journalist). Hackers are good at refurbishing used hardware that cost very little.

dkaurin: How easy is SecureDrop to use? What level of technical skill would one need? I actually haven’t seen a demo, Idt.

redshiftzero: As a journalist it is relatively easy to use and does not require special technical skill, but to administer the securedrop instance you do need to find someone who is comfortable doing basic linux administration.
A technically skilled journalist can also act as an administrator (we have people doing this in a few cases) but most commonly they are separate roles.

And there is a demo of the web application that journalists use at: http://demo.securedrop.club/ if you use the credentials on the page after clicking on "journalist interface."

dachary: From a localizer point of view, SecureDrop is super easy: there only are ~250 strings to translate. And in addition to what @redshiftzero points to, http://source.i18n.securedrop.club/ is a demo dedicated to localizers, with frequent updates with the latest strings.

redshiftzero: by the way:

provides a high level view of the flow for sources / journalists.

dkaurin: And with that actually—are there other use cases for SecureDrop? For human rights organizations, for example.

redshiftzero: Any organization that has a need to get data from anonymous people might benefit from a securedrop instance.

erinm: So the tool can really apply to more than just "traditional" media organizations.

dkaurin: Awesome—I think that would be useful for folks to know. Do you have any examples of use within HROs yet?

dachary: Some human rights organizations need a very high level of security and SecureDrop. Most of them need to get out of Dropbox / Google Drive and self-host with something like Nextcloud.

redshiftzero: We do have some organizations that aren't news orgs - e.g. greenpeace - using securedrop, but i'm not sure of any in the HRO context off the top of my head.

D: Do the instances hosted by the people get administered by the Securedrop team or by them?

redshiftzero: @D: instances are administered by the news organization or non-profit itself (usually by their IT staff)

D: Does SecureDrop support the new v3 of Tor?

redshiftzero: @D: so for background v3 onion services are Tor's latest version of onion services which provide server anonymity (the changes in v3 are described in brief https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services) - we are not supporting v3 of Tor onion services yet, but we plan to migrate the source interfaces over (tracking here: https://github.com/freedomofpress/securedrop/issues/2951)

One more note on the onion service question: one challenge we have for migrating the journalist and SSH interfaces away from v2 onion services is that we make heavy use of a feature of v2 onion services that provides client auth (HidServAuth) which makes it such that only users that have a special cookie can even connect - that is not yet in v3 onion services but hopefully will be soon.

erinm: On that note, do you have more examples of organizations, media or otherwise, currently using SecureDrop? And do you know of any using localized versions in particular?

kwadronaut: There's French and Dutch at https://apache.be/securedrop/ however, it can be improved a lot (i.e. showing the right content depending on the Accept-Language header).

erinm: Have any organizations asked for localization support for a language not currently available?

redshiftzero: Hmm, there is at least one organization that started installing securedrop before their primary language was available - they have not announced yet so i can't share their name yet unfortunately.

erinm: No need to share the organization name, but if possible, interested in hearing the language that is in need so that we can prioritize finding individuals to support it.

redshiftzero: The language is arabic!

dachary: I heard of one news organization who was interested in having a SecureDrop in Arabic.

Now that @d finished reviewing Hindi... I'm hopeful an organization will use SecureDrop in India.

It has been suggested that the landing page content suggestions are translated so news organizations like The Intercept do not have their landing page in English only.

It would also be great to have investigative journalists provide SecureDrop in Arabic so the good work from @r and others is put to good use. There is a tricky chicken and egg problem: should the installation come first or the translation?

D: How do you check the authenticity of the files or data people send? Have you ever had instances where the info wasn't real?

dachary: We are developers and we do not actually handle any documents. But journalists do and that's challenging indeed.

redshiftzero: People do send false information through securedrop - but @dachary is correct - we leave it up to news organizations to verify the authenticity of the documents. they can use document metadata, cross-checking with other sources ("does it sound reasonable that...") to validate what they are getting is accurate.

dkaurin: How would a potential whistleblower know whether or not a media org has SecureDrop?

redshiftzero: Potential whistleblowers ideally will find out an organization has securedrop through the news organization itself - this might be through the physical newspaper (some include the securedrop address on the front page or in ads in the news paper) or from the news organizations website, e.g. https://theintercept.com/ has a "Become a source" link in their sidebar.

dkaurin: And the SecureDrop directory? Is that up to date? Do you know of everyone who uses SecureDrop, or can orgs download and use independently?

redshiftzero: We have a bit of a backlog in terms of getting people into the official directory at https://securedrop.org/directory - the reason being there is a validation process where we make sure that the landing page does not have unsafe trackers, etc. and that the securedrop was installed following the official recommendations.

Organizations can download and use securedrop without needing to talk to the securedrop team

D: Since some governments use DPI and block Tor network, how would people send info from that region?

redshiftzero: In such a case, to access securedrop, a whistleblower can use gettor to get the tor browser (https://www.torproject.org/projects/gettor) and a bridge to circumvent censorship in their region. an organization that is trying to contact sources from such regions should include language to this effect on the page on their website that explains how to use securedrop (we call this the "securedrop landing page" - here's an example: https://theintercept.com/source/)

erinm: Do you do any outreach to organizations who would benefit from using SecureDrop? How do organizations find out about you?

redshiftzero: I know of another organization that had a billboard with their source interface onion address outside a certain US government agency to solicit leaks, heh

Right now freedom of the press foundation is no longer doing outreach to organizations we think could benefit from securedrop, so most organizations are finding out from other organizations that use securedrop - i.e. they see the tips page of another news org and think "oh we should have that too"

We [freedom of the press foundation] used to do outreach to news organizations to try to get them to install it back when the use of a whistleblowing platform was more uncommon, but in the past few years many major news organizations have started using them (e.g. the new york times, the washington post, etc.) so we no longer need to do so

S: I have a friend who is Bosnian. Can anyone explain which link I could send to him?

dachary: The localization guide has everything.

Ideally this friend would also know an investigative journalist willing to use SecureDrop. We can help them get started.

dachary: having SecureDrop translated in a given language is great. But it also needs to be used in order to be sustainable. I can imagine it is frustrating to translate and wait months for the work to be displayed to the public.

erinm: I think there are quite a few organizations that would be interested in using SecureDrop in Arabic. The key is outreach. Going back to @redshiftzero 's response about outreach, it is too bad that there is no active outreach/marketing effort. This is a key aspect of post-localization life of a tool. We should brainstorm some ideas for outreach for at least the currently available locales.

C: An idea about the post-localization life of a tool is to ask the organizations that use SecureDrop to release a note or an article about SecureDrop, saying additionally that anyone can use it.

erinm: I wonder if incentive can be given to orgs already supporting SecureDrop to volunteer resources to small media orgs or freelancers?

D: Like providing the Yubico keys?

dachary: https://www.nitrokey.com/ is my personal favorite replacement of Yubikey

C: Even if it is not sustainable to localize in languages that have no user, in some cases that might still be a good option when it is a language largely spoken, such as arabic.

erinm: +1 I was just about to say the same. What I would recommend is reaching out to potential users and collaborators in parallel to gauge interest and get feedback and start to build a network to support the tool for that language/region.

erinm: Like @C mentions, for Arabic, Spanish, French etc. and other large language groups this is less essential because of the sheer number of speakers and potential users, but for small language groups, minority languages etc, this will be quite important.

D: It would be great if the organizations can display the securedrop in the landing page where people can see it, which has all the instructions to be followed

dachary: I think the major blocker for most journalists is that they do not understand most of the security concepts and practices that it requires. The Freedom of the Press Foundation trainings, as well as other similar programs all around the world gradually help them to better understand Tor, 2FA and other aspects of infosec. It will take a long time but we'll get there.

dkaurin: My next question, as a whistleblower, would be how exactly does it work? How does it keep me anonymous? Would the person receiving the doc know my identity, and wouldn’t they eventually have to confirm my identity?

Redshiftzero: As a source, you are anonymous because you are using the tor anonymity network - so a network observer cannot determine you are using securedrop, and the journalists at the news organization cannot determine your identity. that said, in your messages to journalists you can choose to reveal your identity if you trust the organization.

dachary: In addition to what @redshiftzero said sometime the source anonymity is compromised for [reasons unrelated to SecureDrop or the journalist](https://forum.securedrop.club/t/journalist-assessment-of-a-source-at-risk/557)

d: I'm not sure journalists in India are aware of these kinds of tools. Any thoughts @D?

D: I heard some chatter about it a few months back. It is mostly kept under wraps and also I don't know if anyone from India hosts a securedrop instance.

dachary: Journalists covering Aadhaar would be good people to talk to.

D: The case going on in Supreme Court

After the "Elliot Anderson" revelations more people started to see the problems in Aadhaar.

dachary: What do you miss most, as a SecureDrop localizer? How can we (developers) make your life better?

d: what do you miss most, as a SecureDrop localizer? -> Hope more users use localized version of securedrop. Developer can't spread awareness about it but securedrop org can do.

D: Have you ever faced security breaches on securedrop or on the instances hosted by the organizations?

redshiftzero: So far we are not aware of any securedrop instances being hacked, though there have been a few vulnerabilities and proof of concept attacks like this one https://securedrop.org/news/security-advisory-do-not-scan-qr-codes-submitted-through-securedrop-connected-devices (note: we wrote a document asking security researchers not to attack production instances after this event - we do welcome security research and have a bounty at https://bugcrowd.com/freedomofpress for anyone that is interested)

D: Do you have support for the U2F, if yes what are the products you recommend?

Redshiftzero: We currently support only HOTP and TOTP for two factor auth (for HOTP we recommend and test Yubikeys but we don't strictly require their use)

erinm: A comment from Twitter: Would be a very interesting @Squarespace integration

dachary: I'm not sure what the question means.

erinm: I think the individual is suggesting they would like a way to integrate SecureDrop with a SquareSpace site.

dachary: Since it is advertisement based, it pretty much defeats the idea of anonymity I'm afraid

D: Does securedrop host any trainings or webinars for organizations, specifically to tackle the problems in deploying a securedrop instance?

Redshiftzero: freedom of the press foundation does offer trainings for administrators (you can request help here: https://securedrop.org/help) and you can also ask any questions you have as you are deploying securedrop at https://forum.securedrop.club/c/support

erinm: What are your highest localization priorities right now, and why?

dachary: We have priorities and deadlines listed at https://forum.securedrop.club/t/about-the-translations-category/16

Review: Arabic, Finnish, Romanian, Russian, Swedish are the priority one items, with a focus on Arabic but @r already did most of the work.

I would very much like to see Kurdish Kurmanji : it is my mission in life

erinm: And are these priorities based on an identified need? Or just on the progress of translation?

dachary: just progress.

D: Have you ever faced problems, since you work on securedrop, from any authorities or organizations who know about your work?

dachary: I feel very safe working on SecureDrop as a developer. No pressure, very relaxed and friendly community. And the authorities did not manifest themselves at my home or during my travels.

Redshiftzero: Nope, no issues so far! i think some might see securedrop as a controversial tool, but really it is just preserving what has existed in news organizations for a long time - the anonymous tip line - in the presence of the mass surveillance that now exists in many countries.

D: Difference between "OnionShare" "Securedrop" "GlobalLeaks"?

Redshiftzero: Onionshare provides synchronous file sharing, e.g. the source would need to be online at the same time as a journalist to transfer - still useful but slightly different use case (though i hear the feature set might be increasing in coming releases...). in terms of globaleaks, my understanding is that securedrop is more targeted at news organizations specifically, and we also make an assumption that the adversary has very sophisticated technical capabilities so we do a lot of hardening for all securedrop instances (e.g. all securedrops install a hardened kernel) to mitigate those threats

erinm: If people have follow-up questions, what is the best way for them to communicate with you?

Redshiftzero: If others have questions or suggestions, they can feel free to drop into our regular chat at https://gitter.im/freedomofpress/securedrop or our forum at https://forum.securedrop.club/

erinm: And, are there any closing remarks or things that you would like the Localization Lab community to know?

redshiftzero: Just a huge thanks for all the excellent contributions so far!