• Lab
  • AndroidForMobile Foundation at
    Just showing our work isn’t enough
    ABOUT                    SUBSCRIBE
    Jan. 27, 2017, 10:39 a.m.
    Reporting & Production

    How easy is it to securely leak information to some of America’s top news organizations? This easy

    One quick download and a codename: If I can use SecureDrop, you can do it too.

    The Trump administration, in its first full week in office, moved to , including the media. And while at least some of those restrictions , the new administration’s stance on the press is quite clear. chief White House strategist and Steve Bannon said Thursday, adding that the press should “keep its mouth shut” for a while.

    The week’s events and the new climate of uncertainty spurred a number of news organizations to remind readers that they are ready and willing to accept leaks, via regular mail and also online with secure tools like , the encrypted anonymous communication software maintained by the Freedom of the Press Foundation.

    I wanted to see just how easy it actually was to use SecureDrop, which I’d never done before. I enlisted ProPublica’s help: I told them I’d be sending them a document (a single-page PDF with “This is a test” on it), and asked them to confirm that they received it. This is not what you do if you are actually leaking something and want to remain anonymous, duh, but I was interested to see what things look like on the other side. The for sources to use SecureDrop are on the SecureDrop website, but essentially, this is what I did — and what you need to do.

    1. Download the Tor browser . Install it just as you would install any app on your computer.

    2. Open Tor. It’s like using any Internet browser. I was mainly surprised by how slow it is — but that’s a feature, not a bug: “Tor is never going to be blazing fast. Your traffic is bouncing through volunteers’ computers in various parts of the world, and some bottlenecks and network latency will always be present,” Tor .

    3. Paste the SecureDrop address of the news organization you want to reach (all of these are listed below, ending in .onion) in Tor’s address bar. You’ll see the option to send a document or check the status of one you’ve already sent.

    4. You’ll be given a secret codename, which will serve as your login for SecureDrop. Write it down on paper. “The best way to protect your codename is to memorize it,” SecureDrop advises. “If you cannot memorize it right away, we recommend writing it down and keeping it in a safe place at first, and gradually working to memorize it over time. Once you have memorized it, you should destroy the written copy.”

    5. Select the file that you want to upload from your computer, or type a message.

    6. You can check back for replies to your message by redirecting the Tor browser to the news org’s SecureDrop address and then typing in the secret codename that you wrote down.

    ProPublica’s confirmed that ProPublica had received my test. Here’s what it looked like on their end — note that ProPublica saw me only as a codename: “surprising prominence.”

    I logged back in, using the seven-word codename I’d been assigned in step 4, and saw my response from ProPublica.

    That’s it. It was way easier than I thought it would be. Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or for public use.” And, of course, just using Tor and SecureDrop isn’t a perfect solution for security: If you were doing this from one of your employer’s computers, it might be able to notice that the Tor network was accessed, even if it couldn’t see the contents of whatever you sent. Use as much caution and good sense as you can about distancing yourself from equipment and network locations you might be connected to.

    You may also want to watch , from Canada’s Globe and Mail, for a visual representation of the above steps.

    What follows is a list of news organizations and how to leak to them. The official SecureDrop directory is , and recommends that you “compare the .onion address provided on the organization’s Landing Page to the corresponding entry in this list, and verify that the addresses match before continuing. This provides a strong layer of defense against certain types of attacks that might try to trick you into visiting a malicious SecureDrop instance masquerading as a legitimate one.”

    The Guardian also notes: “We recommend that you to the SecureDrop site when uploading, especially on business networks that may be monitored. Best practice would be to make a note of the Tor url and upload your content from a different machine at a later time.”


    Leaks landing page [for regular browser]:
    Address in Tor: pubdrop4dw6rk3aq.onion
    Mailing address: ProPublica, 155 Avenue of the Americas, 13th floor, New York, NY 10013-1507

    The New York Times

    Leaks landing page:
    Address in Tor: nytimes2tsqtnxek.onion
    Mailing address: Tips, The New York Times, 620 8th Avenue, New York, NY 10018
    WhatsApp and Signal: 1-646-951-4771
    Email: [email protected], PGP Fingerprint: 44B6 6121 3CE6 66D6 5403 B4CC 44A3 475A E1AA A9EB

    The Washington Post

    Leaks landing page: . See also ““
    Address in Tor: vbmwh445kf3fs2v4.onion
    Mailing address: The Washington Post, 1301 K Street NW, Washington DC 20071


    Leaks landing page:
    Address in Tor: 6cws3rcwn7aom44r.onion
    Mailing address: BuzzFeed News NY, c/o Mark Schoofs, Investigations & Projects Editor, 111 East 18th Street, BuzzFeed Newsroom, New York, NY 10003
    Signal: 1-646-379-1975
    Email: [email protected], PGP fingerprint: B077 0E9F B742 ED17 B4EF 0CED 72A9 85C4 6203 F09C

    Gizmodo Media Group

    Leaks landing page:
    Address in Tor: gmg7jl25ony5g7ws.onion
    Mailing address: Special Projects Desk, Gizmodo Media Group, 2 West 17th Street, Floor 2, New York, NY 10011
    Phone, WhatsApp, Signal: 1-917-999-6143

    The Associated Press

    Leaks landing page:
    Address in Tor: 3expgpdnrrzezf7r.onion
    Mailing address: The Associated Press, c/o Ted Bridis, investigations editor, 1100 13th Street NW, Suite 500, Washington, DC 20005
    Phone, WhatsApp, Signal: 1-202-556-1927

    The Guardian

    Leaks landing page:
    Address in Tor: 33y6fjyhs3phzfjj.onion
    Mailing address: The Guardian (US Main office), 222 Broadway, 22nd and 23rd Floors, New York, NY 10038

    The New Yorker

    Leaks landing page:
    Address in Tor: strngbxhwyuu37a3.onion
    Mailing address: The New Yorker, 1 World Trade Center, New York, NY 10007

    The Intercept

    Leaks landing page:
    Address in Tor: y6xjgkgwj47us5ca.onion
    Mailing address: The Intercept, P.O. Box 65679, Washington, DC 20035 or The Intercept, 114 Fifth Avenue, 18th floor, New York, NY 10011


    Leaks landing page:
    Address in Tor: cxoqh6bd23xa6yiz.onion

    The Globe and Mail

    Leaks landing page:
    Address in Tor: n572ltkg4nld3bsz.onion

    POSTED     Jan. 27, 2017, 10:39 a.m.
    SEE MORE ON Reporting & Production
    Join the 50,000 who get the freshest future-of-journalism news in our daily email.
    Just showing our work isn’t enough
    “There’s very little current demand for the majority of reproducible code from newsroom leadership or the general audience.”
    Let’s talk about power (yours)
    “If we don’t use it in ways that give people quality news, useful information and power, people will find a way around us.”
    Newsrooms take the comments sections back from platforms
    “Local news organizations should become a driving force for better online public discourse, because Facebook and Twitter aren’t cutting it.”