SecureDrop simplification (take 2)

1

Bonjour,

A few month ago I proposed an idea to simplify SecureDrop. In the last two months I came to realize there should be two kind of SecureDrop users. Those that are threatened by nation state actors and the others. Maybe SecureDrop should propose a simpler workflow to users (sources and journalists) when the sources think they are not targeted by nation state actors.

In the many discussions I had about this idea, the most frequent remark was: but… what if the sources thinks they are not targeted by nation state actors and they are wrong? It would go like this, for instance:

  • Julie is an employee of the intelligence agency of her country and ex-filtrated classified documents
  • She sends an encrypted e-mail from her personal computer at home
  • She has a discussion over Signal with the journalist a few days later, on her personal mobile phone
  • The journalist recommended to Julie that she uploads the documents using the SecureDrop instance of the news organization
  • Julie sends the documents using SecureDrop

Or, in a country where the intelligence agency monitors every communications channels (mobile and Internet):

  • Julie is a resident in the country and works for an ONG
  • She meets with a source in a public place
  • She is given documents that prove human rights are being violated by a government agency
  • She sends an encrypted e-mail to a news organization established outside of the country
  • The journalist recommended to Julie that she uploads the documents using the SecureDrop instance of the news organization
  • Julie sends the documents using SecureDrop

In both cases, because Julie is not aware she is targeted by nation state actors, she left a trail of metadata that will incriminate her. If she is actively monitored, there also is a good chance she is detained before the story can even be published. In our digital world, it is extremely unlikely that you will not leave such a trail… unless you are actively wiping it. SecureDrop will not be enough to protect sources who think they are not targeted by nation state actors, they will leave a metadata trail before and after using SecureDrop.

Assuming this is a sound reasoning (which I’m not, please contradict me if you disagree ;-), it would make sense to couple SecureDrop as we know it with a less secure system that better matches the threat model of people who think they are not targeted by nation state actors. The source would choose:

  • Yes, I’m targeted by nation state actors, please activate the maximum security you can provide. I went to great length to wipe metadata while exfiltrating documents and communicate with journalists, I don’t want your leak platform to be the reason why my anonymity is compromised or my documents intercepted before the story can be published. You are my last line of defense, please do you best. This is what SecureDrop currently is.
  • No, the nation state is not after me, please let me send you documents in an encrypted way and get back to me as soon as you can. I expect your news organization to have a sound security hygiene and use strong encryption for files and all phone and mail communications. But I don’t think you need to worry about our intelligence agency actively trying to work against us. This is what the simpler SecureDrop could provide.

An example of software that could be used to implement the simpler version of SecureDrop is nextcloud with an open registration to upload files or a combination of well tested, well supported off-the-shelf Free Software solutions. As a software developer I know how difficult it is to create a software that can be widely used and perceived as user friendly. This is why I don’t think it would make sense to have a dedicated code base for the simpler use case: bundling and configuring existing software should be good enough.

  • When nation state actors are involved, we need a dedicated, minimal, hand made solution: This is what SecureDrop currently is.
  • When nation state actors are not involved, we are better off bundling widely used components: This is what the the simpler SecureDrop could provide.

What do you think?

2

I never yet used SecureDrop rigorously as would do a source or a journalist, but for what I understand, most of the difficult/complex part is on the journalist side.

So if I am not wrong it could be possible to have a unique source front-end with an option “I am not targeted by nation state actors” ; depending on the option choosed by the source, the journalist could use (or not) some simpler way to get access to the decrypted docs.

1 Like
3

There is no Nextcloud app to anonymously upload a document. It could be developped with a mixture of the registration app to implicitly create an account with an account name based on a diceware phrase.

Here is a fictitious workflow to illustrate what I have in mind:

  • The home page shows the the SecureDrop home page and states that it is not hardened. The source clicks Submit Documents:
    d
    d.png1914×792 106 KB
  • The source is presented with the upload form and the codename
    f
    f.png1638×1252 106 KB
  • When the source submits, the account is created, the user logged in, the file uploaded and a notification is sent to the users in the group want-to-be-notified-when-something-is-uploaded.
    c
    c.png2466×379 29.1 KB
  • At a later time the source comes back and clicks on Check for a response instead of Submit Documents on the home page and is presented with a login screen that only asks for the user name (i.e. the codename)
    g
    g.png910×591 61.5 KB
  • The source can chat using the comments associated with the document.
    b
    b.png1989×1140 145 KB
4

Actuallly… there is :slight_smile: You can share a folder and mark it as a drop point. The URL then shows an upload form and that’s it.

5

The long and short of it is Journalists use many different methods of sharings things.
Many of which are not ideal.
Regular e-mail: 0-25 MB
Sharing service A B and C: Anything bigger
Sneakernet: Bulk footage

Adding a great security but slightly cumbersome way to do it is just obligatory xkcd.

Having this one easier way, but still sufficiently secure, could do away with all of that, in a way that is easy to teach everyone.

Nextcloud currently does encrypted files, though I am not sure of the details.

6

It is good to encrypt files at rest. This is stable, well tested, user friendly. E2E encryption where the clients encrypt and the server does not has been released this year and will hopefully stabilize by 2019. Ideally it will be good enough to become the default.