Comparing SecureDrop Community & Tor Community organizations


I did not know that. Where can I read more about it? I assumed Tor Project Inc ultimately decides over all things (website, projects, employees, finances, releases…). But if the situation is similar to the SecureDrop Community (i.e. there is a horizontal community with independent resources & projects over which FPF has no control), it would be very interesting to get inspiration.

Code of Conduct, creation and collaboration

Decision making is done by rough consensus; voting.txt has more details.

The people who have a voice in this process are Core Contributors, not just anyone in the wider Tor community. There’s a process for adding new Core Contributors, removing inactive ones, and banning toxic people. Core Contributors are totally separate from Tor Project Inc. More information is in membership.txt, but the key paragraph is:

This membership concept is distinct from whether people are employees or contractors for the non-profit organization “The Tor Project Inc”: Tor the non-profit organization is different from Tor Core Contributors. The Tor Project Inc and the Core Contributors support the same goals with an overlapping, but not necessarily identical, set of responsibilities.


@micahflee I’m extremely interested in continuing this discussion but this is slightly off-topic. Do you mind if I move this to a separate thread?

After reading the Tor documents I realize it is much more horizontal than I thought it was, thanks for that :slight_smile: The SecureDrop Community is horizontal in the sense that it does not have any restricted group such as the Core Contributors. Another difference is that decision making is mostly based on consensus, meaning that a single person can block the decision. But anyone can also call for a vote, which is an interesting mix.

It follows that enforcing the CoC ultimately relies on the dedication of people who are trusted by the other members, either because they volunteer as I did or are nominated. They can only rely on their own energy and support from other community members to resolve problems. That would most likely not be enough if the SecureDrop Community was unhealthy to begin with. But I think we are in a good place right now and I believe it will work as a mechanism to preserve what we have.


Sure! But I’ll go ahead and respond to your message here first.

I think any single person can block decisions in Tor as well? I’ve only been a Core Contributor for a short amount of time so I don’t have a lot of experience with it yet. But without some sort of membership, I’m not sure it’s possible to protect the consensus process from bad-faith people like trolls, or someone bringing in their friends to disrupt consensus and waste everyone’s time. Is it?

Of course in any case I think one step at a time is better. I’d rather have a good CoC in place first and see how that goes before deciding on something like membership.


Yes, this is definitely the risk we take.

Agreed. My hope (and I wish there were examples to follow) is that we will find ways to uphold the CoC and effectively keep the SecureDrop Community safe without adding an administrative layer like membership. It would make the community less horizontal.

Right now the SecureDrop Community has no structure and all members are on the same footing. Some members have control over centralized resources such as the domain name or the infrastructure: they are identified and belong to different organizations. The absence of structure makes the SecureDrop Community horizontal, but maybe there is a better word for it. Tor is horizontal because it has only a few organizational levels. What should we call a community that has no organizational level?

I believe preserving the absence of organizational levels has merits (with a few examples from my own experience):

  • Volunteers are empowered. I did not need to ask for permission to organize a SecureDrop booth at FOSDEM or to set up the localization infrastructure based on Weblate.
  • Divergence of opinions creates diversity instead of dissent. In my opinion simplifying SecureDrop is best served by providing a simpler, upgradable system and the Qube workstation comes second. FPF has a different opinion and the two projects co-exist.
  • The disagreement of a minority is not silenced. I’ve been a victim of rough consensus in another collective of sysadmins who wanted to use a Stack Overflow equivalent to assist voting IRL (and yes, it did not work and was a waste of energy). Allowing one person to block consensus is an effective mechanism against nonsense.
  • No personification of the project. As soon as there is an upper level in the organization, their members impersonate the project. I do not want to be less of a member of the SecureDrop Community because I do not belong to the higher spheres.
  • Transparency. There are no private lists or private meetings; all is in the open. There is one exception: the transcripts of investigative journalists’ interviews, for obvious privacy reasons.
  • Forkability. Eventually a group of community members will want to go their separate ways and they will not need to re-implement or re-invent a structure.