Per country legal context / jurisdiction


Deploying SecureDrop in the US legal system has received a lot of attention and the documentation was written with that in mind. For instance, hosting the server in the newsroom is an advice that may not apply in all countries.

I’m trying to assert what the situation is in France and it would be great to hear what experience people have in other countries.

My first steps will be to talk to lawyers and activists. Reading the laws that were changed last November regarding the protection of the sources is interesting but figuring out how things will change is tricky. There is virtually no jurisprudence yet.


The status of news media and journalists are in many legal systems defined as special.

In Norway the Section 125 of the Criminal Procedure give journalists and media companies a special role, and the right in many circumstances to refuse to give up information or answer questions related to sources.

So keeping the servers within the full control of the news organization seems as a wise choice also here. It also gives the option to stall in order to put in place the necessary legal counter measures from legal departement / outside council.

In 2015 we had a significant case of the Police Security Service (PST) seizing the video recordings of a documentary film maker in order to try to use it as evidence in a case against islamists recruiting people to go to Syria for terrorism.
The case went all the way to the Supreme Court of Norway where the PST where finally refused to keep and use the seized material due to the risk of revealing sources.

In the case the Article 10 of the European Convention was central, and might be relevant for many European countries. The Norwegian Supreme court stated that the European Court of Human Rights “sets up broad protection for unpublished material that may reveal unidentified sources.”

A good summary of the legal facts in the case and the references to European Convention and similar cases at the European Court of Human Rights can be found here:

1 Like

This is good to know :slight_smile:

In France the state has extended legal / technical means to listen to communications, both in residential areas & by listening to sub-marine cables. I’m curious if you had to evaluate that kind of surveillance (i.e. run by the state) when deciding where to host the SecureDrop servers in Norway ?

There is a proposed new system giving intelligence services access to listen in on sub-marine cables, but it has not passed the Norwegian parliament yet. So it is not up and running, but might be something we would have to deal with. Already a lot of the internet traffic in and out of Norway, and even some domestic traffic, passes Sweden where the FRA do such monitoring.

Though there already exist a system to monitor the connections of systems with special status as critical infrastructure. Our public broadcasting company (similar to the BBC) participates in that cooperation sharing data from such network monitoring of our network with the government. In part of that system we have chosen to host the SecureDrop servers outside the normal network.

1 Like