Thoughts on a Shared SecureDrop Setup

I am researching a solution for secure communications that can be shared among a number of small, independent journalists. In the initial instance the journalists will be within a reasonably small geographic area, so data may be transferred by taking a USB on a short car drive.

By pooling resources the journalists may establish a more professional setup than any could afford as individuals/small organisations. The shared setup would include enterprise-grade hardware, a business-grade internet connection, access to the full range of technical skills, solid physical security, and strong network security.

Has SecureDrop been used in a shared scenario such as this? Is it appropriate for such a scenario? Are there any pitfalls? And what are the additional risks or considerations of this mode of operation?

Hi @kimpy!

Currently, for a given SecureDrop instance, there is no feature that restricts which journalists can view which submissions. In other words, on each SecureDrop instance, all journalists (or admins) have access to all submissions, can reply to any source, and all submissions are encrypted using the same key.

We do have a ticket on our long-term roadmap to help make multi-org or multi-user SecureDrop instances: Enable multiple organizations to share one SecureDrop · Issue #2841 · freedomofpress/securedrop · GitHub

While it is certainly possible to use SecureDrop using this shared setup, it depends on the level of trust between journalists from both a source protection and a journalistic process perspective (since each journalist will be able to view all submissions).

> data may be transferred by taking a USB on a short car drive.

Only the initial setup would require physical co-presence. During the initial setup, you could distribute the Journalist and Secure Viewing Station (SVS) keys to all journalists. Afterwards, the entire retrieval/decryption/viewing flow could be achieved in a distributed fashion: each journalist would have their own Journalist stick (used to retrieve submissions) and their own SVS stick (used to decrypt and view submissions).

> enterprise-grade hardware

SecureDrop is designed to be run on cheap(ish) off-the-shelf hardware, which we document here. Using enterprise-grade hardware will introduce further complexity and risks (as these often come with management interfaces that must be properly configured or disabled).

Hey mickael,

Thanks for such a detailed response…

It seems to me that the ideal solution would allow multiple-organisations-per-installation, and multiple-journalists-per-organisation. Sounds like a lot of work though.

The trust argument is a very important one: will they coordinate between each other responsibly? How’s the relation with the admins? Depending on the region, it might be worthwhile to check for existing installations, users or admins. Collaboration can as well be limited to the exchange of tips, pitfalls, sharing cake, coffee and upgrading all the Tails sticks together. Usually the number of journalists is higher than the number of experienced admins, but it’s relatively easy to maintain several as a single admin (or a couple of admins).