Towards SecureDrop decentralization

Bonjour,

We’ve never been equipped with better tools to enable multiple organizations or individuals to produce and distribute quality releases and cooperate together. And yet, there hardly are any Free Software project where this happens in a decentralized way. Think about the Linux kernel for instance: a well documented pyramidal and centralized distribution. Or even the Debian GNU/Linux distribution: it is a democracy, which is extremely rare, and has many other distributions derived from it. But Debian GNU/Linux is not derived from other distributions, it is the central point from which all other distributions are derived.

Even tools that are distributed by nature (such as git) reflect this centralized bias. Just think about the wealth of tools at the disposal of someone who wants to contribute to a central repository: pull requests supported by sophisticated web interfaces to review, rebase, visualize the differences etc. And compare that to the lack of tools to track forks, to harvest the diffs that are unique to the forks of a given repository, to find the stalled but potentially interesting contributions.

It is assumed that having a single organization to support and develop a Free Software project is the best (if not the only) way to go. When a new organization is created it is often because something went horribly wrong: LineageOS vs CyanogenMod, OwnCloud vs NextCloud etc. In the best case scenario they agree to cooperate under the umbrella of a foundation (OpenStack etc.) that becomes the next central point everybody is expected to turn to.

The advantages of having a centralized organization are well known: it is easier to get funding and development is faster when people work together, when they make the effort to set aside their differences and find a middle ground to move forward as one instead of going their separate ways. But there are also downsides: people who have ideas/projects for which no consensus can be found are excluded (LibreSignal etc.) and when the organization is discontinued the project is abandoned (OpenSolaris etc.).

Before 2017 SecureDrop was a Free Software project depending exclusively on the Freedom of the Press Foundation staff to keep going. Under the impulse of Conor Schaefer and Jennifer Helsby and with the support of everyone else at Freedom of the Press Foundation, development tools were put in place to enable external contributors. The daily standups and the weekly engineering meetings are now open to the public so we can understand the larger context in which the technical decisions are made. And this effort paid off: a year later the communication channels that were once silent are busy with dozens of volunteer contributors, conferences are spontaneously organized and the number of commits authored by community members grew by an order of magnitude.

I believe we (the SecureDrop community including both volunteers and paid staff) are ready to move to the next step and turn SecureDrop into a decentralized project supported by two organizations and hopefully more in the near future. To make it more resilient and also more welcoming to diverse ideas. It won’t be easy because we don’t have a good example to follow. But it is worth the effort because NGOs, journalists and sources who depend on SecureDrop deserve it. I also hope our work will help other Free Software projects find a way to break free from their own centralized model.

The first step toward decentralization is this declaration of intention and the discussion that will follow. I fully expect push back, ranging from a polite this may not be the best idea to a blunt this will be harmful to SecureDrop, don’t do that. And yes, based on how other projects did in the past, it sounds like an horrible idea. But we can do better. To make things a little more concrete, here is the new organization I have in mind.

The existing community of SecureDrop individual developers, localizers, the UX team etc. becomes a de-facto organization (i.e. not incorporated). It is organized horizontally, agrees on a set of goals and makes its own decisions, produces SecureDrop releases, provides support, controls its own communications channels and web site etc. And every participant further their own agenda, seeking consensus when it has an impact on others and resorting to vote when someone asks for it. My motivation is to see a community composed of a majority of unpaid volunteers, with some money to do their work but a fraction of what their accumulated hourly rate would be if they were paid staff. And I will work to keep maintaining a Free Software and self-hosted infrastructure because that’s my thing But that is just me and the organization will be the sum of all of us.

The difficult part is to ensure this new organization will not drift away from the Freedom of the Press Foundation and vice versa. But it’s a communication problem that can be addressed. I will alternate roles: acting as if I was a paid staff member of the Freedom of the Press Foundation; reaching out to the new organization and get the best of what it has to offer. And I will also act as a volunteer in the new organization; reaching out to the Freedom of the Press Foundation to do the same. There will be differences and divergences, there is no way to avoid it, nor should we. But there will also be a continuous efforts to understand these differences, find ways to resolve them when it makes sense or acknowledge they are part of a healthy diversity when they are legitimately unique to a given organization.

What do you think?

I am less concerned over the supposed deviation from the goals of the funder on part of SD.
They align very well now, to the point where undemocratic change for the worse would have to follow the money. I don’t think the Freedom of Press Foundation would use, nor actually want to hold that kind of power.

There could then be more funders, which now is easier to get, knowing the funded part has shown itself to work. There are however a multitude of multiple points of entry, building an even better structure of, rather than around, the currently unfunded part, may in time provide a revenue stream for itself too.

It seems unfeasible, and certainly unwarranted not to trust the development team, so in essence an esoteric team is secondary to being the most crucial component of basic function.
Consisting of individuals perhaps unable or unwilling to be developers, forking into a design-project is how some projects become two, each missing half of what makes for good functionality.

The further fortunate nature of SD is having Loïc to interface with for these things, meaning having a core of developers otherwise unburdened with it. If you will it creates developer time, but not in a directly fundable manner. The meritocracy of developers making decisions, taking away from the time they have available, is a way in which projects actually fail to incorporate good design-features. Outright, or by necessity. It would otherwise be an exercise in outpainting the attacking canvas, falling over from even the lightest touch of the brush.

So there is a secondary structure that works and is thriving, which could do with funding to make it more sustainable. A good name wouldn’t go awry either. Helps make the point and becomes a point of entry for funding. This funding doesn’t have to be central, ideally not, but until then any money is good money.

I think most funders want a little bit of a say, and look good doing it, and that the best ones could hope for nothing more than the funding not to turn into a crutch.

A really interesting discussion related to the Liberapay fundraiser clarified that such a decentralization is a new idea that needs to be explained. Maybe we should have a FAQ, here is a draft.

What do you think?

[disclaimer1: such a subject is already difficult to think/talk about in my native language. In english it can only be worse. ]

[disclaimer2: decentralization may recover different aspects; I hope we speak about the same. ]

I am a bit skeptical/interrogative about the way such a decentralized organization would react if some actors fails. By failure I mean something like collapsing, or justice seizure, or going alone by ignoring consensus in decisions.

I think many free software projects remain centralized because they have to act together to preserve some indivisible assets like e.g. a brand (formally deposed or not), an upstream distribution point, a community. Small projects may neglect those aspects because the gain to fork may be trivially better than the cost to rebuild these shared assets. Biggest projects often organize in some kind of foundation, allowing each stakeholder to control parts of projects decision. This usually “protect” the project from forking but may compromise it by taking it away from good radical decisions, or by drifting in power/political calculus done by some actors for soft domination.

Imho the good aspect of such foundations, is that they are thought for long term duration and include very early in their rules how the power will be distributed when people will not according (even if this come with bad aspects). In comparison, most “de facto decentralized” experiences I seen (into and out from free sotfware stuff) are usually bad in resolving long term conflicts. (By “de facto”, I mean “tacitly organized”, in opposition from “de jure”.) So they are very good in preserving individuals inspirations, but at some time they often finish with a breakout, leaving the power to the stronger – which is often the opposite of the original reason of their organization. Maybe I am wrong, but I guess this is because, trivially, there is no “superior authority” than can (with equanimity) proceed and/or force mitigations.

To give an example, when I read:

Q: How do you prevent each organization to rule its own kingdom and ignore the others?
A: When one organizations does something in the name of SecureDrop, it has an impact on all other organizations. Every organization is accountable for all the others. An organization must keep in touch with the others and understand what they do. If an organization fails to do that, it becomes unable to explain the project as a whole, to speak in its name, to support it.

I think the question is important and the answer a bit light. If e.g. FPF is changing very hard in a way that make angry all community. For what I understand, the community, even “decentralized”, will have no other solution that forking, if FPF control all SD upstream and is owner of the branded (popularized) domain.

So you may have to be in a situation where, even if community shows itself as decentralized when all is green, you may face to the worst of centralizations aspects when the community will face to a deep conflict. In my opinion, this is not very better from community point of view than having some “benevolent dictator for life” aside with a community which takes care of maintaining the best project’s forkability as its best freedom insurance.

So, to conclude,

• it is unclear for me if “de facto decentralization” aside with some precious centralized stuff (domain name, upstream distribution point) may address properly the problem of having a failure of people/orgs which control some major indivisible ressource of the project;
• in my understanding, decentralization would mean that each organization have (maybe under the same brand, maybe protected by a charter), under its control, its own domain, its own upstream repo, and its own branding.

Then, imho, the big challenge (that I have never seen resolved), is in getting such a multi-stakeholder distribution of (usually centered) “entry points”.

I think many free software projects remain centralized because they have to act together to preserve some indivisible assets like e.g. a brand (formally deposed or not), an upstream distribution point, a community.

I agree that decentralization cannot happen when there is even a single indivisible asset. A domain name is such an asset and the fact that securedrop.club is controlled by multiple independent people does not make a difference: it points to a single IP. Or it could point to multiple IP but that would be massively confusing

most “de facto decentralized” experiences I seen (into and out from free sotfware stuff) are usually bad in resolving long term conflicts. (By “de facto”, I mean “tacitly organized”, in opposition from “de jure”.)

I believe rules must be established from the start because more often than not implicit means the strong rule over the weak. This is the motivation behind the rules on how funds are spent.

For what I understand, the community, even “decentralized”, will have no other solution that forking, if FPF control all SD upstream and is owner of the branded (popularized) domain.

Yes. This is the reason why I conclude that we can’t have a decentralized SecureDrop organization.

So you may have to be in a situation where, even if community shows itself as decentralized when all is green, you may face to the worst of centralizations aspects when the community will face to a deep conflict.

We are in uncharted territory and my hunch is that there may be a critical mass where this is unlikely to happen. Maybe if there are about ten organizations (twenty? more?) that have an equal influence on all aspects of the project. To my knowledge there is no Free Software project where this ever happened. A lot of them brag about their strong community but when you take a closer look you often see a single organization dominates the project.