Variable user interface depending on the threat model and the server setup


After reading / hearing various people who have years of experience operating or using whistleblower platforms, it looks like the user interface varies a lot depending on the threat model and how the receiving side of the tips / documents was set up.

  1. paper
  2. encrypted voice conversation (Signal, etc.)
  3. encrypted email
  4. encrypted instant messaging (OTR, etc.)
  5. web form to send encrypted mail ( etc.)
  6. web form to store encrypted documents on a server ( etc.)
  7. framework for secure and anonymous communications between sources and journalists

Would it be a good idea for a user interface to first ask the user about the kind of anonymity she/he desires? I don’t know of any software implementing that; maybe there is a reason?

For instance, if I’m going to leak proof that the mayor of my home town has been bribed by a company to grant a construction contract, a web form over HTTPS is probably good enough. However, if I’m going to send proof that my government is illegally spying on its own citizens, it makes more sense to use the full range of precautions a framework such as SecureDrop has to offer.

What do you think?

Hi, and thanks for the invitation. The vast majority of journalists don’t properly understand information security and, that said, are not willing (nor able) to use SecureDrop, Globaleaks, OTR or GPG. But this reminds me of the day when I finally managed to make an investigative journalist install Signal on his mobile phone: it took him 1’, and when he discovered how many of his contacts were also using Signal, that made his day… but he still doesn’t use OTR or GPG.

That said, most of the potential whistleblowers are in the same condition and, thus, unable to properly secure their comms; that’s why I tend to think we should also begin to let them contact journalists by snail mail and Signal/WhatsApp. is a good alternative for journalists who already use GPG, as it lets ppl who don’t use GPG encrypt messages for them. But, at this stage, TipBox doesn’t seem to have been properly audited: do you know how we could manage to get this tool audited?

Globaleaks & SecureDrop are definitely the most secure; I wanted to test the Document interface to be able to figure out what could potentially be improved, but for unknown reasons, with or without an empty character between the 2 Google Authenticator codes, “login failed” ;-( Could someone test it, please?

@manhack, investigative (and infosec) journalist
