After reading / hearing various people who have years of experience operating or using whistleblower platforms, it looks like the user interface varies a lot depending on the threat model and how the receiving side of the tips / documents was set up.
- encrypted voice conversation (Signal, etc.)
- encrypted email
- encrypted instant messaging (OTR, etc.)
- web form to send encrypted mail (http://TipBox.is etc.)
- web form to store encrypted documents on a server (https://secure.frenchleaks.fr/ etc.)
- framework for secure and anonymous communications between sources and journalists
  - leaning toward ease of use (http://globaleaks.org etc.)
  - leaning toward strong security (http://securedrop.org etc.)
Would it be a good idea for a user interface to first ask the user about the kind of anonymity she/he desires? I don’t know of any software implementing that; maybe there is a reason?
For instance, if I’m going to leak proof that the mayor of my home town has been bribed by a company to grant a construction contract, a web form over HTTPS is probably good enough. However, if I’m going to send proof that my government is illegally spying on its own citizens, it makes more sense to use the full range of precautions a framework such as SecureDrop has to offer.
What do you think?