Choose who to submit to¶
Each SecureDrop instance is totally independent, and submissions to that instance are only available to journalists associated with that organization.
All organizations have a landing page that provides their own organization-specific recommendations for using SecureDrop. We encourage you to consider an organization’s landing page before submitting to them.
Most organizations make their landing page prominently accessible from their main website’s homepage. You can also find an incomplete list of organizations accepting submissions through SecureDrop on the SecureDrop Directory maintained by Freedom of the Press Foundation.
Get the Tor Browser¶
Each SecureDrop instance has a publicly available Source Interface: a website where sources can create anonymous accounts, submit files and messages, and check back for replies.
Each Source Interface is only available as a Tor Hidden Service, which is a special type of website with an address ending in ”.onion” that is only accessible through Tor. Tor is an anonymizing network that makes it difficult for anybody observing the network to associate a user’s identity (e.g. their computer’s IP address) with their activity (e.g. uploading information to SecureDrop).
The easiest and most secure way to use Tor is to download the Tor Browser Bundle from the Tor Project website. This bundle includes the Tor Browser, a modified version of the Firefox web browser designed to protect your security and anonymity while using Tor.
Once you have the Tor Browser, launch it and enter the ”.onion” address for the Source Interface of the organization that you wish to submit to. You can find this address on the organization’s landing page, or listed on the SecureDrop Directory.
While using the Tor Browser on your personal computer helps hide your activity on the network, it leaves traces (of its own installation) on your local machine. For even more deniability, we recommend booting into a live system such as Tails for a higher level of security. Tails is specifically designed to run on your computer without leaving traces of your activity, and automatically routes all of your Internet browsing through Tor so you can easily access SecureDrop safely.
Making your First Submission¶
Open the Tor Browser and navigate to the .onion address for the SecureDrop Source Interface you wish to make a submission to. The page should look similar to the screenshot below, although it will probably have a logo specific to the organization you are submitting to.
The page should now look similar to the screenshot below. If this is the first time you are using SecureDrop, click the Submit Documents button.
You should now see a screen that shows the unique codename that SecureDrop has
generated for you. In the example screenshot below the codename is
catering zit isotope consonant tiny shriek provider, but yours will
be different. It is extremely important that you both remember this code and
keep it secret. After submitting documents, you will need to provide this code
to log back in and check for responses.
The best way to protect your codename is to memorize it. If you cannot memorize it right away, we recommend writing it down and keeping it in a safe place at first, and gradually working to memorize it over time. Once you have memorized it, you should destroy the written copy.
For detailed recommendations on best practices for managing your passphrase, check out Passphrase Best Practices.
Once you have generated a codename and put it somewhere safe, click Continue.
You will next be brought to the submission interface, where you may upload a document, enter a message to send to journalists, or both. You can only submit one document at a time, so you may want to combine several files into a zip archive if necessary. The maximum submission size is currently 500MB. If the files you wish to upload are over that limit, we recommend that you send a message to the journalist explaining this, so that they can set up another method for transferring the documents.
When your submission is ready, click Submit.
After clicking Submit, a confirmation page should appear, showing that your message and/or documents have been sent successfully. On this page you can make another submission or view responses to your previous messages.
Once you are finished submitting documents, be certain you have saved your secret codename and then click the Exit button:
The final step to clearing your session is to restart Tor Browser for optimal security. You can either close the browser entirely or follow the notification: click on the Tor onion in the toolbar, click New Identity and then click Yes in the dialog box that appears to confirm you’d like to restart Tor Browser:
Continuing the Conversation¶
If you have already submitted a document and would like to check for responses, click the Check for a Response button on the media organization’s SecureDrop homepage.
The next page will ask for your secret codename. Enter it and click Continue.
At the time of this writing, the current version of Tor Browser (7.0.2) shows a warning on the Enter your codename password input field when you focus it that says “This connection is not secure. Logins entered here could be compromised.” It looks like this:
This warning seems alarming, but there is actually no cause for concern. The warning is the result of a relatively new Mozilla Firefox feature that is intended to protect users from submitting potentially sensitive information on web sites that do not use HTTPS to encrypt the connection between the user and the site. While some SecureDrop sites use HTTPS, most do not; however, this is acceptable because SecureDrop uses Tor Hidden Services, which encrypt the connection without having to use HTTPS.
Unfortunately, this new Firefox feature is unaware of the special properties of hidden services, and so it mistakenly shows these warnings on any hidden service that isn’t also using HTTPS. This issue is being addressed upstream by the Tor Browser developers, and we hope it will be resolved in a new version of Tor Browser soon. In the meantime, you can safely ignore these warnings and continue to use SecureDrop.
For the latest on this issue, and how it affects SecureDrop users, see the GitHub issue.
If a journalist has responded, their message will appear on the next page. This page also allows you to upload another document or send another message to the journalist. Before leaving the page, you should delete any replies. In the unlikely event that someone learns your codename, this will keep your identity secret as no one will be able to see the previous correspondences you had with journalists.
After you delete the message from the journalist, make sure you see the below message.
If the server experiences a large number of new sources signing up at once and is overloaded with submissions, the journalist will flag your message on their end and you will see the message below. They can’t write a reply to you until you’ve seen this message for security reasons. This will only happen the first time a journalist replies and with subsequent replies you will skip this step. Click Refresh or log in again to see if a journalist has responded.
Repeat these steps to continue communicating with the journalist.