Source Guide

Note

This guide provides an introduction to using SecureDrop as a source. It is not exhaustive, it does not address ethical or legal dimensions of whistleblowing, and it does not speak to other methods for confidentially communicating with journalists. Please proceed at your own risk. For additional background, also see the Freedom of the Press Foundation guide, How to Share Sensitive Leaks With the Press.

Warning

Freedom of the Press Foundation has no access to any other organization’s SecureDrop instance, and cannot assist directly in your communications with them. If you plan to use SecureDrop to maintain your anonymity, you should not discuss your own use of it with others via unsafe methods, including email to Freedom of the Press Foundation.

What is SecureDrop?

Dozens of news organizations — from ProPublica to The New York Times — use SecureDrop to accept tips securely and anonymously. You can reach out and share files, and messages, but for real anonymity, it’s important to take some extra precautions. This resource will describe things you can do to help protect your anonymity when using SecureDrop.

Before moving ahead, note that your Internet Service Provider, or ISP (e.g., Comcast), may already have a record of your visit to this website, docs.securedrop.org. Likewise, any related activity should be conducted outside of your workplace; if you are reading this page on a workplace device or network, they may also have a record of that.

Here are some things you can do to further minimize risk.

Choosing the Right Location

If you don’t have sensitive information to send to a news organization, it may be okay to use a traditional computer when reaching out. But when sensitive disclosures (e.g., national security) are involved, we suggest you buy a new computer and a USB flash drive, using cash. Either way, you should then find a busy cafe you don’t regularly go to and sit at a place with your back to a wall to avoid cameras capturing information on your screen or keystrokes.

Get Tor Browser

Each SecureDrop page is only available as an onion service, which is a special type of website with an address ending in “.onion” that is only accessible through Tor. Tor is an anonymizing network that makes it difficult for anybody observing the network to associate a user’s identity (e.g., their computer’s IP address) with their activity (e.g., uploading information to SecureDrop).

The easiest and most secure way to use Tor is to download Tor Browser from the Tor Project website. The Tor Browser is a modified version of the Firefox web browser. It was designed to protect your security and anonymity while using Tor. If there is a chance that downloading Tor Browser raises suspicion, you have a few alternatives, for example:

  • If your mail provider is less likely to be monitored, you can send a mail to gettor@torproject.org with the text “linux”, “windows” or “osx” in the body (for your preferred operating system) and a bot will answer with instructions.

  • You can download a copy of Tor Browser for your operating system from the GitLab mirror. maintained by the Tor team.

While using Tor Browser on your personal computer helps hide your activity on the network, it leaves traces of its own installation on your local machine. Your operating system may keep additional logs, for example, of the last time you used Tor Browser.

In general, when you are trying to stay anonymous, many time-saving features of your computer or phone turn into threats: bookmarks, recommendations, synchronization features, shortcuts to frequently opened files, and so on. This is why using a dedicated computer for whistleblowing activities is generally safer.

For greater deniability and security, we recommend booting the computer into the Tails operating system (typically from a USB stick). Tails is specifically designed to run on your computer without leaving traces of your activity or saving logs. It automatically routes all of your Internet browsing through Tor so you can easily access SecureDrop safely. This may take some additional technical steps, but it’s safer, and fairly simple to get started.

Even if you are using a dedicated computer for your SecureDrop activity that you have never used and will never use for anything else, we recommend also using Tails to avoid leaving traces of your activity on the computer’s hard disk, in your ISP’s logs, or on cloud services.

Important

Tor protects your anonymity, but third parties who can monitor your network traffic can detect that you are using Tor. They may even be able to do so long after your browser session, using network activity logs. This is why we recommend using Tor Browser from a cafe you do not visit regularly.

Choose Who to Submit To

We recommend conducting all research related to your submission in Tor Browser. If you are unsure whether you are using Tor, you can visit the address https://check.torproject.org.

All organizations operating SecureDrop have a landing page that provides their own organization-specific recommendations for using SecureDrop. We encourage you to consider an organization’s landing page before submitting to them.

Note

Each SecureDrop instance is operated and administered independently by the organization you are submitting to. Only the journalists associated with that organization can see your submissions.

Most organizations make their SecureDrop prominently accessible from their main website’s homepage (for news organizations, typically under sections called “Tips” or “Contact us”). You can also find an incomplete list of organizations accepting submissions through SecureDrop in the SecureDrop Directory maintained by Freedom of the Press Foundation.

Using Tor Browser, find the “.onion” address for the SecureDrop for the organization that you wish to submit to.

Tip

If the organization does have an entry in the SecureDrop Directory, we recommend comparing the address of the entry with the one on the organization’s own SecureDrop landing page.

If the two addresses don’t match, please do not submit to this organization yet. Instead, please contact us through the SecureDrop website, using Tor Browser. For additional security, you can use our .onion service address in Tor:

sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion/report-an-error

We will update the directory entry if the information in it is incorrect.

Once you have located the “.onion” address, copy it into the address bar in Tor Browser to visit the organization’s SecureDrop.

Making Your First Submission

Open Tor Browser and navigate to the .onion address for the SecureDrop you wish to make a submission to. The page will invite you to get started with your first submission or to log in. It should have a logo specific to the organization you are submitting to.

Example home page of a SecureDrop instance.

If this is the first time you’re using Tor Browser, it’s likely that you have JavaScript enabled and that the Tor Browser’s security level is set to “Low”. In this case, there will be a purple warning banner at the top of the page that encourages you to disable JavaScript and change the security level to “Safest”.

Warning banner: Your Tor Browser's Security Level is too low.

Click the Security Level link in the warning banner, and a message bubble will pop up explaining how to increase the security level to Safest.

Example home page displaying instructions to increase Tor Browser's Security Level.

  1. Click the shield icon in the toolbar

  2. Click Change

  3. Select Safest

Advanced Security Settings in Tor Browser.

Note

The “Safest” setting disables the use of JavaScript on every page you visit using Tor Browser, even after a browser restart. This may cause other websites you visit using Tor Browser to no longer work correctly, until you adjust the Security Level again. We recommend keeping the setting at “Safest” during the entirety of the session in which you access an organization’s SecureDrop instance.

The SecureDrop page should now refresh automatically and stop displaying the warning. If this is the first time you are using SecureDrop, click the Get Started button.

Example home page of a SecureDrop instance.

You should now see a screen that shows the unique codename that SecureDrop has generated for you. Note that your codename will not be the same as the codename shown in the image below. It is extremely important that you both remember this code and keep it secret. After submitting documents, you will need to provide this code to log back in and check for responses.

Example welcome page displaying a codename.

The best way to protect your codename is to memorize it. If you cannot memorize it right away, we recommend writing it down and keeping it in a safe place at first, and gradually working to memorize it over time. Once you have memorized it, you should destroy the written copy.

Tip

For detailed recommendations on best practices for managing your passphrase, check out Passphrase Best Practices.

Once you have generated a codename and put it somewhere safe, click Submit Documents.

You will next be brought to the submission page, where you may upload a document, enter a message to send to journalists, or both. You can only submit one document at a time, so you may want to combine several files into a ZIP archive if necessary. The maximum submission size is currently 500MB. If the files you wish to upload are over that limit, we recommend that you send a message to the journalist explaining this, so that they can set up another method for transferring the documents.

Example submission page, where documents and messages can be submitted.

When your submission is ready, click Submit.

After clicking Submit, a confirmation page should appear, showing that your message and/or documents have been sent successfully. On this page you can make another submission or view responses to your previous messages.

Example submission page, displaying a confirmation message after a submission was sent successfully.

Once you are finished submitting documents, be certain you have saved your secret codename and then click the Log out button.

The final step to clearing your session is to restart Tor Browser for optimal security. After logging out, you should see a new page recommending you to click the New Identity button in the Tor Browser toolbar.

Page displaying instructions to clear your Tor Browser session by resetting your identity.

You can either close the browser entirely or follow the instructions on the page:

  1. Click on the New Identity button in the Tor Browser toolbar

  2. Click Yes in the dialog box that appears to confirm you’d like to restart Tor Browser

Dialog box asking for confirmation before Tor Browser is restarted.

Continuing the Conversation

If you have already submitted a document and would like to check for responses, click the Log in button on the media organization’s SecureDrop page.

Example home page of a SecureDrop instance.

The next page will ask for your secret codename. Enter it and click Continue.

Example login page asking you to enter your secret codename.

If a journalist has responded, their message will appear on the next page. Before leaving the page, you should delete any replies. In the unlikely event that someone learns your codename, this will ensure that they will not be able to see the previous correspondences you had with journalists.

Example submission page, displaying a reply from a journalist.

After you delete the reply from the journalist, make sure you see the confirmation message: “Reply deleted”.

Example submission page, displaying a confirmation message after a reply was deleted.