Guardian Installed SecureDrop Outside The UK, Due To Legal Threats

from the incredible dept

As part of the whole Reset the Net effort yesterday, the Guardian announced that it is now using SecureDrop to allow whistleblowers and sources to send them information in a protected manner. As you may recall, SecureDrop (nee DeadDrop) was Aaron Swartz's last project (built with Kevin Poulsen), which the good folks at the Freedom of the Press Foundation took over last fall. It's great to see The Guardian adopt SecureDrop, but what caught my eye was this tidbit:
The Guardian’s SecureDrop system is installed outside of the UK. Last year, the UK government was criticized by international press freedom organisations for applying pressure to the Guardian over its publication of the NSA documents leaked by Snowden, leading to the news organization relocating its reporting on the files to the USA, and destroying all copies of the documents stored in its UK headquarters.
In other words, the Guardian, a UK newspaper, is admitting that it simply doesn't feel safe locating its SecureDrop implementation inside the UK. For people who believe in press freedom in the UK, this is a pretty scary statement -- just the latest in the past few years that have really called into question the UK's support for a free and open press.

Filed Under: freedom of the press, securedrop, uk, whistleblowers
Companies: the guardian

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Nicholas Weaver (profile), 6 Jun 2014 @ 7:29am

    Re: Re: Securedrop is pointless theater...

    No, I'm being realistic, as an expert in the field. Tor is really good at keeping an adversary from saying "what are you doing over Tor", but it positively stinks at saying "is this person using Tor".

    Tor by default glows in Netflow, since the public relays are known, which everyone keeps, let alone any real IDS which goes "hey, these certificates don't validate, oh, and are odd in the CN/SN structure".

    This is why it was so easy to track down the Harvard hoaxer: "Look in Netflow for contacts to the Tor relays. Thats his IP. Look at the access logs to find out who it is. Oh, its this one person, go knock on his door Mr FBI".

    Alternate plug-in transports to bridge nodes prevents this, but your Tor Browser Bundle can't use those by default, since if it could, they'd no longer be good at hiding "this person is using Tor".

    It comes down to this unfortunate fact: A source which knows how to use Tor without being identified as a Tor user (using Tails on a public WiFi hotspot, ideally divorced from normal habits/movements) already has enough OPSEC skills that they don't need Tor, but can instead use burner phones and the US mail.

    Yet how many sources email the Guardian, the New York Times, the Washington Post, etc and not realize that the mail servers are outsourced, and a subpoena or a search warrant away from every local cop or fed (or Google or Microsoft for that matter)?

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.