What is SecureDrop?
SecureDrop is an anonymity tool for journalists and whistleblowers. It was originally coded by the late Aaron Swartz, and is now managed by the Freedom of the Press Foundation. Dozens of news organizations including the New York Times, ProPublica, and The Washington Post use SecureDrop as a way to receive messages securely and anonymously. As a source, you can use the Documented SecureDrop installation to anonymously submit documents to our team. Our journalists use SecureDrop to receive source materials and securely communicate with anonymous contacts.
What should I know before submitting material through SecureDrop?
To protect your anonymity when using SecureDrop, it is essential that you do not use a network or device that can easily be traced back to your real identity. Instead, use public wifi networks and devices you control.
Do NOT access SecureDrop on your employer’s network.
Do NOT access SecureDrop using your employer’s hardware.
Do NOT access SecureDrop on your home network.
DO access SecureDrop on a network not associated with you, like the wifi at a library or cafe.
How to use Documented's Secure Drop
Once you are connected to a public network at a cafe or library, download and install the desktop version of Tor Browser.
Launch Tor Browser. Visit our organization’s unique SecureDrop URL at:
Follow the instructions you find on our source page to send us materials and messages. They are routed to a secure dropbox that Documented checks regularly.
When you make your first submission, you will receive a unique codename. Memorize it. If you write it down, be sure to destroy the copy as soon as you’ve committed it to memory. Use your codename to sign back in to our source page, check for responses from our journalists, and upload additional materials.
As a source, what else should I know?
No tool can absolutely guarantee your security or anonymity. The best way to protect your privacy and anonymity as a source is to adhere to best practices.
You can use a separate computer you’ve designated specifically to handle the submission process. Or, you can use an alternate operating system like Tails, which boots from a USB stick and erases your activity at the end of every session.
A file contains valuable metadata about its source — when it was created and downloaded, what machine was involved, the machine’s owner, etc. You can scrub metadata from some files prior to submission using the Metadata Anonymization Toolkit featured in Tails.
Your online behavior can be extremely revealing. Regularly monitoring Documented’s social media or website can potentially flag you as a source. Take great care to think about what your online behavior might reveal, and consider using Tor Browser to mitigate such monitoring.
Documented retains strict access control over our SecureDrop project. A select few journalists within our organization will have access to SecureDrop submissions. We control the servers that store your submissions, so no third party has direct access to the metadata or content of what you send us.
Do not discuss leaking or whistleblowing, even with trusted contacts.