SecureDrop is a free and open source software specifically designed for news organizations to securely communicate with and receive documents from anonymous sources over the Internet.

A new report, Guide to SecureDrop, provides the history, significance and use of the system, which was developed over the last four years. The report, written by Charles Berret, a fellow at the Tow Center for Digital Journalism at Columbia Journalism School, is a must read for any journalist or news outlet.

“One of the explicit purposes behind developing SecureDrop has been to restore the possibility for journalists to protect sources whose communication devices might otherwise expose their identities,” Berret writes. 

SecureDrop achieves this goal by operating as a Tor hidden service on servers that reside in-house at news organizations. With the system, a reporter’s source cannot be identified through digital traces via third parties that can be traced, and used, by authorities without a subpoena.

Berret writes about a fairly consistent set of practices among the journalists using SecureDrop. “Many organizations designate just a handful of employees to check their system, and these employees act as operators, in a sense, who monitor the inbox and distribute promising submissions to the reporter who is best suited to assess and potentially act on that information. This is by far the most common model for the coordination of SecureDrop in newsrooms, and it appears to be so common largely because these practices were imprinted at the time of the system’s initial, guided installation by the SecureDrop developers.” 

The Tow research project included interviews with 12 journalists and three technical administrators at 10 organizations using SecureDrop as well as five people actively building the system and training journalists to use it.

The report provides case studies on the use of SecureDrop by The Intercept, The Washington Post, Gawker, The Globe and Mail and ProPublica.