What is SecureDrop — and should your newsroom deploy one?
SecureDrop is an open-source whistleblower submission system, originally developed by Aaron Swartz and now maintained by the Freedom of the Press Foundation. It allows sources to submit documents and messages to news organizations anonymously — without revealing their identity to anyone, including the journalists receiving the submissions.
Over 70 news organizations worldwide use SecureDrop, including The New York Times, The Washington Post, The Guardian, and ProPublica. But the system isn't limited to major outlets — any newsroom that handles confidential sources can benefit from one.
How SecureDrop works
SecureDrop is designed around a principle: the newsroom should not be able to identify a source, even if compelled to by legal process.
Here's the basic architecture:
The source interface is a Tor hidden service — a website accessible only through the Tor Browser. Sources visit this site to submit documents or messages. No account creation, no email address, no identifying information.
The journalist interface is a separate Tor hidden service where journalists log in to read and download submissions. The two interfaces are isolated from each other at the network and server level.
The viewing station is an air-gapped computer (no network connection, ever) where journalists decrypt and view submitted documents. This prevents malware in submitted files from reaching the newsroom's network.
Each source gets a unique codename — generated automatically — that they can use to return and check for responses or submit additional materials. The newsroom never learns the source's real identity through the system.
All communications are encrypted end-to-end, and the servers are configured to retain minimal logs. Even if the SecureDrop servers were seized, they wouldn't contain information identifying sources.
What SecureDrop requires
SecureDrop is not a SaaS product you sign up for. It requires physical hardware and careful operational procedures:
Dedicated servers. At minimum, two physical servers — one for the source interface, one for the journalist interface — that are not used for anything else.
An air-gapped workstation. A dedicated computer that has never been and will never be connected to a network. This is where submitted documents are viewed.
Physical security. The servers and air-gapped workstation need to be in a physically secure location with controlled access.
Operational procedures. Staff need to follow specific procedures for checking submissions, transferring files to the air-gapped workstation, and handling documents. These procedures are part of the security model — cutting corners undermines the protections.
Ongoing maintenance. SecureDrop requires regular updates, monitoring, and system administration. The Freedom of the Press Foundation provides update guidance, but someone needs to execute it.
Who should deploy SecureDrop
SecureDrop makes sense for newsrooms where:
You regularly work with confidential sources who face legal, professional, or physical risk if identified
You publish stories that powerful actors want to suppress — government agencies, corporations, or criminal organizations
Sources have tried to reach you before but didn't know how to do it safely — or were scared off by the lack of a secure option
You want to signal to potential sources that you take their security seriously — having a SecureDrop instance is a visible commitment to source protection
SecureDrop is not the right fit for every newsroom. If your reporting doesn't involve confidential sources who face serious risk, the operational overhead may not be justified. In that case, publishing clear secure contact methods (Signal numbers, PGP keys) may be sufficient.
Who should not deploy SecureDrop
Be honest about your capacity before committing:
If no one on staff can maintain it. SecureDrop requires ongoing system administration. If you don't have someone who can apply updates and troubleshoot issues — or a partner who can do it for you — the system will degrade.
If you can't commit to checking it regularly. A SecureDrop instance that isn't monitored is worse than not having one — sources submit sensitive materials expecting someone to read them.
If you can't secure the physical hardware. The security model requires physical access control. If the servers are sitting under a desk in an open office, the technical protections are undermined.
How deployment works
The Freedom of the Press Foundation provides detailed deployment documentation and supports newsrooms through the setup process. The typical deployment involves:
Hardware procurement. Purchasing the required servers and air-gapped workstation according to FPF specifications.
Physical setup. Installing hardware in a physically secure location with appropriate access controls.
Software installation. Installing and configuring SecureDrop following FPF's step-by-step documentation.
Operational training. Training the journalists and administrators who will use and maintain the system.
Public launch. Publishing your SecureDrop URL through the FPF directory and on your news organization's website.
The process typically takes two to four weeks, depending on hardware availability and staff scheduling. The software installation itself can be completed in a day — the bulk of the time is preparation, physical setup, and training.
How we can help
We deploy SecureDrop instances following the Freedom of the Press Foundation's official guidelines — including the physical security setup that's often the most challenging part for newsrooms to handle on their own. We also provide training for your team and can handle ongoing maintenance as part of a managed services arrangement.
Note: Because SecureDrop is a physical, on-premises deployment, our SecureDrop installation services are currently available in the greater Los Angeles / Southern California area only.
If you're not sure whether SecureDrop is right for your newsroom, we can help you evaluate the decision based on your actual threat model, your reporting focus, and your team's capacity.
We handle the full deployment — hardware, installation, physical security, and training — following FPF's official guidelines. Currently available in the greater Los Angeles area.