SecureDrop is a whistleblower submission system used by news organizations worldwide, including the Washington Post, Der Spiegel, The New York Times, The Guardian, ProPublica, and others. It is designed to help whistleblowers reach out and share information safely and anonymously.
As a whistleblower, you should protect yourself as much as you can. SecureDrop is intended to help you do that while you perform an essential role in civil society. Thank you, and stay safe.
To protect your anonymity while submitting a tip via SecureDrop, follow these steps:
Before you blow the whistle, be mindful of workplace surveillance, and never use a work computer for anything related to whistleblowing!
If you are considering sharing sensitive data, bear in mind that both your work devices and your workplace’s network are likely to be monitored. Many workplaces also record access to sensitive data. Exercise caution before you leak — don’t leave an audit trail.
Using a Wi-Fi connection not associated with you, such as in a public place you don’t normally go, will reduce the risk your internet usage will raise suspicion.
Almost all workplace networks are heavily monitored, and your activity on your workplace computer is likely monitored as well. Don’t use the Wi-Fi at work.
You should already be viewing this in Tor Browser on a computer you own — if not, stop, download Tor Browser on your computer, and only then continue. Do not use a smartphone or tablet.
If you are technically inclined, you may want to consider preparing a USB drive with Tails (https://tails.net/) to use Tor Browser and access SecureDrop. Tails is more complex to use, but it minimizes any traces left on your computer.
The SecureDrop directory lists news organizations worldwide that have verified themselves and passed basic validation for their SecureDrop installations. You can search by name, or filter by supported language, country, and topics covered.
Each organization listing in the directory will contain two key pieces of information:
Some organizations may have their 56-character long-form address listed along with their human-friendly short-form address, like <orgname>.securedrop.tor.onion. Either will work.
You will be given a random seven-word code name. Make a note of it if you want to send more messages and files in the future, or if you want to be able to receive replies from journalists. You can use it to log in again later.
Ideally, you should memorize your code name. If that's not possible, then try to record it safely, in a way that doesn't link it to your use of SecureDrop. Never share it with anyone, including journalists. Keep it secret, keep it safe.
If you are planning to upload large files, you should be prepared to wait — uploading files via Tor Browser can be slow — and for really large submissions (larger than 500MB) you may need to message journalists via SecureDrop first to arrange other safe transfer methods.
Do not reach out with more information or look for updates on your SecureDrop messages via other communication methods, as this may compromise your anonymity. Journalists may ask you to switch to other communication methods for follow-up conversations — make sure to insist on methods that use secure encryption, such as Signal, bearing in mind that by default they may not offer the same level of anonymity.
Protect yourself and others by keeping your whistleblowing to yourself.
If you need to seek legal counsel, you may decide to contact trusted organizations that provide aid to whistleblowers. If you do so, you should continue to use systems like Signal or SecureDrop to make contact, and you should share as little information as possible, preserving your anonymity if you can.
