The "strongest-ever" whistleblowing tool for sources to speak anonymously with journalists, partly developed by the late Reddit co-founder Aaron Swartz, has been launched by the Freedom of The Press Foundation.

Aaron Swartz
Reuters

Before his suicide in January 2013, Swartz had been working on a tool for sources to anonymously submit documents to journalists online, without using traceable email and in a way that could be easily catalogued by news organisations.

Called SecureDrop, the tool can be installed on any news organisation's website as a 'Contact Us' form page. But where these pages usually require a name and email address, the encrypted SecureDrop system is completely anonymous, assigning the whistleblower two unique identifiers - one seen by the journalist, and one seen by the whistleblower. These identities stay the same, so a conversation can be had without names being shared or known.

The launch of SecureDrop comes at a time when people are more aware than ever of the insecurity of online commuications. The leaks from NSA-whistleblower Edward Snowden has revealed widespread government monitoring of email and other forms of online communication.

SecureDrop, which is similar to the Wikileaks submission system, began life as Swartz's DeadDrop project - a way of helping journalists communicate anonymously with their sources. In May this year, The New Yorker used some of the tool's code to create its own system, called StrongBox.

'Strongest-ever' whistleblowing tool

The non-profit Freedom of The Press Foundation now has control of the renamed project and has pledged to provide continuous support and improvements for the submission tool, which is built on Python code and is open source, letting users modify it to best suit their needs.

The Foundation believes that, while "no security system can ever by 100% impenetrable," SecureDrop system is "the strongest ever made available to media outlets," claiming several major, but unnamed, news agencies have already signed up for the service. Their names will be announced in the coming weeks, the Foundation claims.

Co-founder and board member of the Foundation, JP Barlow, said: "We've reached a time in America when the only way the press can assure the anonymity and safety of their sources is not to know who they are. SecureDrop is where real news can be slipped quietly under the door."

In a bid to make the system available to everyone, regardless of their technical ability, the Foundation will help news outlets install the system on their websites, provide instructions on keeping their security tight, and offer long-term technical support. Smaller organisations can apply to the Foundation for help in obtaining hardware, such as servers on which SecureDrop data is stored.

Before launching, SecureDrop was subject to a detailed security audit conducted by a team of University of Washington researchers which included security expert Bruce Schneier and a developer of the anonymous Tor internet browser, Jacob Appelbaum.

Grave challenges

Foundation executive director Trevor Timm said: "A truly free press hinges on the ability of investigative journalists to build trust with their sources...recent NSA revelations and a record number of whistleblower prosecutions under the current administration have shown the grave challenges to this relationship and the lengths governments will go to undermine it."

Timm said the Foundation is committed to "ushering in a new era of security for journalists and newsrooms of all sizes."

Since the leaking of thousands of top secret NSA and GCHQ documents by Edward Snowden, it has been widely reported that email - even through services claiming enhanced encryption - can be traced.

Lavabit

One such email service is Lavabit, used by Snowden, which was shut down in August, with its owner citing legal reasons preventing him from explaining the sudden closure.

Owner Ladar Levison said he would rather close his company, which had over 400,000 users, than become complicit in "crimes against the American people."

However, from 14 October the service has been reinstated, giving users 72 hours to change their passwords and recover data stored on their accounts.

A legal fund set up to help pay for Levison's legal costs has so far raised more than $93,000 (£58,000).