The New Yorker Hopes "Strongbox" Is a Wiretap-Proof Sieve for Leaks
BY Miranda Neubauer | Thursday, May 16 2013
The New Yorker yesterday became the first outlet to implement DeadDrop, a new system for sources to submit information to journalists online in a more secure and anonymous way than, for example, email.
The announcement comes just a few days after the Associated Press announced it had been notified that the Justice Department subpoenaed journalists' phone records in secret, building a contact list for phone lines in offices where as many as 100 journalists were at work.
Wired Investigations Editor Kevin Poulsen writes that the project was developed with the help of the late activist and programmer Aaron Swartz, and the code is open-source for others to use. The New Yorker, which, like Wired, is owned by Conde Nast, calls its implementation "Strongbox" and has made it available for use already. Observers who develop software in newsroom say it's just another early step on the continuing path towards a 21st-century delivery system for sources to give sensitive information to journalists, and are offering ideas for improvement and highlighting challenges.
The platform is only accessible to people using Tor, software that connects a computer to a secured, anonymized network. The New Yorker says it will not record a Strongbox user's I.P. address or other information about a user's browser, computer or operating system, nor embed third-party content or deliver cookies to a user's browser. (Journalist Julia Angwin noted on Twitter that the Ghostery extension shows six trackers for the New Yorker's explanatory website on Strongbox, but Strongbox itself, says Poulsen, has no cookies.) Anyone who uses the system to submit a document receives a unique "code name" which New Yorker writers or editors can use to contact the user, and that is the only way communication between the two sides can take place. The system, Poulsen explains, is even stored on servers physically separate from the rest of the magazine's infrastructure.
But in shades of WikiLeaks — which lost its star source, Bradley Manning, despite its own technological expertise — the New Yorker also cautions that Strongbox does not offer "perfect security." If a user shares his or her codename, or if a user's computer is compromised, problems can begin, The New Yorker warns.
As response to the platform starts to trickle in, Poulsen said, the development team has already started making changes.
"Since yesterday there have been a few changes to the distribution mostly in the documentation and in the setup," he said.
There are also ongoing discussions about further improvement, he said.
"I would like there to be future iteration mechanisms to guard against a malicious attack that floods the system with false and spammy contributions," he explained, adding that the challenge in implementing that feature would be for it not to inconvenience users.
Many observers have also taken a closer look at the security of the platform, which launched just a day after another Wired article highlighted the challenges future "Deep Throats" might face if they wish to communicate safely with a journalist.
Other observers offered feedback for the Knight-Mozilla OpenNews blog Source.
Jacob Harris, New York Times software architect, called the platform "a very solid design with some very strong components." In comments to Source, he praised the use of Tor, writing that it is "an excellent development beyond the HTTPS-based approaches taken by some earlier dropboxes." But he also cautioned that Tor is not perfect and not a "magical leak safety device."
"If a leaker is foolish enough to upload a file from their work computer, it still might be possible to figure out who he or she is by noting which machine has made a massive upload through a Tor relay recently," Harris wrote. He suggested platforms like Strongbox include guidance for potential leakers.
"[Imagine] if law enforcement was able to hack into and control the machine quietly," he also wrote. "Even if prior messages were deleted, the law could request a further meet or try some other trick to solicit information from the leaker." Harris also cautioned that the success of such a system depends on both sides maintaining "perfect operational discipline," which can be an almost impossible mandate.
It's also unclear how much demand there will be for platforms like these.
"Are anonymous leakers out there and common, or was Bradley Manning a black swan?" he wrote. "As much as I find this topic interesting, I still feel that there would be many benefits reaped from making insecure leaking easier and more effective at most newspapers ... Most news orgs are more systemic about handling photo submissions and tweets than we are at handling tips, and there is likely a lot of value in tackling that problem (although it’s not as sexy)."
Jonathan Stray from the Overview Project also praised the platform for how it addressed the specific problem of "anonymous file submission."
But Stray also worried that in practice the platform does not overcome many hurdles in secure communication between sources and journalists.
"In my experience, even savvy technologists vastly overestimate the number of people who can reliably complete tasks like 'download and install this software,'" Stray wrote to Source. "Strongbox cannot help users who are too frustrated to get it working properly ... There doesn’t seem to be any usability testing yet."
Stray also noted the limitations of the two-way communications system, remarking that "dead-drop messaging is a terrible way to work on deadline," but warned that switching to any other communications system would then void the security. In addition, he pointed out that metadata that might be contained in submitted documents could inadvertently reveal compromising information, especially if journalists or sources don't know to look for it.
Mike Tigas, OpenNews Fellow at Pro Publica, also praised the platform but questioned its usability. "Even with the Tor Browser Bundle (as easy as 'download, unzip, and run program,' no need to install anything), the usability of Tor leaves much to be desired unless you’re someone with something to hide," he wrote. "Security nerds will debate whether this is bulletproof or not—but what is, in this day and age? ... This tool, if used at all, is far more secure than the existing state of affairs for anonymous sources."