SecureDrop at The Globe and Mail

SecureDrop at

The Globe and Mail

What is it?

The Globe and Mail’s SecureDrop service provides a way to share information with our journalists with more security and anonymity than traditional means. The software comes from the Freedom of the Press Foundation, who have worked with other news organizations to provide a safer way for sources to talk to reporters. You can also email our journalists (without anonymity, but with encryption of the contents) using PGP.

Before getting started

To reduce the probability that a third party, such as your employer or a government agency, can tell that you’re using SecureDrop, you should connect to it from a network that you don’t normally use, such as a public wifi network at a cafe that you’ve never visited before.

You should also use a computer that you control, because a laptop issued to you by your employer may contain monitoring software that captures keystrokes or tracks the sites that you visit.

It might help you to watch this step-by-step video on how to contact us using SecureDrop. It illustrates many of the principles outlined below.

I’m at a coffee shop with my computer, now what?

Once you are connected to a network that you don’t normally use, download and install the Tor Browser – this provides an anonymous web browser that you can use to access the service Open the Tor Browser, and once a secure connection to the Tor network has been set up, enter this address in the address bar: sml5wmpuq7ifq2mh.onion Follow the instructions provided to upload files and leave messages Don’t visit any other sites where your identity can be discovered in the same session

You will be allocated a unique code phrase as part of the process. If you want to check for responses later, you will need to use this code phrase. Ideally you will memorize it and not write it down. In any event, keep it safe. You should not contact our journalists in connection with your SecureDrop uploads through any other method, such via social media or email.

SecureDrop provides an anonymous connection to The Globe and Mail, and securely encrypts any files you upload to the service. However, it cannot protect the original files on your own computer, or prevent your computer from being compromised by malware. For added security we recommend using Tails, an operating system that loads from a USB stick and wipes any trace of its use when you shut down your computer. You should also consider encrypting sensitive files on your computer.

How does SecureDrop work?

SecureDrop uses the Tor network to anonymize your interactions with us. It provides a Tor hidden service, hosted on computers isolated from our main internal network and under our physical control. Files and messages uploaded to this service are encrypted using PGP, and can only be decrypted by our journalists on a dedicated air-gapped decryption station also under The Globe and Mail’s control.

Files and messages may be uploaded for the attention of any of our journalists, but only a small number of senior investigative reporters have access to the decryption station. After uploads have been decrypted, they are passed securely to the intended journalist, who will treat them appropriately as sensitive data.

What protection do I have as a source if I use SecureDrop?

The Globe and Mail does not log any of your interactions with the SecureDrop system, including your visit to this page. It installs no tracking cookies or tracking software of any kind on your computer as part of the process. Your identity is not exposed to us during the upload process, and we do not know your unique code phrase. This means that even if a code phrase is compromised, we cannot comply with demands to provide documents that were uploaded by a source with that code phrase. SecureDrop itself is an open-source project that is subject to regular security audits, reducing the risk of bugs that could compromise your information.

Information provided through SecureDrop is handled appropriately by our journalists. Journalists working with uploaded files are required to use only computers with encrypted hard drives and follow security best practices. Anonymous sources are a critical element of journalism, and The Globe and Mail has always protected its sources to the best of its abilities. In most circumstances, there will be no need to require any information from you. However, there may be times when a Globe and Mail journalist might seek your permission to meet before certain information is published. The use of anonymous sources is governed by our Editorial Code of Conduct.

No form of communication, electronic or otherwise, can be made 100% secure. Correct use of the SecureDrop service, along with appropriate security precautions on your own computer, will provide you with a greater level of security than traditional methods. As with all other methods, we will take all the steps we can to protect you as a source, but use is at your own risk.