xmr.club
/tools · verified 2026-06-02

SecureDrop

Newsroom-grade anonymous-source submission system. Run by ~70 outlets (NYT, WaPo, ProPublica, Guardian).

At a glance

  • Grade: A
  • KYC posture: anonymous signup
  • Fees: Free · audited · run by ~70 newsrooms
  • Last verified: 2026-06-02
  • Operating since: 2013 · 13y
  • Tor mirror: http://sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion

Why grade A?

Best evidence tier. Signup tested end-to-end by xmr.club curator — deposit + withdrawal + edge cases. No-KYC posture verified at retail volume. Last_verified within 12 months.

Full rubric + 7-step verification walkthrough at /methodology.

Review

SecureDrop (securedrop.org) is the *whistleblower submission system the serious newsrooms actually run* — an open-source platform from the Freedom of the Press Foundation that lets a source send documents to journalists with a threat model that assumes the network, and the source's own situation, are hostile.

Background. SecureDrop traces to the *DeadDrop* project (originally worked on by Aaron Swartz and journalist Kevin Poulsen) and has been stewarded since 2013 by the *Freedom of the Press Foundation*, a non-profit. It is deployed by major investigative outlets worldwide, each running its *own per-newsroom Tor onion service* for source submissions. That non-profit stewardship, open-source codebase, and decade of real-world use in adversarial conditions are why it earns an A in /tools — this is battle-tested infrastructure, not a privacy gadget.

What you trust. The architecture, because the *code is open source and the threat model is explicit and pessimistic*. A source uploads via *Tor* to the newsroom's dedicated `.onion`, so neither the source's IP nor the fact of the connection is exposed to a passive network observer. Journalists retrieve submissions on an *air-gapped workstation* (the recommended setup uses Qubes OS), decrypting documents on a machine that never touches the internet — which contains the damage if a journalist's everyday laptop is compromised. The Foundation publishes a *public directory of which newsrooms run an instance*, so a source can verify they're submitting to the real outlet rather than a lookalike. You're trusting an auditable system and a non-profit, not a vendor's promise.

Operational specs. Submission is Tor-only via the newsroom's onion, with no account, no email, and no identifying metadata required of the source. The server side is a hardened, documented deployment newsrooms self-host; the journalist side prescribes air-gapped decryption (Qubes/Tails workflows) and GPG. Codenames, not identities, track a source's submission thread. Everything is free and open-source, the deployment guides and hardening steps are public, and the directory of live instances is maintained at securedrop.org (and over its own onion).

Philosophy. Source protection is a press-freedom problem, and the only durable protection is *technical, not procedural* — you cannot subpoena metadata that was never collected, and you cannot coerce a journalist into revealing a source they were architecturally prevented from identifying. SecureDrop encodes that principle: assume the network is surveilled, assume devices get seized, assume the adversary is a state, and design so that the system still protects the source. Open-sourcing it and running it as a non-profit public good is the only configuration consistent with that mission.

Grade rationale. A in /tools. The grade reflects open-source, non-profit (Freedom of the Press Foundation) stewardship; a rigorous, explicitly adversarial threat model; Tor-only metadata-minimal submission; air-gapped journalist workflows; and a verifiable public directory of instances. It is the reference implementation for whistleblower infrastructure — nothing else in the category combines this provenance, adoption, and discipline.

Useful when. SecureDrop is for *sources with something genuinely sensitive to disclose to a newsroom*, and for *newsrooms that need a credible, source-protecting intake channel*. If you're a potential source, use the Foundation's directory to find your target outlet's instance, follow the Tails/Tor instructions exactly, and submit only over the verified onion. If you're an organization, it's the gold standard to deploy — with the operational seriousness it demands.

Caveats. SecureDrop's protection is only as strong as the *operational security around it* — a source who connects from an identifying network, leaks their codename, or ignores the Tails/Tor guidance can deanonymize themselves regardless of how sound the system is. Running an instance properly (air-gapped Qubes/Tails, hardware, maintenance) is non-trivial and demands real commitment from the newsroom; a misconfigured deployment is worse than none. And it solves *submission*, not the downstream legal and physical risks a source may face. These are caveats of operational discipline, not of the design — which is precisely why SecureDrop pairs the software with detailed hardening guidance, and why it sits at the top of the category.

Links

Sourced from operator pages — verify identity via more than one channel before trusting time-sensitive instructions.

Audit trail — receipts for the editorial claim

  • UPSTREAM Up · HTTP 200 · 54ms · checked 2h ago
  • ONION Matches operator-published sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion
  • MANUAL Last manual verification 2026-06-02 (<30d)
