My Own Whistleblower Dead Drop
If you want to send me material for a story securely and anonymously, I’ve set up a new way for you to do so.
The German email provider Tutanota provides an end-to-end encrypted contact form called Secure Connect free of charge to journalists. They were nice enough to give me access, so now I can provide my own secure method for sources and whistleblowers to contact me. When I was at Heise, I was a founding member of their team of investigative journalists (“Heise Investigativ”) and I was also part of the team that evaluated, modified, installed and maintained SecureDrop for their own whistleblower contact form.
Since I’ve left the company, I can no longer use their infrastructure, of course. Throughout my first year as a freelancer, I’ve thought many times about providing my own dead drop for whistleblowers, but have come to the conclusion that setting up and maintaining my own SecureDrop instance in a secure way is not possible with the resources of a one-person operation.
I feel like using Tutanota’s system is a good compromise. Naturally, it does mean I must trust the company and the end-to-end encryption their servers provide. And it also means the contact form doesn’t force added security for the whistleblower like SecureDrop does, but on the upside it is very easy to use. And whistleblowers of course always have the option of visiting my contact form while using Tails and/or the Tor Browser, even if the site itself isn’t a hidden service.
How to Contact Me Securely
If you want to send me information for a story securely and anonymously, you can now do so by visiting https://drop.fab.industries/contactform/secure and following the instructions on that page.
Please note: If you open this link from a computer at an organisation – say at your employer – it is very likely that their systems will log a visit to that URL. It is also likely that automated systems will detect what kind of page it is. This can uncover your identity as a whistleblower. It is best to visit the contact form from a network under your own and sole control. Or, even better, from a public network. But even then you should be aware that it is likely that you are leaving traces like your machine’s MAC address in a log somewhere.
Please consider your operational security at all times and try to provide for plausible deniability. Keep in mind that even professional journalists who have the best interests of their sources at heart can make mistakes and out whistleblowers by accident. Do not endanger yourself. Be safe at all times!
That said, I am always looking for investigative stories and can probably claim to know more about infosec, opsec and secure communication than most other journalists. If you use this contact form to send me material for a valid story, I hereby promise that I will a) stop at nothing to get it published as prominently as possible and b) will do everything in my power to protect your anonymity as a source.
I have always believed that protecting one’s sources is of paramount importance to a journalist and a grave matter of professional ethics. The main reason for creating this secure contact form is that often sources send me incredibly sensitive information over less-than-secure channels and I aim to improve this situation both for the good of the source as well as for my own protection. I also hope that providing such a contact form will make whistleblowers more comfortable in contacting me.
Keep in mind that you can always use the contact form to set up a meeting in person. I am not averse to a stealthy meeting in a public place somewhere.
Header image credit: Nathan Dumlao