Volume 2022 (2022): Issue 2 (April 2022)
Journal details
First published: 16 Apr 2015
Publication frequency: 4 times per year
Access type: Open access

CoverDrop: Blowing the Whistle Through A News App

Published online: 03 Mar 2022
Volume & Issue: Volume 2022 (2022) - Issue 2 (April 2022)
Pages: 47 - 67
Received: 31 Aug 2021
Accepted: 16 Dec 2021

Whistleblowing is hazardous in a world of pervasive surveillance, yet many leading newspapers expect sources to contact them with methods that are either insecure or barely usable. In an attempt to do better, we conducted two workshops with British news organisations and surveyed whistleblowing options and guidelines at major media outlets. We concluded that the soft spot is a system for initial contact and trust establishment between sources and reporters. CoverDrop is a two-way, secure system to do this. We support secure messaging within a news app, so that all its other users provide cover traffic, which we channel through a threshold mix instantiated in a Trusted Execution Environment within the news organisation. CoverDrop is designed to resist a powerful global adversary with the ability to issue warrants against infrastructure providers, yet it can easily be integrated into existing infrastructure. We present the results from our workshops, describe CoverDrop’s design and demonstrate its security and performance.


