SecureDrop Leak Tool Produces a Massive Trove of Prison Docs
It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily and anonymously leak secrets to media outlets over the Tor anonymity network. Now, that system is finally bearing fruit, in the form of a massive dump of files from one of the country’s largest prison phone companies.
On Wednesday, the investigative news site the Intercept published a story based on a collection of 70 million call records taken from a database of Securus, a Dallas, Texas-based company that provides phone service to more than 2,200 prisons around the United States. The database, which the Intercept says was stolen from Securus by a hacker, shows that the company keeps records of every phone call made by the more than 1.2 million inmates who use the service in 37 states, including the time, phone numbers called, inmate names, and even the audio recordings of every call. Those records are routinely sold to law enforcement customers, according to the Intercept’s reporting, and most damningly, include inmate conversations with lawyers that are meant to be protected by the privacy of attorney-client privilege. “This reveals exactly how much surveillance is going on in the criminal justice system,” Jordan Smith, a co-author of the story, tells WIRED. “Many of these calls should never have been recorded in the first place.”
Just as significant as those revelations, perhaps, is how the Intercept obtained the documents that enabled them: The news site has confirmed that it first made contact with the anonymous source who provided the Securus files through the Intercept’s SecureDrop platform, starting with an initial sample of the Securus database uploaded around the beginning of 2015.
That Tor-enabled leak marks a landmark for a still-evolving form of journalism that takes a page out of the playbook invented by WikiLeaks: Like Julian Assange’s secret-spilling organization, SecureDrop allows anyone to run a cryptographically anonymous submission system for leaks and tips. Because that upload site runs as a Tor “hidden service,” anyone who visits has to run Tor too, making it very difficult for anyone to trace his or her location or identity—even the news outlet on the receiving end.
The Intercept’s lead security technologist—and a co-author of the Securus story—Micah Lee says SecureDrop’s benefit isn’t just anonymity, it’s ease of use. Instead of carefully using Tor to create an anonymous email address and figuring out how to encrypt email so that service can’t read their leaked secrets, sources can upload their leak or message using SecureDrop in seconds.
Lee says that this is far from the first time the Intercept has received useful leaks through the SecureDrop system. But the Securus revelations represent the first story of national significance where a news outlet has publicly revealed that the story’s source used SecureDrop anonymous submissions.
“We use SecureDrop on a regular basis, but this story is a little exceptional because we decided it was safe for us to mention that it came from SecureDrop,” Lee says. “This is exactly why we decided to run SecureDrop: to get juicy stories like this and do it in a way where we protect our sources.”
SecureDrop, initially called DeadDrop, was created by the late digital rights activist Aaron Swartz, working with former WIRED editor Kevin Poulsen. The software was first put in place by the New Yorker. Within months, care of the open-source code was taken over by the non-profit Freedom of the Press Foundation, which has since helped to get the anonymous leak system implemented on more than a dozen media websites, including the Washington Post, the Guardian, Gawker, Pro Publica and the Intercept. As Snowden’s revelations have shown the breadth of American surveillance, and as the Obama administration has demonstrated its harsh stance towards leakers like Chelsea Manning and Snowden himself, Freedom of the Press Foundation executive director Trevor Timm says SecureDrop has proved to be an increasingly popular and useful tool. “We do know that more than a handful of news organizations have published information that’s come from SecureDrop,” Timm says. “Hearing feedback from the journalists using it, especially in the past 6 months to one year, has been really encouraging.”
None of those other newsrooms, however, has invested as much in SecureDrop as the Intercept. Aside from running the site’s SecureDrop implementation, Lee has also added features and improvements to the open-source codebase. He’s also the creator of Onionshare, a SecureDrop-like system that allows users to create a temporary Tor hidden service to anonymously and securely send one another large files. The Intercept also employs security engineer Erinn Clark, who until the last year worked as a full-time Tor developer.
Despite SecureDrop’s proven usefulness to the Intercept’s operation, it’s still far from a perfect system. It only allows for a maximum upload of 500 megabytes. In the case of the prison phone leak, that meant that after receiving a sample of the database, Lee and the source had to work out another Tor-based method, which Lee declined to detail, to anonymously share the rest of the files. And the Intercept’s reporters still had to verify the leak’s authenticity, which they did using reverse lookups of phone numbers and records of inmate names and their lawyers.
Still, as this Intercept story demonstrates, SecureDrop’s usefulness far outweighs its drawbacks. It provides sources with anonymity without requiring intimate understanding of security protocols.
Does Lee hope that revealing SecureDrop’s role in the Intercept’s latest scoop will lead to more leakers using that system? “Really we’re just trying to be transparent about the source of our information for this story,” he says. “That would be a nice side effect.”
View this article: