aliclark / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://freedom.press/securedrop
GNU Affero General Public License v3.0

The "first contact" problem #1

Open aliclark opened 9 years ago

aliclark commented 9 years ago

How can we maintain the largest anonymity set against various adversaries during the early stage of a source discovering SecureDrop, up to the point of using it?

aliclark commented 9 years ago

For example, the current work-flow may be something like:

1) the source acquires document
1.a) the source may already have Googled for things such as whistleblowing safety at this point
2) the source Googles for "submitting guardian leak" https://www.google.com/search?q=submitting+guardian+leak
3) the source clicks the first hit, the article "Guardian launches SecureDrop system for whistleblowers to share files"
4) the source follows the link at the bottom, possibly after reading other articles: https://securedrop.theguardian.com
5) the source either visits torproject.org or tails.boum.org from the links in that page
6) the source downloads that software
7) possibly after a lengthy Googling of "pgp verification", the source gives up and just installs without verifying.
8) the source now revisits https://securedrop.theguardian.com and hopefully types out the .onion URL in their address bar [meta: can users actually do this?]
8.a) the source may give up or retry if the HS is being slow

If this is the first contact, can we improve it?

aliclark commented 9 years ago

Suggestion 4.1: Modify that Guardian article and any like it to inline the HS URL and instructions. This could remove the extra hop "https://securedrop.theguardian.com" from the source's history.

aliclark commented 9 years ago

Suggestion 1.a.1: Widely publish/advertise the details of the Guardian's submission system, for example that it is available from theguardian.com/. A small note inside every printed newspaper might be helpful. This could save the source from having to Google "submitting guardian leak"; instead they can Google "the guardian" to visit the site normally.

aliclark commented 9 years ago

Suggestion 4.2: Place the full instructions somewhere more widely visited than "https://securedrop.theguardian.com" or "Guardian launches SecureDrop system for whistleblowers to share files", perhaps by a JavaScript show/hide link on the front page, or by linking to an appropriate Wikipedia page from the Guardian front page. The onion URL should be available on the front page, at least to browsers that have the TBB UA string.

aliclark commented 9 years ago

Suggestion 1.a.2: Widely publicise the Tor Browser Bundle (and privacy practices in general, e.g. searching on startpage.com), so it's more likely the user would have known to perform these searches securely.

aliclark commented 9 years ago

Suggestion 5.1: Do not recommend the source to download Tails:

a) the extra choice will confuse the user and generate bounces - make the right choice for them
b) many more people use TBB for standard day-to-day web browsing than use Tails. Tails users are more likely to be using it for a purpose, which makes it stand out to the analyst at the confirmation stage.
c) the anonymity set is larger for TBB users
d) the Tails download instructions are more scary and confusing
e) Tails adds extra security, but if the source is already pwned by this point they're f*cked anyway
f) we can always tell them to download Tails and use it in a secure manner later (though I still find this questionable).

aliclark commented 9 years ago

Suggestion 5.2: Do not link to torproject.org; instead recommend to the user: "At some point (wait at least a day or more) search for the Tor Browser Bundle, install it, and start using it for day-to-day web browsing." This makes the source's download of TBB look far more organic and related to normal web browsing than to SecureDrop usage.

aliclark commented 9 years ago

Hopefully the above suggestions will have generated an optimised workflow:

1) The source was already browsing typically with TBB
2) The source already knew the Guardian operated a SecureDrop instance, locatable from its home page and Wikipedia https://en.wikipedia.org/wiki/SecureDrop
3) The source visited theguardian.com in a TBB session (or a normal web browser if not (1)), just like they would for reading the home page
4) The source can read off the "33y6fjyhs3phzfjj.onion" address in fine print without clicking any links on the home page (if (2)). If not (2), then the source clicks the JavaScript link to reveal the meaning of the onion URL, and the instruction to organically install the TBB.

Other suggestions:

a) Perform browsing activities at peak hours, i.e. in the evening local time.
b) Perform the TBB SecureDrop visit in the coffee shop (just taking care the screen is not visible to others). This makes things slightly less obvious from a SIGINT point of view - when looking into a Ministry of Agriculture leak, a Ministry of Agriculture Tor user's IP being active on Tor jumps out of the analyst's screen much more than a coffee shop's IP being active on Tor at that time.

NB: at the moment it's probably more secure for the source to find the onion URL from here: https://en.wikipedia.org/wiki/SecureDrop

aliclark commented 9 years ago

TODO: needs usability trials