The New Yorker Launches Strongbox
Using Tor to help journalists and sources communicate securely
To start the Wednesday work day on the East Coast, the New Yorker released Strongbox. Strongbox allows sources to share messages and files with the New Yorker in a form that is more secure than an email or phone call by using a Tor network. And of course, the release came two days after news that the US Justice Department obtained two months of telephone records of reporters and editors at the Associated Press.
How Strongbox Came About
The plans for Strongbox started nearly two years ago. Kevin Poulsen, investigations editor at Wired magazine, described how he built the tool with Aaron Swartz, who took on the coding for the project. Strongbox runs on the open-source DeadDrop.
Through Strongbox, sources can securely and anonymously contact the New Yorker by accessing the New Yorker’s network on the Tor Project. Joshua Rothman of the New Yorker laid out the importance of tools like Strongbox to support investigative reporting, while also sharing a month’s worth of New Yorker investigative long reads.
Before lunch, Strongbox held the top three spots on Hacker News and had inspired many positive reactions. Ex-WikiLeaker James Ball described it as:
New Yorker—with Aaron Swartz’ help—delivers what WikiLeaks only ever pretended to have: a secure online dropbox: newyorker.com/online/blogs/closeread/2013/05/introducing-strongbox-anonymous-document-sharing-tool.html …— James Ball (@jamesrbuk) May 15, 2013
In addition to providing a tool for communications, the release of the project could become a teachable moment for many journalists:
I wonder how many journalists are learning about Tor for the first time today? Awesome job @NewYorker! http://www.newyorker.com/online/blogs/closeread/2013/05/introducing-strongbox-anonymous-document-sharing-tool.html … #strongbox— Travis Swicegood (@tswicegood) May 15, 2013
Knight-Mozilla Fellow Mike Tigas presented on information security at a recent journalism conference and has a course on this topic in the works for For Journalism. He explained that:
Tor is hard. Even with the Tor Browser Bundle (as easy as “download, unzip, and run program”, no need to install anything), the usability of Tor leaves much to be desired unless you’re someone with something to hide. This tool obviously won’t be for everyone, but the existence of strong tools for strong circumstances (whistleblowers come to mind) can elevate and protect the journalistic process.
To help people just encountering Tor get up to speed, Adrienne LaFrance shared a piece from the Nieman Lab about how the Tor Project can help journalists securely communicate with sources. The Freedom of the Press Foundation had a post out right away that situated the tool within the recent history of information leaks to the media. And Source gathered reactions from around the journalism code community on Storify.
Where From Here?
With the importance of secure communications increasingly clear, how can DeadDrop and Strongbox be used effectively by news organizations and potential sources? It was just released today, but some initial reactions point to ideas for further development.
@jonathanstray Safe deposit boxes at banks aren’t exactly convenient, either. Software is (slowly) getting better at it, at least.— Mike Tigas (@mtigas) May 15, 2013
The approach used by DeadDrop seems good. I probably would add an automated process for moving submissions off the drop server.— Jacob Harris (@harrisj) May 15, 2013
One idea I’ve wondered: even with Tor, you’re sending a lot of traffic to one IP address? Is there like a reverse bittorrent for upload?— Jacob Harris (@harrisj) May 15, 2013
@NewYorker DeadDrop is not open source until you open the puppet recipes. Please do that.— Jeff Larson (@thejefflarson) May 15, 2013
In addition to the Twitter commentary, we have emailed comments from Tigas, Stray, and Harris, which we’ll be publishing shortly in a follow-up post.
As people get a chance to spend some time with Strongbox, it seems that questions for further discussion are crystallizing around a few main areas:
- The technology itself: How secure is each step in the process? Where are the pain points? How can other news organizations implement the open-source DeadDrop?
- The people using it: How technically adept do people need to be to use Strongbox? What kind of training and documentation do people, both journalists and sources, need to use it appropriately? Are people willing to opt for slow and secure over quick and email?
- The use case: What problem is this solving? Are there other ways to solve that problem that may be less technically challenging? What related problems does this use case highlight that need to be addressed?
So, what do you think about Strongbox? Please, take the conversation to the comments. How can news organizations support this project? How can OpenNews help?
Co-Executive Director of OpenNews.