The Guardian has unveiled a groundbreaking tool, Secure Messaging, aimed at enhancing the protection of journalistic sources. This innovative platform not only prioritizes user-friendliness but also ensures that the very act of messaging remains concealed. By generating bait traffic through the regular activities of users on The Guardian’s mobile app, this open-source project provides robust plausible deniability, effectively safeguarding sources even in scenarios where their smartphones might be compromised or seized.
Innovative Technology for Secure Communication
The initiative is designed to empower whistleblowers to reach out to journalists with greater security, utilizing a confidential, open-source, and anonymous messaging technology known as CoverDrop. This technology is a collaborative effort between researchers at the University of Cambridge and software engineers at The Guardian. Katharine Viner, the editor-in-chief of The Guardian, elaborates on the uniqueness of this approach compared to conventional information-sharing platforms:
The technology behind Secure Messaging conceals the fact that messaging is taking place at all by making the communication indistinguishable from other data sent to and from the app by our millions of regular users. By using the Guardian app, other users are effectively providing “cover” and helping us to protect sources.
CoverDrop encompasses four primary components: a module integrated within the news organization’s standard mobile applications, an untrusted cloud-based API hosted on AWS for message distribution, a set of fortified on-premises services known as the CoverNode, and a desktop application utilized by journalists. Notably, the on-premises services are designed to prevent any incoming connections, employing a pull-based approach instead.
The CoverNode, developed as a Rust application, functions as a mix node, ensuring the anonymity of sources from both journalists and potential adversaries. It decrypts the outer layer of incoming messages to extract the recipient tag and ciphertext.
In the CoverDrop framework, every instance of The Guardian’s app exchanges small amounts of encrypted information with the organization’s servers. These messages consist of meaningless ciphertext, and the app pads all messages to a uniform length. This clever design makes all users of the mobile app appear as whistleblowers, thereby concealing the identities of those providing sensitive information. The Guardian has successfully rolled out this feature to millions of installations this year. The engineering team explains the process:
When a source writes a message for a journalist, their message plus that source’s automatically generated public key is encrypted using the public key of the journalist. That ciphertext is then swapped in for one of the routine cover messages. Both source and cover messages are encrypted in the same way, are the same length, and are sent at the same times. So from the perspective of a network observer they are indistinguishable.
Journalists can also respond to these messages, as they include the source’s public key. The storage vaults for messages on users’ apps are modified simultaneously, maintaining the same size and encryption method, ensuring that a device used for secure communication leaves no trace if seized, provided the decryption passphrase remains unknown.
The team has recently published a white paper detailing the design and implementation of this innovative system, which builds upon original research presented at PETS in 2022 by the University of Cambridge researchers.
While the user experience is designed to be straightforward for both end users and whistleblowers, this open-source solution also protects against adversaries attempting to ascertain whether an individual has been in contact with a journalist—an act that could raise suspicion. The University of Cambridge’s announcement notes that the development of CoverDrop was initiated in the years following Edward Snowden’s revelations regarding global surveillance programs.
In discussions on platforms like Hacker News, some users emphasize the importance of utilizing devices that are not linked to the source. Sam Cutler, a staff software engineer at The Guardian, responded to these concerns:
I would certainly recommend that readers not use a work phone (…) I should add that we do some basic detection devices that have been rooted or are in debug mode, and issue a warning to the user before they continue. I’d be interested in what we can do to detect MDM software, but I fear it might become a cat-and-mouse game, so it’s preferable that folks not use their work devices at all.
Currently, the platform does not support the sharing of photographs or documents, but plans are underway to incorporate handover mechanisms to SecureDrop, allowing for the linking of uploaded files with ongoing conversations. The source code for CoverDrop is accessible on GitHub under the Apache License 2.0.
About the Author
Renato Losio
Show moreShow less
