Whistleblowers can contact journalists more securely thanks to a new confidential and anonymous messaging technology co-developed by University of Cambridge researchers and software engineers at the Guardian.
The Guardian has launched Secure Messaging as a module within its mobile news app to provide a secure and usable method of establishing initial contact between journalists and sources.
It builds on a technology - CoverDrop -developed by Cambridge researchers and includes a wide range of security features. The code is available online and is open source, to encourage adoption by other news organisations.
The app automatically generates regular decoy messages to the Guardian to create 'air cover' for genuine messages, even when they are passing through the cloud, preventing an adversary from finding out if any communication between a whistleblower and a journalist is taking place.
"This provides whistleblowers with plausible deniability," said Professor Alastair Beresford from Cambridge's Department of Computer Science and Technology.
"That's important in a world of pervasive surveillance where it has become increasingly hazardous to be a whistleblower," said Cambridge's Dr Daniel Hugenroth, who co-led the development of CoverDrop with Beresford.
The technology also provides digital 'dead drops' - like virtual bins or park benches - where messages are left for journalists to retrieve. These are just two of a suite of functions that protect a source from discovery even if their smartphone is seized or stolen.
CoverDrop encrypts outgoing messages between the source and their named contact at the news organisation to ensure no other party can read their content. For this, it relies on cryptography using digital security key pairs consisting of a public and a secret key.
The source is given the public key that instructs the existing encryption technology on their smartphone to encrypt their messages to the Guardian. This key only works one way, so it can lock - but not unlock - their messages. The only person able to decode them is the whistleblower's named contact at the Guardian, who uses their secret key to retrieve and decode the messages left in the dead drop.
CoverDrop also pads all messages to the same length, making it harder for adversaries - whether acting on their own behalf or for an organisation or state - to distinguish real messages from decoy ones.
The system fulfils a need long identified by media organisations: providing a highly secure, yet easy-to-use, system for potential sources who want to contact them with sensitive information.
"The Guardian is committed to public-interest journalism," said Luke Hoyland, product manager for investigations and reporting at The Guardian. "Much of this is possible thanks to first-hand accounts from witnesses to wrongdoing. We believe whistleblowing is an important part of a functioning democracy and will always do our utmost to avoid putting sources at risk. So we're delighted to have worked with the University of Cambridge on turning their groundbreaking CoverDrop research into a reality."
The research began with workshops with UK news organisations to find out how potential sources first contacted them. The researchers learned that whistleblowers often reach out to them via platforms that are either insecure or hard to use.
Beresford said that when they started looking for a practical solution to this problem, "we realised that news organisations already run a widely available platform from which they can offer a secure, usable method of initial contact - their mobile news app."
"When sources send messages, their confidentiality and integrity can be assured through the secure messaging protocols on their smartphone," said Hugenroth. "CoverDrop goes one step further and also protects the communication patterns between sources and journalists by using decoy messages to provide cover and padding all messages to the same length."
Importantly, the researchers say, users of the new CoverDrop system won't need to install any specialist software that chews up large amounts of battery power or slows down their phones.
Its simple interface looks and works just like a typical messaging app. And there are no traces left on the device that the CoverDrop system has ever been used on that phone before.
"When you open the app," said Beresford, "even if you've already set up an account on it, the CoverDrop feature will look as though you haven't used it. Its home screen will only offer two prompts - 'Get started' or 'Check your message vault'. This is because if it's stolen, or a user is under duress, we don't want your phone to reveal to anyone that you've already used it."
The development of CoverDrop began in the years after the whistleblower Edward Snowden, a former US intelligence contractor, leaked classified documents revealing the existence of global surveillance programmes.
This showed, the researchers said, the mass surveillance infrastructure available to nation states, which has profound implications for those who wish to expose wrongdoing within companies, organisations, and government.
Work on CoverDrop was first unveiled at an international Symposium on Privacy-Enhancing Technologies in 2022 by the Cambridge researchers (who originally included the late Professor Ross Anderson, a leader in security engineering and privacy).
When they published their peer-reviewed paper on the research at the conference, it attracted interest from the Guardian which, in collaboration with the researchers, subsequently helped develop CoverDrop from an academic prototype into a fully usable technology.
"The free press fulfils an important function in a democracy," said Beresford. "It can provide individuals with a mechanism through which they can hold powerful people and organisations to account. We're delighted that the Guardian is the first media organisation to adopt CoverDrop and will use it to help protect their sources."
"All the CoverDrop code will be available online and open source," said Hugenroth. "This transparency is essential for security-critical software and allows others to audit and improve it. Open-sourcing the code also means that other news organisations, particularly those with expertise in investigative journalism, could also use it. We would be excited to see them do so."
References:
Mansoor Ahmed-Rengers et al. 'CoverDrop: Blowing the Whistle Through A News App.' Paper presented at the Privacy Enhancing Technologies Symposium. 12 July 2022, Sydney, Australia. DOI: 10.2478/popets-2022-0035
