SecureDrop: submitting documents anonymously to a newsroom
If you want to pass sensitive information to a journalist, email is not safe — even with PGP. Email leaves metadata: who sends to whom, when, via which server. If your email account is ever compromised or subpoenaed, that connection is visible.
SecureDrop solves this differently. It’s an open-source system built specifically for source protection — without email, without accounts, and routed through Tor so that even the newsroom doesn’t know who you are.
Who this guide is for
This guide is mainly for whistleblowers, sources, and journalists working with genuinely sensitive document submission.
It fits especially:
- sources who need to send documents to a newsroom without exposing a personal account
- journalists deciding whether SecureDrop is the right intake method for source contact
- readers in higher-risk or source-protection contexts where ordinary email is clearly not enough
For most readers, this is not a general-purpose communication tool. It is for anonymous document submission and source contact in specific high-stakes situations.
What you gain, and what it costs
If you use SecureDrop properly, you usually gain:
- much less linkability between you and the newsroom
- a stronger submission path than normal email, even encrypted email
- a workflow designed specifically for anonymous source contact
But it costs something:
- more preparation and more care around device security
- more friction than ordinary messaging
- the need to handle metadata and behavioural traces correctly yourself
For source protection this is a reasonable trade. It becomes overkill when the situation does not actually require anonymous submission or when a lower-friction secure channel would already be sufficient.
How SecureDrop works
SecureDrop runs on a server managed by the newsroom. The server is not reachable via the regular internet — only via the Tor network (.onion address).
The process for a source:
- Open Tor Browser
- Navigate to the newsroom’s .onion address
- Generate a codename (no name, no email, no account)
- Submit your message or document — encrypted, over Tor
- The newsroom reads your submission via their own isolated SecureDrop installation
- To reply or check progress: log in with your codename — not with personal credentials
The journalist receives your message but has no way to determine who you are unless you tell them.
What SecureDrop protects — and what it doesn’t
Protected:
- Your identity from the newsroom — they don’t know who you are
- Your identity from third parties who subpoena the server — there are no logs, no IP addresses stored
- The connection — Tor hides your IP from the server
- The content — documents are stored encrypted
Not protected:
- Metadata in documents you submit — remove it first (see metadata guide)
- Printer steganography if you submit printed documents (see metadata guide)
- What’s on your device — if your device is compromised, SecureDrop doesn’t help
- Patterns in your behaviour — if you log in every day at 9:03 from the same location, that’s traceable regardless of SecureDrop
Before you start: device security
SecureDrop is only as strong as the device you use it from.
Prefer:
- Tails OS — an operating system that you boot from USB, that leaves no traces on the computer, and that automatically routes traffic through Tor. This is the recommended method for high-risk situations.
- Otherwise: Tor Browser on a device you use only for this purpose, not connected to your regular accounts
Never use:
- Your work laptop or network
- A device that may already be compromised
- Your home connection, if your employer monitors your network — use a public network (library) via Tor instead
Finding SecureDrop
Not every newsroom has SecureDrop. Those that do publish their .onion address on their own website — often on a page like “tips” or “contact for sources”.
International news organisations with SecureDrop:
- The Guardian, The New York Times, Der Spiegel, Le Monde, BBC — see the SecureDrop directory for a current list
Verification: Always verify the .onion address through the newsroom’s official website — not via a search engine or third party. Fake SecureDrop addresses are a known attack vector.
Step by step: submitting a document
Step 1 — Remove metadata
Remove all metadata from documents before submitting. Use MAT2 or ExifTool. See the metadata guide.
Step 2 — Open Tor Browser
Download Tor Browser from torproject.org. Launch it on a clean device, preferably on a public network.
Step 3 — Navigate to the .onion address
Copy the .onion address from the newsroom’s website. Paste it into the Tor Browser address bar. Verify the address carefully.
Step 4 — Generate a codename
SecureDrop generates a series of random words as your temporary “account”. Write these down on paper — not digitally. This is the only way to log in later and read responses.
Step 5 — Submit your document
Upload the file or type a message. You can submit multiple files. The connection is encrypted.
Step 6 — Keep your codename safe
If you lose the codename, you lose access to your submission. Write it on paper and store it safely — not digitally, not in the cloud.
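The address check from the "Verification" note and Step 3, as an added example (not part of the original guide and not SecureDrop's own code). It assumes the newsroom uses a v3 onion address; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac

VERSION = b"\x03"  # version byte of a v3 onion service address

def _checksum(pubkey: bytes, version: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte service key as a v3 hostname (used to build the sample)."""
    raw = pubkey + _checksum(pubkey, VERSION) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def normalize(address: str) -> str:
    """Drop whitespace, scheme and path so only the hostname is compared."""
    return address.strip().lower().split("://", 1)[-1].split("/", 1)[0]

def is_well_formed_v3(address: str) -> bool:
    """56 base32 characters carrying a valid checksum and version byte."""
    host = normalize(address)
    label = host[:-len(".onion")]
    if not host.endswith(".onion") or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # non-base32 or non-ASCII look-alike characters
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and hmac.compare_digest(checksum, _checksum(pubkey, version))

def matches_published(pasted: str, published: str) -> bool:
    """A valid checksum only rules out copy errors; a fake address has one too.
    Trust comes solely from equality with the address on the official site."""
    a, b = normalize(pasted), normalize(published)
    return is_well_formed_v3(a) and is_well_formed_v3(b) and a == b

# Constructed sample values: these keys do not belong to any real service.
PUBLISHED = onion_from_pubkey(bytes(range(32)))
LOOKALIKE = onion_from_pubkey(bytes(range(1, 33)))  # well-formed, different key
TRUNCATED = PUBLISHED[1:]                           # first character lost in copying

if __name__ == "__main__":
    for pasted in ("http://" + PUBLISHED + "/", LOOKALIKE, TRUNCATED):
        print(pasted, "->", "match" if matches_published(pasted, PUBLISHED) else "DO NOT USE")
```

The look-alike passes the format check and still fails the comparison, which is why the reference address has to come from the newsroom's official website.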
For journalists: setting up SecureDrop
SecureDrop isn’t only for sources — as a journalist or editor you can also receive submissions via SecureDrop.
The Freedom of the Press Foundation offers support with installation. SecureDrop requires an isolated server and some technical knowledge — installation documentation is at docs.securedrop.org.
For most newsrooms without dedicated server experience, it’s advisable to work with someone who has Linux server administration experience, or to contact the Freedom of the Press Foundation via freedom.press.
Alternatives
SecureDrop is the standard for professional newsrooms. There are alternatives for situations where SecureDrop is unavailable:
- GlobaLeaks — similar system, also open-source, more configurable but less widely deployed
- Signal — secure for communication, but Signal knows your phone number. Use as a temporary measure while setting up a SecureDrop connection.
- Encrypted email (PGP) — better than unencrypted, but metadata remains visible. See the PGP guide.
Next step
Go further
- Removing metadata from documents — remove the most obvious deanonymising leak from your files before submitting
- PGP: encrypted email — alternative when the newsroom has no SecureDrop
Profiles
- Profile: journalist or activist — complete profile for journalists
Reviews
- Tails OS review — recommended OS for SecureDrop use