Whistleblowers now have a more secure way to contact journalists, thanks to a new messaging technology developed by researchers at the University of Cambridge and software engineers at the Guardian. The Guardian has integrated this Secure Messaging module into its mobile news app, providing a secure method for initial contact between journalists and sources.
The technology builds on CoverDrop, developed by Cambridge researchers, and offers numerous security features. The code is open source to encourage adoption by other news organizations. A key feature is the automatic generation of decoy messages to create 'air cover' for genuine communications, making it difficult for adversaries to detect communication between whistleblowers and journalists.
"This provides whistleblowers with plausible deniability," said Professor Alastair Beresford from Cambridge’s Department of Computer Science and Technology. Dr. Daniel Hugenroth, who co-led the development with Beresford, emphasized its importance in today's surveillance-heavy environment.
CoverDrop includes digital 'dead drops' where messages can be left for journalists to retrieve, protecting sources even if their smartphones are compromised. It encrypts outgoing messages using cryptography with digital security key pairs. This ensures that only the intended journalist can decode the messages.
The system addresses a need identified by media organizations for a secure yet user-friendly system for potential sources with sensitive information. "The Guardian is committed to public-interest journalism," said Luke Hoyland, product manager at The Guardian. He noted that whistleblowing is crucial for democracy and praised the collaboration with Cambridge in developing CoverDrop.
Research began with workshops involving UK news organizations to understand how sources initially contact them. Findings showed many used insecure or cumbersome platforms. Beresford highlighted that existing mobile news apps could offer a secure contact method.
Hugenroth added that CoverDrop enhances confidentiality through secure messaging protocols and protects communication patterns using decoy messages and uniform message lengths.
Users do not need specialist software that drains battery life or slows devices. The interface resembles typical messaging apps without leaving traces of usage on devices.
Beresford explained that even if an account is set up, the app's home screen will appear as though it hasn't been used, ensuring no evidence of prior use if stolen or under duress.
Development began after Edward Snowden's revelations about global surveillance programs highlighted risks for those exposing wrongdoing within organizations or governments.
CoverDrop was first presented at an international symposium in 2022 by Cambridge researchers including the late Professor Ross Anderson. The Guardian collaborated to develop CoverDrop from an academic prototype into practical technology.
"The free press fulfills an important function in democracy," said Beresford, expressing satisfaction that the Guardian adopted CoverDrop first to protect sources.
Hugenroth stated all CoverDrop code would be open source for transparency and improvement opportunities by others in investigative journalism fields.
A technical report on CoverDrop's architecture is available online.
___