What is SecureDrop?
The Washington Post’s SecureDrop is a discreet way for readers to share messages and materials with our journalists. It offers greater security and anonymity than conventional e-mail and Web forms.
How do I use it?
SecureDrop relies on Tor, an application designed to encrypt your communications and obscure your computer’s IP address.
In order to use SecureDrop:
- Go to a place with a public Internet connection, one that you don't normally frequent.
- Download and install the Tor browser bundle from https://www.torproject.org/.
- Open the Tor browser and copy this url into the browser address bar:
- NEW! Now you can use our easier to remember secure URL: https://washingtonpost.securedrop.tor.onion
- But the old long URL and any bookmarks to it will still work: https://vfnmxpa6fo4jdpyq3yneqhglluweax2uclvxkytfpmpkp5rsl75ir5qd.onion
- From this url, you will be able to send messages and files to a secure dropbox that we will check periodically.
- You will be provided with a codename that you will use it to log in to check for replies from The Post.
Keep the codename you are provided safe and secure. We will not know your codename, and you should never share it with anyone. If you forget your codename, we will have no other way to contact you.
That doesn't look like the url I've seen before. Has something changed?
One of the things the Washington Post does to keep SecureDrop as secure as possible is to keep it up to date with the latest software from the Freedom of the Press Foundation. Recent updates have enabled the use of a stronger encryption protocol, which also requires this new (longer) url.
What steps are taken to protect my privacy and anonymity?
Nearly all digital communications can leave a trail. The Washington Post's SecureDrop is designed to minimize these digital trails using best practices, such as:
- limiting collection of information logged about your browser, computer or operating system;
- using Tor to encrypt and anonymize your communications with us;
- using HTTPS. You will notice a certificate bearing our name in your browser in a similar way as you would with other HTTPS websites;
- storing submissions in encrypted form on our systems;
- physically isolating SecureDrop from the rest of our network.
However, no system is 100 percent secure, and even with these measures, there might be a risk of someone discovering who you are or what you are sending. In addition to using SecureDrop, we recommend that you:
- use a secure computer to communicate with us - one that does not maintain enterprise software or malware that might be used to record your activities;
- use an operating system that helps preserve your privacy and anonymity, such as Tails;
- delete trails of communication that you store on your computer, such as copies of messages or your secure codename assigned when using the service;
- run any files you sent to us through a metadata-scrubbing tool to minimize the risk of unintentionally sending us information embedded in the documents, such as an author's name.
Other fine print:
The Washington Post works diligently to protect the identities of our sources and keep the information they give us confidential. We do not make any warranties as to SecureDrop; use of the system is on an "as is" basis, at your own risk.
Last updated: 03/10/2022