The Guardian has recently released Secure Messaging, a highly secure and user-friendly tool designed to protect journalistic sources by concealing the very fact that messaging is occurring. The open source project achieves strong plausible deniability by generating bait traffic through the routine activity of existing users of The Guardian’s mobile app, safeguarding sources even if their smartphones are seized or compromised.
The goal of the media organization is to allow whistleblowers to contact journalists more securely, relying on a confidential, open source, and anonymous messaging technology, CoverDrop, co-developed by researchers at the University of Cambridge and software engineers at the Guardian. Katharine Viner, editor-in-chief of the Guardian, explains what makes the approach different from traditional information-sharing platforms and writes:
The technology behind Secure Messaging conceals the fact that messaging is taking place at all by making the communication indistinguishable from other data sent to and from the app by our millions of regular users. By using the Guardian app, other users are effectively providing “cover” and helping us to protect sources.
The CoverDrop system consists of four main components: a module within the news organization’s regular mobile apps, an untrusted cloud-based API deployed on AWS for message distribution, a set of hardened on-premises services (the CoverNode), and a desktop application used by journalists at the news organization. The on-premises services do not allow any incoming connections and instead use a pull-based approach.
Source: Guardian GitHub
The CoverNode is implemented as a Rust application and acts as a mix node to guarantee the anonymity of sources towards journalists and external adversaries. It decrypts the outer layer of all incoming messages to extract the included recipient tag and ciphertext.
In a CoverDrop implementation, every copy of the news organization’s app exchanges small quantities of encrypted information with that news organization’s servers. These messages contain meaningless ciphertext, and the app pads all messages to the same length, making all users of the mobile app appear to be whistleblowers and helping to conceal the true identity of those leaking sensitive information. The Guardian has already deployed the feature to millions of installations this year. As the engineering team explains:
When a source writes a message for a journalist, their message plus that source’s automatically generated public key is encrypted using the public key of the journalist. That ciphertext is then swapped in for one of the routine cover messages. Both source and cover messages are encrypted in the same way, are the same length, and are sent at the same times. So from the perspective of a network observer they are indistinguishable.
Journalists can also reply to these messages, as they include the source’s public key. Since the message storage vaults on users’ apps are modified at the same times, are the same size, and are encrypted in the same way regardless of whether they contain real messages, a device used for secure communication will show no evidence of such use if it is seized, provided the decryption passphrase is not known.
The team recently released a white paper describing the design and implementation, a design based on the original research paper presented at PETS in 2022 by University of Cambridge researchers.
While providing a simple UX to the end user and whistleblower, the open source solution protects against an adversary attempting to determine whether a given person is likely to have been in contact with a journalist, an act that can itself be a red flag. In the announcement by the University of Cambridge, the research team acknowledges that the development of CoverDrop began in the years following Edward Snowden’s leaks of classified documents revealing the existence of global surveillance programs.
On a popular Hacker News thread, some users still highlight the importance of using a device that isn’t tied to the source. Sam Cutler, staff software engineer at The Guardian, replies:
I would certainly recommend that readers not use a work phone (…) I should add that we do some basic detection devices that have been rooted or are in debug mode, and issue a warning to the user before they continue. I’d be interested in what we can do to detect MDM software, but I fear it might become a cat-and-mouse game, so it’s preferable that folks not use their work devices at all.
Currently, there is no functionality for sharing photographs or documents, but there are plans to include handover mechanisms to SecureDrop that will allow linking uploaded files with existing conversations. The source code of CoverDrop is available on GitHub under the Apache License 2.0.
