SecureDrop

We’re sorry, this feature is currently unavailable. We’re working to restore it. Please try again later.

The Sydney Morning Herald

Subscribe

The Sydney Morning Herald

SecureDrop instructions

Share confidential information with our journalists without disclosing your identity.

What is SecureDrop?

SecureDrop is an open-source whistleblower platform backed by the Freedom of the Press Foundation. It allows media organisations to securely accept electronic documents and communicate with anonymous sources. We set up and maintain a physical SecureDrop server walled off from the rest of our network. Files are decrypted and viewed on a computer that is kept completely offline.

Using SecureDrop

On a computer that you are confident is not being monitored, download and install Tor browser from https://torproject.org/. Ideally, connect from a public WiFi network (such as a cafe) instead of using your home or work network. For maximum privacy, we also suggest you use an operating system that helps preserve your privacy and anonymity, such as Tails.

SecureDrop submission steps:

  1. Start the Tor browser. It can take a couple of minutes to connect.
  2. Copy and paste the URL http://cgr5cagv423wla55j55iefcav4nj4b6j5l7clgz2f4mutblspbk6mwqd.onion/ into the address bar. When the page loads, you will find further instructions on how to use SecureDrop. (Do not type this URL into a non-Tor Browser. It will not work and it will leave a record.)
  3. When you submit documents for the first time, you will receive a unique code name, which you need to keep secure. You will use this code name to check for responses from our journalists. If you lose or forget your code name you will be unable to read replies. If you want to communicate with a specific journalist please indicate this in your submission.

Our investigations team checks for submissions to SecureDrop regularly. If we want to contact you about the information you have submitted, we will leave a message for you in SecureDrop.

You can use SecureDrop to confidentially provide us with other contact information, but if you want to remain anonymous you should not supply any personally identifying information in your exchanges with our journalists.

For other contact methods and tips on anonymity, please see our news tips page.

SecureDrop privacy policy

Please read this privacy policy carefully. It explains what type of information SecureDrop does and does not collect, and why.

Collection of information from sources

  • We do not ask or require you to provide any personally identifying information when you submit materials through SecureDrop.
  • The system does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser.
  • The server will only store the date and time of the newest message sent from each source. Once you send a new message, the time and date of your previous message is automatically deleted.
  • Journalists decrypt and read each message offline. They are encouraged to delete messages from the server on a regular basis. The date and time of any message will be securely deleted from the server when the message is deleted.
  • Please keep in mind that the actual messages you send and receive through SecureDrop may include personally identifying information. For this reason, once you read a journalist’s message, we recommend you delete it. It will then be securely deleted from the file system.

Also, please note that when you submit certain types of files through SecureDrop, you may be sending us metadata associated with that file.

For example, if you submit a photo through SecureDrop in JPEG format, the file may include information about the date, time, and the GPS location of where it was taken, and the type of device used to take the photo. Similarly, if you submit a Word file (.doc or .docx) through SecureDrop, it may include the identity of the document’s author, the author’s operating system, GPS data about the author’s location, and the date and time when the document was created.

Our policy is to scrub metadata from the files we receive through SecureDrop before publication. If you do not want to send us metadata, please use the Metadata Anonymisation Toolkit to scrub the file before you submit it.

Collection of information about journalists’ use of SecureDrop

Nine collects information about journalists’ use of SecureDrop for security monitoring and to make sure the system works properly.

This information we collect about journalists includes details about the device, browser, and operating system journalists use when accessing the system, and the date and time of each session.

We retain these access logs for 14 days, and then delete them.

Data security

Nine works diligently to protect the identities of our sources and keep the information they give us confidential.

SecureDrop servers are under the physical control of Nine and do not share common elements of Nine’s other infrastructure.

However, no one can truly guarantee 100% security of any system. Like all software, SecureDrop may contain bugs. Ultimately, you use the SecureDrop service at your own risk.

Children under 13

The Children’s Online Privacy Protection Act restricts our ability to collect personal information from children under 13. This site is not directed to children 12 or younger.

Changes to this policy

We may revise this SecureDrop privacy policy from time to time. The most current version of our general privacy policy governs our collection and use of personal information and will always be here.