SecureDrop at the Project On Government Oversight

The Project On Government Oversight’s SecureDrop server is a way for you to share information and files directly with POGO more securely than with conventional email, other electronic means, or a phone call. Those methods might be appropriate for communications that are not sensitive or confidential, but to protect you and the information you are providing, please be aware that certain steps, outlined below, must be followed.

SecureDrop is an open-source whistleblower submission system developed by the Freedom of the Press Foundation, and the information below is based on their guidelines for using SecureDrop.

To help protect your anonymity, our SecureDrop server is only accessible using the Tor Browser, a modified version of Firefox that allows you to navigate the web with increased anonymity. When you use SecureDrop, neither POGO nor any third parties will record your IP address or information about your browser, computer or operating system. You will be able to communicate directly back and forth with POGO without revealing your identity. SecureDrop does not provide perfect security. Your anonymity can be compromised if, among other things, you share your unique codename or if your computer is compromised.

In order to use SecureDrop:

  • Go to a place with a public internet connection, one that you don’t normally frequent. Leave behind your cell phone and any other devices with a wireless internet connection, and do not purchase anything using a credit card. Do not use a government or work computer to contact POGO.
  • Download and install the Tor Browser bundle from https://www.torproject.org/.
  • Open the Tor Browser, and copy this URL into the browser address bar: http://dqeasamlf3jld2kz.onion
  • From this URL, you will be able to send secure, encrypted messages and files to POGO. Please provide a brief but detailed description of the wrongdoing, the government agency involved, and whether you can provide any documents to support your statement.
  • You will be provided with a codename that you will use to log in to check for replies from us. You must periodically come back to SecureDrop to check if POGO has left you a message. This is the only way we can communicate with you. Whether you make it possible for POGO to communicate with you on a follow-up basis is your choice, but please be aware that if you do not, it may be difficult or impossible for us to investigate and corroborate your information.

How SecureDrop works:

Sources who wish to communicate directly with POGO through SecureDrop will be given a codename and any documents or messages they send will be encrypted by SecureDrop. This codename should be remembered so it can be used in the future to access SecureDrop, and it allows sources to develop a relationship with POGO. Each source is known to POGO by a different codename so as to preserve the source’s anonymity, even from POGO. Any documents that POGO receives will be encrypted and stored on an air-gapped computer that never connects to the internet. The SecureDrop servers are physically stored at POGO in a secure location and are separate from the servers that run the rest of POGO’s website.

SecureDrop does not promise 100% security

SecureDrop is significantly more secure than email or other electronic ways of contacting POGO, but no system is 100 percent secure. There are always risks to whistleblowing and exposing corruption.

Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not “gone public” and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor or grantee. The mental, emotional, and financial hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information – publicly or not.

POGO’s SecureDrop system is provided on an “as is” basis, with no warranties or representations, and any use of it is at the user’s own risk.

What POGO does not do

  • We do not deal with local and state issues unless federal money is involved.
  • We do not provide legal advice or representation. Moreover, we will not recommend a specific legal counsel.
  • We do not look at individual cases of fraud or waste unless they are directly representative of systemic or widespread problems in the federal government and/or its contractors.
  • We do not expose cases that cannot be verified or independently corroborated by government records or other sources.

POGO evaluates every lead we receive. However, because we are a small organization, we can only pursue the few tips that meet our internal guidelines and allow us to maximize our impact by performing the greatest public service. Thank you for understanding our intentions and limitations.

Learn more about SecureDrop.
Learn more about the Tor Browser.
