CoverDrop: Blowing the Whistle Through a News App

The free press fulfills an important function in a democracy. It can provide individuals with a mechanism through which they can hold powerful people and organizations to account. A team at the University of Cambridge and The Guardian developed CoverDrop: a secure, anonymous, and usable method of establishing initial contact between journalists and sources embedded in a set of extensions to a typical news app.


The CoverDrop system

Confidential

All messages between sources and journalists are end-to-end encrypted.

Ease-of-use

Included in the news reader app for every user: no technical wizardry needed.

Anonymous

Real messages hide among the cover traffic sent by all app users: CoverDrop protects metadata.

Plausible deniability

Sources can plausibly deny that they have used CoverDrop: even when asked to unlock the device.

Real world

The Guardian deployed CoverDrop to millions of news reader installations in 2025.

Research project

CoverDrop started as an academic project and remains an active research area at the University of Cambridge.

Questions and answers

These paragraphs address some frequently asked questions.

How CoverDrop works

CoverDrop employs end-to-end encryption (E2EE) between sources and journalists to protect the confidentiality of the message content. In addition, all users of the news app regularly send cover messages to the news organization to hide the communication patterns of sources. Finally, CoverDrop uses plausibly-deniable encryption to conceal any previous usage of CoverDrop, even against adversaries that capture the smartphone and ask the user to unlock it.
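A simplified model of the cover-traffic idea described above, added here as an illustration and not CoverDrop's own code or protocol: every app instance emits one fixed-size frame per sending slot, real if one is queued and cover otherwise, so an observer's record of timing and sizes is the same for a source and an ordinary reader. The 512-byte frame, the slot schedule, all names, and the one-time pad standing in for the real encryption are assumptions.

```python
import os
from collections import deque

FRAME_SIZE = 512   # assumed constant frame size (page: messages are under 1 KiB)
LEN_PREFIX = 2     # bytes that record the true payload length inside the frame

def pad(payload: bytes) -> bytes:
    """Length-prefix the payload and zero-fill to exactly FRAME_SIZE bytes."""
    if len(payload) > FRAME_SIZE - LEN_PREFIX:
        raise ValueError("text does not fit in one frame; shorten it")
    body = len(payload).to_bytes(LEN_PREFIX, "big") + payload
    return body + bytes(FRAME_SIZE - len(body))

def unpad(frame: bytes) -> bytes:
    """Recover the payload; in this model an empty result marks a cover frame."""
    size = int.from_bytes(frame[:LEN_PREFIX], "big")
    return frame[LEN_PREFIX:LEN_PREFIX + size]

def seal(frame: bytes):
    """Stand-in for the real E2EE layer: one-time pad with a fresh random key."""
    key = os.urandom(len(frame))
    return key, bytes(a ^ b for a, b in zip(frame, key))

def unseal(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of seal(), as the recipient holding the key would apply it."""
    return bytes(a ^ b for a, b in zip(ciphertext, key))

class Sender:
    """App-side queue: one frame leaves per slot, real if queued, else cover."""
    def __init__(self):
        self.outbox = deque()

    def queue(self, text: str) -> None:
        self.outbox.append(text.encode("utf-8"))

    def tick(self):
        # A real message takes the place of a cover frame; it never adds one.
        payload = self.outbox.popleft() if self.outbox else b""
        return seal(pad(payload))

def observer_view(sender: Sender, slots: int):
    """Metadata a network observer can record: (slot, ciphertext size)."""
    return [(slot, len(sender.tick()[1])) for slot in range(slots)]

if __name__ == "__main__":
    reader, source = Sender(), Sender()
    source.queue("constructed sample text")
    print(observer_view(reader, 4) == observer_view(source, 4))
```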

The first-contact problem comprises all challenges that a potential source faces when reaching out to a journalist for the first time. First-time sources typically do not have a detailed understanding of the technical landscape and hidden threats. Hence it is imperative that the means by which a source first makes contact is both very usable and as secure as possible: while it is easy to later downgrade to less secure alternatives, upgrading anonymity is difficult when there are already digital traces, for instance as a result of making initial contact via email.

CoverDrop only allows the exchange of short text messages. This ensures that the size of cover messages is small and therefore keeps the impact on data usage and battery life low. Not allowing attachments also prevents a wide range of potential security vulnerabilities and abuse vectors. Journalists can use CoverDrop to interactively guide sources towards appropriate secure ways to share documents, e.g., via physical mail or SecureDrop.

We have carefully designed the mobile app integration to minimize its impact on all users. The exchanged messages are very small (less than 1 KiB) and we envision that the overall data overhead during a month is equivalent to viewing a single news story in the app. Likewise, cover traffic is scheduled so that it coincides with other network activity. These design decisions draw on our research paper on the energy impact of secure communication on smartphones.

End-to-end encrypted (E2EE) messaging apps like Signal and WhatsApp provide strong confidentiality of the message content. However, they do not hide communication patterns, such as who is communicating with whom and when. In addition, users cannot plausibly deny the existence of conversations if they are forced to unlock their smartphone. CoverDrop provides both strong metadata privacy, hiding who is communicating with whom and when, and plausible deniability, even where an adversary has physical access to the device and asks the user to unlock it.

The Tor network is a great tool for general anonymous communication. However, while Tor hides who is communicating with whom, it does not hide the fact that someone is using Tor at a given point in time. In some situations, being a Tor user can draw attention to a source. CoverDrop does not require the user to install specialist software, and provides plausible deniability as long as using the integrating news reader application is okay.

SecureDrop is a great tool for anonymously and securely exchanging documents and files. However, it requires users to install specialist software, and its design often means long response times. Also, using Tor can be a red flag in some situations. Hence, SecureDrop is not an ideal solution to the first-contact problem. We believe that CoverDrop and SecureDrop complement each other: sources can securely reach out via CoverDrop and then reporters can provide interactive help to sources if uploading documents via SecureDrop is the best next step.

CoverDrop's security model

CoverDrop assumes a strong adversary model where both the wider internet and cloud infrastructure cannot be trusted. Our approach protects against insider attacks at internet and cloud providers as well as interference by foreign state-level actors. The system is designed such that anonymity and confidentiality of messages are guaranteed as long as the on-premises services are operated securely and correctly.

Yes, we made CoverDrop's source code available in a GitHub repository. It includes the underlying cryptographic components, the mobile app modules, the backend services, and our detailed white paper. All components have been independently audited and the audit report is publicly available. At the moment, you have to trust the news organisation to competently operate the on-premises services, including the CoverNode.

CoverDrop is a specific-purpose anonymity network that does not allow communication between arbitrary users of the system. Instead, CoverDrop's architecture enforces that one side of the communication is always a trusted journalist. Therefore, CoverDrop prevents many kinds of unwanted and nefarious communication that cause concerns in other general-purpose anonymity networks. Our paper "Choosing Your Friends: Shaping Ethical Use of Anonymity Networks" discusses such design principles in more detail.

In its current design, CoverDrop's anonymity guarantees rely on the news organisation to operate the on-premises services securely and correctly. Similar to other apps, CoverDrop only provides limited protection on smartphones that are fully compromised by malware which can record screen content and user actions. We discuss more areas for future work in the white paper.

More about CoverDrop

The best places to start learning more about CoverDrop are our white paper, the information on this website, and the linked news and research articles.

This website features the CoverDrop research project and related work. It is maintained by the University of Cambridge's Department of Computer Science and Technology. For questions and enquiries, please reach out to the contacts below.

Please use the following BibTeX entry as reference.
@techreport{coverdrop2025,
  author = {Hugenroth, Daniel and Cutler, Sam and Kendrick, Dominic and Savarese, Mario and Hunter-Green, Zeke and McMahon, Philip and Kalanaki, Marjan and Vasile, Diana A. and Bejasa-Dimmock, Sabina and Hoyland, Luke and Beresford, Alastair R.},
  title = {{CoverDrop} white paper},
  institution = {University of Cambridge},
  year = 2025,
  month = jun,
  url = {https://www.coverdrop.org/coverdrop_guardian_implementation_june_2025.pdf},
  number = {2025-06.v1}
}

Contact and acknowledgements

The corresponding authors for the ongoing CoverDrop project research are Dr Daniel Hugenroth (dh623@cam.ac.uk) and Prof. Alastair Beresford (arb33@cam.ac.uk). We thank the Department of Computer Science at the University of Cambridge, The Guardian, Nokia Bell Labs, and the Open Technology Fund for their support.
