CoverDrop: Blowing the Whistle Through a News App
The free press fulfills an important function in a democracy. It can provide individuals with a mechanism through which they can hold powerful people and organizations to account. A team at the University of Cambridge and The Guardian developed CoverDrop: a secure, anonymous, and usable method of establishing initial contact between journalists and sources embedded in a set of extensions to a typical news app.
The new white paper from June 2025 describes the design and implementation of CoverDrop—deployed to millions of users. It is based on the original research paper presented at PETS in 2022 by Ahmed, Vasile, Hugenroth, Beresford, and Anderson.
The CoverDrop system
Confidential
All messages between sources and journalists are end-to-end encrypted.
Ease-of-use
Included in the news reader app for every user: no technical wizardry needed.
Anonymous
Real messages hide among the cover traffic sent by all app users: CoverDrop protects metadata.
Plausible deniability
Sources can plausibly deny that they have used CoverDrop: even when asked to unlock the device.
Real world
The Guardian deployed CoverDrop to millions of news reader installations in 2025.
Research project
CoverDrop started as an academic project and remains an active research area at the University of Cambridge.
Questions and answers
These paragraphs address some frequently asked questions.
How CoverDrop works
CoverDrop employs end-to-end encryption (E2EE) between sources and journalists to protect the confidentiality of the message content. In addition, all users of the news app regularly send cover messages to the news organization to hide the communication patterns of sources. Finally, CoverDrop uses plausibly-deniable encryption to conceal any previous usage of CoverDrop, even against adversaries that capture the smartphone and ask the user to unlock it.
The first-contact problem comprises all challenges that a potential source faces when reaching out to a journalist for the first time. First-time sources typically do not have a detailed understanding of the technical landscape and hidden threats. Hence it is imperative that the means by which a source first makes contact is both very usable and as secure as possible: while it is easy to later downgrade to less secure alternatives, upgrading anonymity is difficult when there are already digital traces, for instance as a result of making initial contact via email.
CoverDrop only allows exchanging of short text messages. This ensures that the size of cover messages is small and therefore keeps the impact on data usage and battery life low. Not allowing attachments also prevents a wide range of potential security vulnerabilities and abuse vectors. Journalists can use CoverDrop to interactively guide sources towards appropriate secure ways to share documents, e.g., via physical mail or SecureDrop.
We have carefully designed the mobile app integration to minimize its impact on all users. The exchanged messages are very small (less than a 1 KiB) and we envision that the overall data overhead during a month is equivalent to viewing a single news story in the app. Likewise, cover traffic is scheduled so that it coincides with other network activity. These design decisions draw on our research paper on the energy impact of secure communication on smartphones.
End-to-end encrypted (E2EE) messaging apps like Signal and WhatsApp provide strong confidentiality of the message content. However, they do not hide communication patterns, such as who is communicating with whom and when. In addition, users cannot plausibly deny the existence of conversations if they are forced to unlock their smartphone. CoverDrop provides both strong metadata privacy, hiding who is communicating with whom and when, and plausible deniability, even where an adversary has physical access to the device and asks the user to unlock it.
The Tor network is a great tool for general anonymous communication. However, while Tor hides who is communicating with whom, it does not hide the fact that someone is using Tor at a given point in time. In some situations, being a Tor user can draw attention to a source. CoverDrop does not require the user to install specialist software, and provides plausible deniability as long as using the integrating news reader application is okay.
SecureDrop is a great tool for anonymously and securely exchanging documents and files. However, it requires users to install specialist software, and its design often means long response times. Also, using Tor can be a red flag in some situations. Hence, SecureDrop is not an ideal solution to the first-contact problem. We believe that CoverDrop and SecureDrop complement each other: sources can securely reach out via CoverDrop and then reporters can provide interactive help to sources if uploading documents via SecureDrop is the best next step.
CoverDrop's security model
CoverDrop assumes a strong adversary model where both the wider internet and cloud infrastructure cannot be trusted. Our approach protects against insider attacks at internet and cloud providers as well as interference by foreign state-level actors. The system is designed such that anonymity and confidentiality of messages is guaranteed as long as the on-premises services are operated securely and correctly.
Yes, we made CoverDrop's source code available in a GitHub repository. It includes the underlying cryptographic components, the mobile app modules, the backend services, and our detailed white paper. All components have been independently audited and the audit report is publicly available. At the moment, you have to trust the news organisation to competently operate the on-premises services, including the CoverNode.
CoverDrop is a specific-purpose anonymity network that does not allow communication between arbitrary users of the system. Instead, CoverDrop's architecture enforces that one side of the communication is always a trusted journalist. Therefore, CoverDrop prevents many kinds of unwanted and nefarious communication that cause concerns in other general-purpose anonymity networks. Our paper Choosing Your Friends: Shaping Ethical Use of Anonymity Networks discusses such design principles in more detail.
In its current design, CoverDrop's anonymity guarantees rely on the news organisation to operate the on-premises services securely and correctly. Similar to other apps, CoverDrop only provides limited protection on smartphones that are fully compromised by malware which can record screen content and user actions. We discuss more areas for future work in the white paper.
More about CoverDrop
The best place to start learning more about CoverDrop is our white paper, the information on this website, and the linked news articles (see below) and research articles.
This website features the CoverDrop research project and related work. It is maintained by the University of Cambridge's Department of Computer Science and Technology. For questions and enquiries, please reach-out to the contacts below.
Please use the following BibTeX entry as reference for the original academic CoverDrop published at PETS '22.
Please use the following BibTeX entry as reference for the implementation white paper.
@article{coverdrop2022pets,
author = {Ahmed-Rengers, Mansoor and Vasile, Diana A and Hugenroth, Daniel and Beresford, Alastair R and Anderson, Ross},
title = {Coverdrop: Blowing the whistle through a news app},
year = 2022,
journal = {Proceedings on Privacy Enhancing Technologies},
number = {2},
pages = {47--67},
doi = {10.2478/popets-2022-0035}
}
@techreport{coverdrop2025implementation,
author = {Hugenroth, Daniel and Cutler, Sam and Kendrick, Dominic and Savarese, Mario and Hunter-Green, Zeke and McMahon, Philip and Kalanaki, Marjan and Vasile, Diana A. and Bejasa-Dimmock, Sabina and Hoyland, Luke and Beresford, Alastair R.},
title = {{CoverDrop White Paper}},
year = 2025,
month = jun,
url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-999.pdf},
institution = {University of Cambridge, Computer Laboratory},
doi = {10.48456/tr-999},
number = {UCAM-CL-TR-999}
}
The launch of the Guardian's SecureMessaging feature was accompanied by announcements from the University of Cambridge, the Department of Computer Science and Technology, and The Guardian's editor-in-chief Katharine Viner.
Subsequently, it received coverage by other news outlets, including Nieman Lab, Press Gazette, and Forbes.
Contact and acknowledgements
The corresponding authors for the ongoing CoverDrop project research are Dr Daniel Hugenroth (dh623@cam.ac.uk) and Prof. Alastair Beresford (arb33@cam.ac.uk). We thank the Department of Computer Science at the University of Cambridge, The Guardian, Nokia Bell Labs, and the Open Technology Fund for their support.
