Skip to content

A first-timer’s guide to anonymously leaking information via SecureDrop

Ever wanted to leak something and remain entirely anonymous? Using SecureDrop is one of the safest methods - and it's not as difficult as you might think.

Ever wanted to leak something to the International Consortium of Investigative Journalists, and remain entirely anonymous? SecureDrop is one of the safest ways to send us information – but the process can seem intimidating.

So we commissioned our own, in-house first-timer to “leak” some information to ICIJ via SecureDrop, and document the experience.

Project manager (and SecureDrop novice) Fergus Shiel kindly volunteered to put the process to the test. We should note that, thanks to his observations, we plan on making a few changes to our instructions to help make it more accessible for users of all skill levels. Thanks, Fergus!

The Cooler movie poster
ICIJ’s Fergus Shiel fancies himself as The IT Cooler.

You’ve seen “The Cooler” right? Down on his luck Vegas guy deploys his innate ability to bring about misfortune to jinx gamblers.

Well, meet The IT Cooler. For there is no computer, printer or phone which I cannot jinx with my innate inability to log on, download, upload or any load, more or less.

So, let me be frank, being tasked, as a guinea pig, with uploading a document to ICIJ’s SecureDrop did not fill the chambers of my heart with sparkledust.

No, dear reader, I sallied forth with four heavy chambers in the center of my chest, certain in the knowledge that SecureDrop and I would never be BFFs. Never, ever.

Like the brave chroniclers of yore, however, I determined to be your guide in this my darkest hour, recording for humanity’s sake the steps that I took on my SecureDrop odyssey.

Step 1: Find the instructions

I go to Leak to Us at the top of ICIJ’s website, then click on How to Use SecureDrop. Woohoo, so far so good. Feelin’ cray, as Millennials might say.

Step 2: Read the instructions

Panic attack. Total brain spasm at seeing so many words in How-To Guide (HTG). Hoc non computato.

Step 3: Choose a secure browser/operating system

After breathing exercises, my calm restored, I read HTG.

HTG talks about “a new onion URL.” I have no idea what this is, but something tells me that it’s not a French soup.

Okay, got it! Google has revealed that there is a computer network called Tor which uses an onion as a symbol.

The Tor Browser
The Tor Browser allows internet browsers to obscure their online browsing from prying eyes.

Why the onion, pray tell Ms. Google? Because Tor encrypts and randomly bounces messages around relays – like the layers of said onion.

Next, HTG proffers two options: use Tor or Tails. For the sake of my personal amusement, I’d much prefer if it had said “Heads or Tails.”

Regardless, I opt for Tor, rather than Tails, by clicking on the highlighted link to the download page.

Step 4: Install the secure browser

Downloading Tor is impressively pain-free, taking about 30 seconds. I install it with a click. I don’t know yet about SecureDrop, but I already love The Onion.

Step 5: Go to ICIJ’s SecureDrop platform

Following instructions as if my very life depended upon them, I open the newly-installed Tor browser and navigate to the onion URL, i.e. copy the address that’s provided (http://lzpczap7l3zxu7zv.onion); paste it into Tor’s address bar and hit enter with a loud and self-satisfied ‘Voila!’:

ICIJ's SecureDrop

Step 6: Remember your code name

You may be familiar with Luther Stickell’s work as a hacker in the Mission Impossible films. Well, this is my Stickell moment.

Improbably, and to my own amazement, I have managed to get to the SecureDrop welcome page.

Now, all I have to do is to upload a document to ICIJ.

To most people, this would be a straightforward task.

For an IT Cooler, it is the equivalent of hacking the Kremlin.

First, I am given a seven word code name. The code name comes with this message:

Because we do not track users of our SecureDrop service, in future visits, using this code name will be the only way we have to communicate with you should we have questions or are interested in additional information. Unlike passwords, there is no way to retrieve a lost code name.

Frankly, my code name is not nearly as cool as I’d like, but I press on bravely, nevertheless.

Step 7: Send your file and message to ICIJ

You can submit any kind of file, a message, or both, to SecureDrop.

If you are already familiar with PGP encryption, you can optionally encrypt your files and messages with our public key before submission.

Fergus Shiel leaked this picture of a snowdrop to ICIJ.

Remarkably, I am familiar with PGP thanks to the immortal patience of ICIJ’s IT staff, but for the purpose of this exercise, I decide to live a little dangerously by doing without it, as files are encrypted as they are received by SecureDrop anyway.

So here goes. Wish me luck. I am about to upload an enigmatic winter scene to SecureDrop. A SnowDrop to SecureDrop, if you like.

I browse my files, choose the photo and hit submit.

Then I pray that it has uploaded, because SecureDrop doesn’t tell me if it has and, as previously confessed, this is far from my forte.

No, wait!! Ninety seconds later my Eureka moment comes in the form of a message certain to bring a tear to the eye of any IT Cooler. A message declaring:

Thank you for sending this information to us. Please check back later for replies.

Thus ends my odyssey in the sweet balm of unanticipated achievement. And verily I say unto you, if your humble servant can use SecureDrop, you can, too.

ICIJ is dedicated to ensuring all reports we publish are accurate. If you believe you have found an inaccuracy let us know.