Interview with CoverDrop author Dan

At the Privacy Enhancing Technologies Symposium 2022, also known as PETS, Kee sat down with Dan, one of the authors of the CoverDrop paper which proposes a secure method for initial contact between journalists and sources or whistleblowers. The interview has been transcribed below and lightly edited for readability. If you wish to view this interview in its entirety, you can watch the YouTube video embedded at the bottom of this article.

Kee: Hey guys, I’m here with Dan today who is part of the CoverDrop team. First of all, how many people worked on this paper with you? 

Dan: There were five of us in total, mostly because it took quite a long time, we started in 2018. 

Kee: Can you give us a brief rundown of the main concepts behind the paper.

Dan: The main idea is to build a tool which helps whistleblowers make initial contact with journalists. One of the biggest challenges with this is that technologies like TOR make you stand out, they’re a huge red flag. If somebody in a company blows the whistle on something and they’re the only one using TOR, it might not even be necessary to figure out who they talked to, they’ll already be in an uncomfortable position. So our idea was to embed CoverDrop within news reader apps, which already millions of people have installed. So we start with a large anonymity set, and we use the classic cover traffic and encrypted storage to give you very strong plausible deniability in the event that someone forces you to operate your device or confiscates it.

Kee: I understand you also did some interviews with journalists too, can you explain some of the findings from those? What were journalists telling you about communicating with their sources?

Dan: This is one of the reasons that it took us such a long time. For us it was really important that we didn’t build the technology and then try to find a problem and slap them together. What we had was two workshops, the first was exploratory that we did to generate ideas and the second to verify them. To your question some of the findings from that was that it’s often the case that often the sources and potential sources don’t know yet whether they’re going to provide information when they make first contact, and later as frustration grows they might decide to blow the whistle. The problem there is that they will usually start that conversation with the journalist on a more insecure channel, and then it’s really hard later to upgrade that, because you’ve already got the metadata of the initial contact. 

So what the journalists we spoke to were looking for was a way for people, even if they’re not sure if they want to be whistleblowers, to have an easy way to reach out, and it starts on the highest level. You can always downgrade your security and privacy in that regard, but not upgrade, and that’s why CoverDrop — even though it doesn’t allow for uploading documents or lots of large messages — it still allows high security on the initial contact, and then you can see where to go from there.

Kee: And how do you envision the process happening with an actual source? Say for example I had some documents I wanted to provide to a media organisation, how would I use CoverDrop?

Dan: So the process that we see is that you would reach out through CoverDrop and say something along the lines of “I have information on x and this is the reason I’m motivated to share it”. The next step will be on the journalist, and usually for them it’s really important to verify that the source is who they say they are, if they can trust them, if the documents they want to give are legitimate, but they also have a responsibility to keep the source safe.

So if they can they’ll probably meet in person so they can do a handover. If that isn’t possible they could instruct them to use SecureDrop to upload documents over TOR, probably in an internet cafe in a different town. Or go even more analogue and to prevent all the intricacies that are hard to understand for non-technical people and just ask for them to photocopy documents, go to the next town, and throw it in the mail.

Kee: In terms of deploying this in an actual media organisation, does there need to be some sort of physical infrastructure in place? How would an organisation go about implementing this?

 Dan: Basically there are two parts two it. The first is the CoverDrop library that is integrated into the news reader app. The second is the mix node that is at the news organisation. This node has one important job which is to sort out which messages are real and which are the cover traffic. It then collects them together, uploads them, and then the journalists can see which ones are intended for them and decrypt them. Compared to a normal mixnet where you have multiple mix nodes because you don’t want to trust any specific node operator, we can get away with only one here because the news organisation is assumed to be trustworthy. 

In our implementation we were a bit more detailed, because when you talk about certain regimes, they might just raid the news organisation buildings and try to take a snapshot of the service. So we employ a Trusted Execution Environment as an additional layer of defence. So the key which can sort which messages are real and which are cover traffic can’t be easily extracted.

Kee: I’m interested, with the enclave are you using Intel SGX?

Dan: Yeah, so everything in the CoverNode that is critical runs in the enclave. Which does mean that it is a kind of bottleneck.

Kee: Is that performance wise? Is there any tradeoff where with these news apps that are downloaded by millions of people and you’re having cover traffic be sent constantly, do you have performance numbers on how many messages you can handle on that node before it becomes an issue.

Dan: Yeah, so we took the download numbers from the Google Play store as rough indicators and we planned for one message per hour. What we found was that the maximum number of nodes needed is seven. Then you can handle the peaks quite well. The process isn’t super latency critical because we’re only sending one message per hour anyway, so you don’t need to over provision to lower the latency.

Kee: In terms of future directions for what you’re doing, what’s next for this project or other research directions?

Dan: There were a lot of points that came up, and of course there are always implementation challenges that arise. One of which for instance is if you run CoverDrop in a news app, then you run in the same process space as all the third party libraries in there. Which can potentially weaken your assumptions, because you don’t necessarily control all the source code there. And especially with news organisations which often link with advertisement libraries and collect lots of analytics. So you need to be careful about what you do there.

The other angle comes from the feedback we got from journalists, for instance spam is a big problem. People might want to harass journalists, send them spam, possibly even send them illegal materials to try to get them in trouble. In our initial design, it’s not incorporated, but you would want to have a front desk setup. Where you have one person who receives everything like a triage and then sends to the individual journalists. 

Kee: How is the deployment going, are your libraries being implemented, are they in the testing stages?

Dan: Our library as it is now is primarily an academic project. It works, it does all the operations, but it doesn’t necessarily bring the right engineering practices and standards that would allow you to actually bring this to millions of people. So our work first consists of revisiting the protocol and implementing the front desk system and a bunch of other stuff before we can go and implement things on a level that it can be used by organisations. It’s more of an engineering challenge than a research project from here.

Kee: Where can people go if they want to follow CoverDrop? 

Dan: First thing to do would be to read the paper. Our emails are in there, and we’re always super happy to chat, especially if you have ideas for future research or have any similar projects. We also have a GitHub and a twitter that you can follow.

Kee: Alright perfect, thanks so much for sitting down with us to talk about CoverDrop today.