Tor Source Protection Infrastructure for Newsrooms

Sources face identification through metadata analysis, traffic analysis, document fingerprinting, and insider threats. Traditional email and phone tiplines expose sources to government surveillance and corporate identification. Newsrooms operating in countries with press freedom challenges face additional legal risks. Tor addresses traffic and identity exposure but does not solve all threat vectors - a layered approach combining Tor, SecureDrop, operational security training, and legal protections is necessary. The first step is conducting a formal threat model assessment identifying likely adversaries, their capabilities, and the sensitivity of anticipated source disclosures.

SecureDrop is the standard open-source whistleblower submission system used by major news organizations. It runs as a Tor hidden service, meaning sources access it via .onion address and all submissions are encrypted. Deployment requires two separate servers: an Application Server handling submissions and an Admin Workstation running Tails OS. A VPS with sufficient RAM (4GB+) and storage handles the Application Server role. Network isolation is critical - the Application Server must not have any clearnet connectivity. All traffic routes through Tor. Configuration involves onion v3 address generation for the submission interface and admin access, Apache configuration behind Tor, and GPG encryption for received documents. The Freedom of the Press Foundation provides detailed deployment documentation and offers support for qualifying news organizations.

Not every newsroom can deploy SecureDrop. Lighter-weight alternatives include Signal (requires source to have Signal, exposes phone number to reporter), OnionShare (temporary .onion file drop, good for one-time document transfers), and self-hosted anonymous web forms running as hidden services. A simple anonymous tipline can be a hardened PHP or Python form running behind Nginx on a Tor-accessible VPS. Forms must strip metadata from uploads, avoid logging IP addresses, and encrypt submissions with a GPG key before storage. PGP-encrypted email via hidden Protonmail or Riseup addresses provides another layer. Multiple channels increase likelihood that sources can find a compatible method.

Documents received through Tor tiplines may contain steganographic tracking codes or unique formatting fingerprints inserted by organizations to identify leakers. Newsrooms must sanitize received documents before publication. Tools include MAT2 (Metadata Anonymisation Toolkit) for stripping metadata, Dangerzone for converting documents through a secure sandboxed environment, and PDF normalization to remove embedded scripts and tracking pixels. Text documents may contain zero-width characters or subtle formatting variations encoding a fingerprint. Expert analysis or comparison against multiple independently received copies helps identify tracked documents. Publishing redacted versions rather than originals reduces fingerprinting risk while preserving journalistic value.

Technical infrastructure is only one component. Source protection requires operational security training for all journalists accessing the tipline. Journalists must access the SecureDrop admin interface only from Tails OS on dedicated hardware. Communications about source identity must never cross unencrypted channels. Physical security of admin hardware prevents USB key extraction. Compartmentalization limits knowledge of source identity to minimum necessary staff. Legal preparation including shield law research, source privilege documentation, and pre-established relationships with press freedom organizations (EFF, RSF, CPJ) forms the non-technical layer. Regular security audits of the technical infrastructure detect configuration drift.