Need: Since its 2013 launch SecureDrop has earned accolades for the protections it’s offered whistleblowers and journalists. It’s been adopted by major NGOs and newsrooms around the world to accept anonymous tips from sources, with best-in-breed security. Its user and maintenance experience has been a Rube Goldberg-esque burden for the high-risk humans dependent on it, though.
Response: In 2017 the SecureDrop team architected a radical simplification of the hardware required to support a journalist user’s experience, utilizing a virtualized Linux environment called Qubes OS. In 2018 the SecureDrop team hired me to work with them in shaping a new experience for journalists using SecureDrop within the Qubes hypervisor, since named the SecureDrop Workstation.
Unpacking who our end users are and what they need from SecureDrop—beyond not landing themselves or their sources in jail or at a morgue—was the jumping-off point into my first open source project.
“Free and Open Source” means that even The New York Times gets SecureDrop for free, and while a handful of newsrooms do pay for premium support, their few journalist users of SecureDrop are intentionally kept from contact with the Freedom of the Press Foundation (FPF) support engineers. Add to that the frenetic pace of most newsrooms, and recruiting for user research was a challenge from the start. Time is the most precious of all resources for journalists, it turns out, which is a whole other impact factor when felt viscerally by end users rather than by managers out to impress executives.
Early sketches and prototypes felt deceptively simple. It’s really just a communications client like Email, right? Not really.
Each SecureDrop instance has a single “Inbox” for all sources, so all SecureDrop journalist users within an organization (typically 1-5) share the same inbox and a single conversation thread with each source. Journalist users are also not corresponding with individuals going by real names—or even descriptive names of a human’s choosing.
All connectivity is done over the Tor network, which is notoriously slow and can be prone to outages. Automatically downloading large files would have been a performance bottleneck, and simple API/server-call tasks we take for granted with IMAP email can take several seconds. Clear communication about what is and is not encrypted, as well as the infrequent key-management tasks involving user and software keys, were also essential to get right.
The real star of the SecureDrop Workstation experience was expected to be how Qubes made it possible for users to open files in viewer apps within ephemeral virtual machines (or in Qubes nomenclature, “disposable VMs”). The green-framed window above is a disposable VM, whereas the white/blue gradient-framed window is a different VM dedicated to the SecureDrop app (it went into production with a plain yellow frame, to cut scope and per a later understanding of Qubes).
In reality, the Workstation’s ~2/3 reduction in time-on-task for journalist users, in addition to the experiential fluidity created by eliminating decryption as a manual step between 3 different devices, have both emerged as points of user praise that have buoyed the whole team. Four years is a long time to bring a project to market, especially for a team that is only 1-2 full-time and 3-5 part-time developers, with only one of those folks full-time on the Workstation project.
SDK gymnastics, inter-VM communication affordances, the tedious points of security, and the backend/frontend design choreography needed for a fluid UX over a slow connection (a Tor limitation) had the whole team learning together about what was and was not possible in the Qubes OS environment while getting the MVP built for its limited-pilot deployment.
A critical element of security is getting users to update their software without missing a beat. Because the unique threats faced by newsrooms and NGOs make timely updates a non-trivial hardening need, shaping the end user’s update experience emerged as an important priority. Because the Qubes OS updater could not be modified to cover third-party apps, we also ended up having to make our own updater client app.
COVID changed the features needed by our users. Teams no longer being co-located, and journalists no longer having easy access to an IT resource for sanitizing files they’d hand off on an encrypted Linux USB drive, emerged as an early pain point. In response, we created the “Export to VM” workflow shown above.
The video was captured from a UXPin prototype that also demonstrates how sanitization workflows could be built in for journalists to use on their own. Sharing videos from functionally rough prototypes turned out to be a lifesaving adaptation to my own workflow, with COVID limiting in-person team and user access.
This case study is in progress. Until it is completed, links to resources that will be peppered throughout the final text are bulleted below. Enjoy!
• Wiki (cough, currently messy) page on GitHub for this project
• My talk at the 2021 Qubes OS mini-summit (begins at the 29:40 mark) about work endeavored for/with Qubes that began with a few requests for SecureDrop. Following this talk is a joint talk between me and Qubes developer Marta Marczykowska-Górecka about our approach to a major new component for Qubes we worked on together.
• Article on the SecureDrop website, announcing the Workstation’s pilot launch… just in time for COVID. Yeah, that’ll be fun to write about.