New app protects whistleblowers from mass surveillance

Cambridge researchers have introduced secure messaging technology that can protect whistleblowers from detection even under widespread government surveillance.
The Guardian has integrated the system into its mobile news app, creating what experts call the first tool to protect sources from discovery.
The technology, called CoverDrop, automatically generates decoy messages to create “air cover” for real communication between a whistleblower and a reporter. This approach addresses a critical vulnerability that has emerged since Edward Snowden’s revelations exposed global surveillance capabilities.
Going beyond traditional security measures
Unlike existing tools such as SecureDrop or encrypted messaging apps, CoverDrop hides inside news organizations' existing mobile apps. Every user becomes potential cover for a whistleblower, leaving an adversary unable to identify who actually sent sensitive information.
“This provides reasonable denial for whistleblowers,” said Professor Alastair Beresford of Cambridge's Department of Computer Science and Technology. “This is important in a universal world of surveillance as it becomes increasingly dangerous to become whistleblowers.”
The system creates digital “dead drops”: virtual locations where messages are left for journalists to retrieve later. These are just two features in a set of protections, even if they are caught or stolen.
Solve late reality
Development began after Edward Snowden’s 2013 revelations showed how intelligence agencies monitor global communications. Traditional reporting tools usually require downloading specialized software (such as the Tor Browser), which can flag users for monitoring.
“If you use Tor in the office and the leak comes from the office, you may expect trouble,” the researchers noted in their study.
CoverDrop solves this problem by embedding secure communications into applications people already use every day. The system maintains a constant flow of traffic, regularly sending encrypted messages whether or not any real communication is taking place.
Technological innovation
The technology combines several sophisticated security measures:
- All messages are padded to the same length, making real communication indistinguishable from decoys
- Two-layer encryption protects both message content and communication patterns
- Trusted Execution Environment (TEE) technology can prevent access even with physical access to the server
- No permanent storage: messages are processed in memory and deleted immediately
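
A minimal sketch of the fixed-length padding and constant-rate sending described above, added here as an illustration and not taken from CoverDrop's code. The frame size, header layout and all names are assumptions; in a real client every frame would be encrypted before leaving the device, so the type flag is never visible on the wire and every ciphertext has the same length.

```python
import os
import struct
from collections import deque

FRAME_LEN = 256                  # assumed frame size, not CoverDrop's real value
HEADER = struct.Struct(">BH")    # hypothetical header: 1-byte type + 2-byte length
REAL, DECOY = 1, 0
MAX_PAYLOAD = FRAME_LEN - HEADER.size

def build_frame(kind, payload=b""):
    """Return exactly FRAME_LEN bytes: header, payload, random filler."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for one frame")
    filler = os.urandom(MAX_PAYLOAD - len(payload))
    return HEADER.pack(kind, len(payload)) + payload + filler

def parse_frame(frame):
    """Receiver side, after decryption: payload bytes, or None for a decoy."""
    if len(frame) != FRAME_LEN:
        raise ValueError("unexpected frame length")
    kind, length = HEADER.unpack_from(frame)
    if kind not in (REAL, DECOY) or length > MAX_PAYLOAD:
        raise ValueError("malformed frame")
    if kind == DECOY:
        return None
    return frame[HEADER.size:HEADER.size + length]

class CoverSender:
    """Emits exactly one frame per tick, whether or not the user wrote anything."""

    def __init__(self):
        self.outbox = deque()

    def queue(self, text):
        data = text.encode("utf-8")
        if len(data) > MAX_PAYLOAD:   # reject when queued, not at send time
            raise ValueError("message too long")
        self.outbox.append(data)

    def tick(self):
        # Called on a fixed schedule: a real message if one is waiting,
        # otherwise a decoy of identical size.
        if self.outbox:
            return build_frame(REAL, self.outbox.popleft())
        return build_frame(DECOY)
```

Because the schedule and the frame size never depend on user activity, an observer of the encrypted traffic sees the same pattern from every installed copy of the app.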
Real-world tests show promise
Performance tests show that the system can process 833 messages per second in single-threaded operation and scale to 3 million messages per hour with multiple cores. Mobile app overhead remains small: less than 500 KB added to the app size and only 4.3 MB of monthly data usage.
Can this technology truly protect whistleblowers in an unprecedented era of surveillance? Early results suggest that it addresses key vulnerabilities that have compromised sources in recent high-profile cases.
“The free media performs an important function in a democratic country,” Beresford said. “It can provide a mechanism for individuals to hold powerful people and organizations accountable.”
Open-source approach
Researchers have made CoverDrop’s code publicly available to encourage adoption among news organizations around the world. This transparency allows security experts to audit the system while enabling other outlets to implement similar protections.
“All the cover code will be online and open source,” said Dr. Daniel Hugenroth of the University of Cambridge. “This transparency is critical to critical security software and allows others to review and improve it.”
The Guardian's implementation represents the first real-world deployment of the technology, but researchers hope other news organizations will follow suit.
Beyond initial contact
While CoverDrop focuses on secure initial communication between sources and journalists, it aims to complement existing tools rather than replace them altogether. For document sharing and longer conversations, sources usually transition to a platform like SecureDrop after initial contact.
The system addresses what researchers identified as the weakest link in the reporting chain: the critical moment when a potential source first connects with a journalist. Symposium meetings with UK news organizations revealed that this initial connection usually occurs through insecure channels such as regular email or phone calls.
“When a source sends a message, its confidentiality and integrity can be ensured through a secure messaging protocol on their smartphone,” Hugenroth said. “CoverDrop goes a step further and also protects the communication patterns between the source and journalists by providing cover with bait messages.”
The technology offers hope for key regulators in protecting democracy at a time when surveillance capabilities have expanded faster than legal protections for whistleblowers.