Inside Strongbox, the Hyper-Secure Inbox Built by Aaron Swartz

Just before he died, Aaron Swartz built a technology that let citizens securely and anonymously send tips and documents to journalists, without having to worry about leaving their digital fingerprints all over the web.

The resulting program, called Strongbox, just launched on the New Yorker. Think of it as a hyper-secure inbox. It protects whistleblowers from being tracked, and also journalists from being pressured by the government to reveal sources—since they themselves have no earthly idea.

The technology powering Strongbox is called DeadDrop—a free, open-source web application built by Swartz. It launched one month before he died.

The app's readme on github describes how it works:

In operation, every source is given a unique "codename." The codename lets the source establish a relationship with the news organization without revealing her real identity or resorting to e-mail. She can enter the code name on a future visit to read any messages sent back from the journalist -- "Thanks for the Roswell photos! Got any more?? -- or submit additional documents or messages under the same persistent, but anonymous, identifier.

Innovations to track and locate people online have progressed much faster than innovations to protect privacy and anonymity. (You don't have to stretch your imagination too far to think why.) A brilliant civic hacker, Swartz of course understood this. His interest in free information, privacy and anonymity led him to rely on Tor, highly-encrypted software originally sponsored by the Navy for hosting and viewing websites totally anonymously. Sometimes we call the area it opens up the Darknet.

Strongbox makes access to this area of the web easier than before. To submit documents to Strongbox, users first download and install software for Tor, then go to Strongbox at http://tnysbtbxsf356hiy.onion for further intructions. (To access Strongbox on mobile, you'll have to use the Guardian's Darknet browser Android app, Orweb. Happily, they've provided an interactive tutorial.)

In a 2008 blog post about a Tor hack, the Swartz shared his thoughts on the role of anonymous publishing in a free society:

In 1787, when America’s framers wanted to argue for its Constitution, they published their arguments (the Federalist Papers) anonymously. Whistleblowers have released everything from the Pentagon Papers to the Downing Street Memos. Anonymous speech is a First Amendment right.

And yet, on the supposedly Wild West frontier of the Internet, publishing anonymously is not so easy. Hosting providers require a name and credit card, which they have to hand over to the FBi at the drop of a National Security Letter. Free hosting sites zealously obey takedown requests and require publishers to reveal their identity if they want their stuff put back up (a tactic Scientologists have used). Luckily there are now services like Wikileaks, but they only publish a very narrow range of content.

But, talking with Virgil Griffith and others, I hit upon a new way of allowing for anonymous publishing. The amazing Tor project lets you use the Internet anonymously, by disguising your traffic thru a long series of relays. Less well-known is that it also allows for anonymous publishing, by running the system in reverse. Unfortunately, you need the Tor software to visit anonymously-published sites, but we realized there’s no reason this need be so.

So I dusted off some work I’d begun years and years ago and build a tor2web proxy. Now anyone with a web browser can visit an anonymous Tor URL like http://sexy36iscapohm7b.onion/ from any Web browser, without any special software, just by going to:

http://sexy36iscapohm7b.tor.theinfo.org/

Which means that publishing an anonymous website is now also fairly easy.

So it stands to reason that fellow hacktivist-turned-journalist Kevin Poulsen, the news editor at WIRED who oversaw that website's Wikileaks coverage, approached Swartz two years ago (at that point he was already a rising star on the web) with his secure submission project. Poulsen recalls in his New Yorker article that Swartz learned he was being indicted on federal charges while they were working on DeadDrop. “By December, 2012, Aaron’s code was stable, and a squishy launch date had been set,” he writes. “Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary."

Strongbox is the first use of the DeadDrop technology. (The magazine was chosen for the debut because of its history of investigative reporting.) Since WikiLeaks shut down in 2010 a few other publications have tried to build similar secure submission programs but were plagued by security and legal problems.

Seeing as the Justice Department just spied on the Associated Press and seized two months’ worth of phone records, it seems it’s high time one of them works. Let’s hope Strongbox does. As Swartz wrote, "Here's to anonymity—and more tools protecting it."

See also

[The FBI Is Coming for Your Gchats](http:// motherboard.vice.com/blog/the-fbi-is-coming-for-your-gchats)

The Motherboard Guide to Spy Kits

['Going Dark': What's So Wrong with the Government's Plan to Tap Our Internet](http://motherboardtv on Facebook motherboard.vice.com/blog/fbi-data-wiretap-trevor-timm-interview)

Assume Your Computer is Owned at All Times: A Chat with Cryptocat's Nadim Kobeissi