securedrop-docs

Update and publish source best practice guide

Open runasand opened this issue 11 years ago • 13 comments

We have a source best practice guide that we really should update and publish somewhere.

runasand avatar Jul 25 '14 14:07 runasand

Maybe it might be wise to implement it in the repo somewhere. It might also be wise to implement it in securedrop itself.

peterclemenko avatar Jul 28 '14 03:07 peterclemenko

This is going to be included as a section on the new SecureDrop website, which is currently in development.

ageis avatar Jul 28 '14 16:07 ageis

Closing as the source guide is on GitHub and the website links to it.

ageis avatar Dec 07 '14 03:12 ageis

The source best practice guide is different than the how-to use SecureDrop for sources guide.

trevortimm avatar Dec 07 '14 03:12 trevortimm

Thanks @trevortimm, I forgot. What should we do - did you have lawyers review it yet?

ageis avatar Dec 07 '14 03:12 ageis

The Source Guide should be sufficient here: https://docs.securedrop.org/en/stable/source.html

conorsch avatar Aug 23 '16 10:08 conorsch

@conorsch Trevor was referring to a separate guide we were once working on which was more like "best practices for leaking information" rather than how to technically use the source interface. You may want to inquire about the status of that. (see Hackpad)

ageis avatar Aug 23 '16 10:08 ageis

This is a very important and worthwhile issue. We should remove all organization-specific content from this source operational security guide, remove the "how to use the source interface" part (since it's covered by the current Source Guide) and make any other necessary updates. At minimum, there should be a section with the "Do"s and "Don't"s distilled into a table at the top of the page for the benefit of sources who will not read a long guide.

Example dos and don'ts for this table include:

  • [ ] Do not search on Google for "SecureDrop"
  • [ ] Do not discuss your leaking with your friends and family
  • [ ] Do not leak documents from your employer's network
  • [ ] Do use Tor to access securedrop.org or any other sites related to leaking

We should be mindful of how this advice changes in the different locales SecureDrop is located in, as common investigation practices and legal protections obviously depend on the country.

This content should go on:

  • [ ] the securedrop.org website and docs (for sources that access securedrop.org via Tor, note that securedrop.org is being redesigned and a very large warning will appear for potential sources who are accessing SecureDrop through Tor)
  • [ ] at minimum the table should appear on news organizations' SecureDrop landing pages

redshiftzero avatar Sep 28 '17 19:09 redshiftzero

Does anyone have an archive of the content behind the link in @runasand's OG post? I'm just getting a dead Dropbox page. :(

ninavizz avatar Mar 07 '19 01:03 ninavizz

@ninavizz Yes, we made sure to archive the old hackpad contents before hackpad closed down. Will be able to dig up a URL for ya and send along!

conorsch avatar Mar 07 '19 01:03 conorsch

Still relevant but reducing priority given that some of this work has since been done.

  • Improvements have continued over the years on the Source Guide: https://docs.securedrop.org/en/stable/source.html
  • Cross-referencing the freedom.press guide which does cover some of this ground: https://freedom.press/news/sharing-sensitive-leaks-press/
  • We may want to prioritize information/guidance integrated directly into the Source Interface, e.g., regarding metadata redaction.

eloquence avatar Sep 11 '20 17:09 eloquence

See also the recap in freedomofpress/securedrop#4259 for additional background on historical materials that could be re-examined for this purpose. To make continued progress on this, we may want to identify some more tightly scoped targeted improvements. @martinshelton is working on some smaller tweaks in this PR: https://github.com/freedomofpress/securedrop-docs/pull/48

eloquence avatar Oct 20 '20 18:10 eloquence

Adding @martinshelton per expression of interest on internal channel, a few weeks ago.

Note to @eloquence: I don't feel this is appropriate to transfer from the SD repo, as this repo is specific to a single touchpoint (docs) and communicating with & guiding sources is a multi-touchpoint experience; with developer docs, not advisable as the primary point of information.

@conorsch wd also love to get that earlier mentioned doc Runa had been working on, shared here! @huertanix may know where it lives, too.

ninavizz avatar Dec 31 '20 03:12 ninavizz