Users
SecureDrop is a whistle-blowing submission system, uniquely designed to thwart the most capable of adversaries. The original team that designed SecureDrop (and today's maintainers) are aware that this design prohibits many organizations from adopting it. Other systems without SD's rigid hardening, such as GlobalLeaks, are reasonable alternatives. However, dozens of NGOs and media organizations still use and depend upon SecureDrop—so it is far from lacking in active users—and, its active users are assumed to be of a higher threat-profile (higher stakes in whistleblowing) than GlobalLeaks users.
Per the above: by design, SecureDrop is both exclusionary and specific. Yet within that specific subset of targeted users, we seek to be as inclusive and needs-meeting as possible.
For UX, the primary impact of that targeting means that folks in the Global South and folks vulnerable to individuals lacking social/financial power, or vulnerable to general social ills (versus a single powerful adversary), are not folks SecureDrop is built to serve. For the folks SD is built to serve, technology limitations that are a part of SD's hardening—such as no javascript for Sources—make usable design a challenge. But a worthy one, so dig in!
Why these limitations?
SecureDrop requires the Tor Network to safely operate anywhere—and it is not recommended to be adopted in countries that see fewer than 10,000 average daily users on the Tor network. That one factor alone, has SecureDrop rarely used in Global South newsrooms and NGOs. Likewise, in newsrooms or NGOs without the monetary resources to maintain their own server stack, a Linux and CLI-intensive maintenance experience, and either two laptops with 7 USB sticks or one very fancy Linux laptop—those folks are simply better served using the much easier to maintain GlobalLeaks system.
Why doesn't SD just lower its guard and make the technical compromises GlobalLeaks has? Because that would reduce its hardening, and make it easier for government intelligence agencies and Black Cube type private security firms, to either break into SecureDrop systems, or to find traces of SecureDrop access on other computers. SecureDrop was built specifically to protect folks seeking to expose the abusive governments, suppressors of democracy, and the Harvey Weinsteins or Kerr-Mcgee's of the world.
For personas themselves, we use examples of real-life whistle-blowers. Because SecureDrop's central system-design is around adversary capabilities, notable whistleblowers from history—folks with with specific capabilities, liabilities, tolerance for risks, and consequences of failure against their specific adversaries, and use needs—have been picked and prioritized.
Source users prioritized in SecureDrop development (ux + tech)
Whistleblowers are not a monolith. Ed Snowden and Karen Silkwood both faced very different adversaries, and had very different levels of comfort with and access to technology. While Karen was killed in 1974, her "persona" still holds true with helping us think about today's users; a single, factory-worker mom and union organizer, wanting to expose improprieties of her employer—a Fortune 1000 energy company (so: no, not a State level adversary, but a very powerful one—and one highly motivated to keep a whistleblower quiet). No college education, and the Karen Source persona of modern times would likely only have a light familiarity with consumer-friendly technology—and only what she'd need to manage her finances and keep in touch with her kids when they're at school or with friends. She was aware of her employer's motivation to keep her quiet, yet likely unaware of surveillance technologies available to them or the extent they'd be willing to go to silence her.
While FPF tends not to geek-out on non-State actors, private actors are still capable of death, injury, and gross reputational damage (see Black Cube + Harvey Weinstein); and that is more than likely a reality that mentally-stable whistleblowers feel far more existentially, than rationally. That matters. Likewise, a not-insignificant number of (likely) unstable individuals have been reported by customers to often make use of SecureDrop as their outlet to share what is urgent in their minds. User research to date has about ~80% of SecureDrop's use among customers, to be from these unstable folks.
For design choices made with SecureDrop, it's important to prioritize who we're shaping our product to serve: the Ed Snowdens, the Karen Silkwoods, the Frances Haugens—who? While SecureDrop's threat model has optimized the technology of SecureDrop for whistleblowers facing threats from State actors, the fear of private actors—rational or irrational—will likely have many folks still choosing SecureDrop when available, simply because "it's the safest." Likewise, are there design choices that could be made to help discourage or deter targeted individuals, folks reporting local news tips, or other unstable folks looking for an outlet?
The user profiles developed to date (below), factor in a number of data points to address all of these concerns.
- Whistleblowers from history
- Source User Profiles (below) PDF
- Source Persona: Karen
- Source Research Preso
- Position w/in power-structure their whistleblowing challenges
- Situational motivation for whistleblowing
- Risk tolerance
- Motivation for enduring that risk
- Technical capabilities
- Technical Public Servant
- Non-Technical Public Servant
- Non-management worker
- Industry Gatekeeper (management worker)
- Industry Underdog (small biz owner)
- Celebrity Sexual Assault Survivor
- Misdirected source
- Recent crime victim
- Targeted Individuals
- "Tinfoil Hat" source
- Social Justice Warriors
- Backstage User Profiles
- Journalists (persona tbd)
- Admins (persona tbd)
- Installer (persona tbd)
- Advocate (persona tbd)