SecureDrop Privacy Policy

Written by Lucy Parsons Labs

March 26th, 2016

SecureDrop strives to create a more secure environment for whistleblowers to give information to journalists. It was installed at Lucy Parsons Labs with the help of the Freedom of the Press Foundation.

Please read this privacy policy carefully. It explains what information SecureDrop does and does not collect and why.

Collection of Information From Sources

  • We will never ask you to provide any personally identifying information when you submit materials through SecureDrop.

  • The system does not record your IP address, information about your browser, computer, or operating system. Furthermore, the SecureDrop pages do not embed third-party content or deliver persistent cookies to your browser.

  • Our server will only store the date and time of the newest message sent from each source. Once you send a new message, the date and time of your previous message is automatically deleted.

  • Journalists decrypt and read each message offline. They are encouraged to delete messages from the server on a regular basis. The date and time of any message will be securely deleted from the server when the message is deleted.

  • Please keep in mind that the actual messages you send and receive through SecureDrop may include personally identifying information. For this reason, once you read a journalist’s message, we recommend you delete it. It will then be securely deleted from the file system.

Also please note that when you submit certain types of files through SecureDrop, you may be sending us metadata associated with that file.

For example, if you submit a photo through SecureDrop in JPEG format, the file may include information about the date, time, and the GPS location of where it was taken, and the type of device used to take the photo. Similarly, if you submit a Word file (.doc or .docx) through SecureDrop, it may include the identity of the document’s author, the author’s operating system, GPS data about the author’s location, and the date and time when the document was created.

Our policy is to scrub metadata from the files we receive through SecureDrop before publication. If you don’t want to send us metadata, please use the Metadata Anonymization Toolkit to scrub the file before you submit it.

Collection of Information About Journalists’ Use of SecureDrop

Lucy Parsons Labs collects information about journalists’ use of SecureDrop for security monitoring and to make sure the system works properly. This information includes details about the device, browser, and operating system journalists use when accessing the system, and the date and time of each session.

We retain these access logs for seven days, and then delete them.

Data Security

Lucy Parsons Labs works diligently to protect the identities of our sources and keep the information they give us confidential.

SecureDrop servers are always under the physical control of Lucy Parsons Labs and are separated from other Lucy Parsons Labs infrastructure.

However, no one can guarantee 100% security of any system. Like all software, SecureDrop may contain bugs. Ultimately, you use the SecureDrop service at your own risk.

Please be aware that the LPL also maintains a Warrant Canary. Please pay careful attention to it.

Changes to This Policy

We may revise this Privacy Policy from time to time. The most current version of the policy will govern our collection and use of personal information and will always be at this link. If we make changes that we believe are major, we will prominently display a notice on our site after we we make those changes.

Contact

Lucy Parsons Labs welcomes questions, concerns, and feedback about this policy. If you have suggestions for us, feel free to let us know at info AT lucyparsonslabs DOT com. NEVER use this email address to contact us about a submission.