SecureDrop protects sources by centralizing trust in a news organization’s infrastructure. That infrastructure can be subpoenaed, raided, or pressured. The nonprofit can be defunded. The server might be a single point of failure dressed up as security.
GhostDrop asks a different question: what if there’s no server?
The architecture
Every step is client-side. Upload the file. Scan for metadata. Strip it — pdf-lib rewrites PDFs, Canvas redraw eliminates EXIF from images, ZIP/XML patching cleans Office documents. The stripping removes GPS coordinates, author fields, revision history, printer steganography dots, ICC profiles, XMP streams. What leaves the browser is clean.
Encrypt with ECIES using the outlet’s secp256k1 public key. The encryption happens before anything touches the network. Push to the Logos Messaging gossip layer via LightPush — your IP never reaches the outlet directly because the gossip protocol routes through multiple relay nodes. Save the 12-word ephemeral claim key. Done.
The outlet receives via Filter subscription, decrypts, reviews, uploads to Logos Storage for permanent content-addressed replication, and anchors the document hash on Logos Blockchain as a tamper-evident proof. Readers fetch from storage, verify against the anchor. The chain of custody is cryptographic at every step. No step requires trust in a person, an organization, or an infrastructure provider. At least, that’s the theory.
OpSec as design
The built-in OpSec advisor checks six vectors. Tor Browser detection — are you routing through Tor, or is your IP visible to bootstrap peers? WebRTC leak scanning — STUN servers can reveal your real IP even behind a VPN. Browser fingerprint analysis. Device security warnings against submitting from managed work devices. Printer steganography alerts — color laser printers embed invisible tracking dots that identify the specific printer and timestamp. Network timing correlation for non-Tor users — an ISP can correlate submission timing with your connection activity.
The recommended setup for high-risk sources: boot Tails OS, connect to public WiFi away from your usual location, open GhostDrop in Tor Browser. All connections route through Tor automatically. The source is protected by architecture, not by policy. That’s the idea.
A back-channel worth noting
Sources poll the Logos Messaging Store for outlet replies. No persistent connection. No call-home. Anonymous tipping works through Logos Blockchain escrow — readers lock funds, claimable only by the source’s 12-word ephemeral key. The source can collect without revealing any identity at any point.
The entire application is static files. Build once, deploy anywhere. Logos Messaging connects to the public fleet automatically. Storage and blockchain degrade gracefully to mock mode until local nodes are connected. The platform is the protocol. The protocol has no owner. If it works.