SecureDrop’s security model relies on a news organization maintaining infrastructure that can be subpoenaed, raided, or pressured. The nonprofit running it can be defunded. The server is a single point of failure that exists because someone decided to trust an institution. That trust might be well-placed today and misplaced tomorrow.

A different question: what if the protection came from the architecture itself, not from the policies of whoever runs the infrastructure?

No server to seize

GhostDrop is a prototype where every step is client-side. Upload a file. Scan for metadata. Strip it — pdf-lib for PDFs, Canvas redraw for images, ZIP/XML patching for Office documents. The stripping removes GPS coordinates, author fields, revision history, printer steganography dots. What leaves the browser is clean.

Encrypt with ECIES using the outlet’s secp256k1 public key — the encryption happens before anything touches the network. Push to the Logos Messaging gossip layer via LightPush — your IP never reaches the outlet because the gossip protocol routes through multiple relay nodes.
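The encrypt-before-network step, as an added example in Node.js (not GhostDrop's code). The page only specifies ECIES with a secp256k1 key; HKDF-SHA256, AES-256-GCM, the envelope layout and all function names here are assumptions.

```javascript
// Added illustration, not GhostDrop's code. KDF, cipher and envelope layout are assumptions.
const crypto = require('node:crypto');

const INFO = Buffer.from('example-ecies-v1'); // hypothetical domain-separation label

// Derive a one-time AES-256 key from the ECDH secret, salted with the ephemeral public key.
function deriveKey(shared, ephPub) {
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPub, INFO, 32));
}

// Source side: needs only the outlet's public key; a fresh key pair is used per message.
function eciesEncrypt(outletPub, plaintext) {
  const eph = crypto.createECDH('secp256k1');
  const ephPub = eph.generateKeys(null, 'compressed'); // 33 bytes
  const key = deriveKey(eph.computeSecret(outletPub), ephPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(ephPub); // authenticate the envelope header as well
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Envelope: ephemeral pubkey (33) | IV (12) | GCM tag (16) | ciphertext
  return Buffer.concat([ephPub, iv, cipher.getAuthTag(), ct]);
}

// Outlet side: recomputes the same secret from its private key and the ephemeral public key.
function eciesDecrypt(outletPriv, envelope) {
  if (envelope.length < 61) throw new Error('envelope too short');
  const ephPub = envelope.subarray(0, 33);
  const iv = envelope.subarray(33, 45);
  const tag = envelope.subarray(45, 61);
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(outletPriv);
  const key = deriveKey(ecdh.computeSecret(ephPub), ephPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(ephPub);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (tampering or wrong key).
  return Buffer.concat([decipher.update(envelope.subarray(61)), decipher.final()]);
}

// Constructed demo: a throwaway outlet key pair and a sample message.
const demoOutlet = crypto.createECDH('secp256k1');
const demoPub = demoOutlet.generateKeys(null, 'compressed');
const demoEnv = eciesEncrypt(demoPub, Buffer.from('constructed sample document'));
console.log(eciesDecrypt(demoOutlet.getPrivateKey(), demoEnv).toString());
```

Because the ephemeral key is generated per message, two encryptions of the same file produce unrelated envelopes, and the source holds nothing afterwards that could decrypt what was sent.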

The outlet receives via Filter subscription, decrypts, reviews, uploads to Logos Storage for permanent content-addressed replication, and anchors the document hash on Logos Blockchain as a tamper-evident proof. No step requires trust in a person, an organization, or an infrastructure provider. At least, that’s the design.

OpSec as design material

The built-in OpSec advisor checks six vectors. Tor Browser detection — are you routing through Tor? WebRTC leak scanning — STUN servers can reveal your real IP even behind a VPN. Browser fingerprint analysis. Device security warnings. Printer steganography alerts — color laser printers embed invisible tracking dots. Network timing correlation for non-Tor users.

The recommended setup for high-risk sources: boot Tails OS, connect to public WiFi away from your usual location, open GhostDrop in Tor Browser. The source is protected by architecture, not by policy. The architecture doesn’t require trusting anyone. Whether that’s actually sufficient remains an open question.

Static files, no operator

The entire application is static files. Build once, deploy anywhere. Logos Messaging connects to the public fleet automatically. Storage and blockchain degrade gracefully to mock mode until local nodes are connected. The platform is the protocol. The protocol has no owner.

This might be the most important design decision in the project. If there’s no server, there’s nothing to seize. If there’s no organization, there’s nothing to pressure. If there’s no identity, there’s nothing to leak. Whether a platform without an operator can also be a platform without accountability is the tension that hasn’t been resolved.
