Principles of a Tip Line Platform
A research-based way to evaluate whistleblower systems
Thanks to the good work of academic researchers across the globe, we have a data-driven way to evaluate the quality of whistleblower software. The papers we’ve looked to for this article include:
- Anonymous JavaScript Cryptography and Cover Traffic in Whistleblowing Applications by Joakim Uddholm, KTH Royal Institute of Technology
- A Simple and Robust End-to-End Encryption Architecture for Anonymous and Secure Whistleblowing by Hariharan Jayakrishnan and Murali Ritwik, Amrita School of Engineering
- CoverDrop: Blowing the Whistle Through A News App by Mansoor Ahmed-Rengers, Diana A. Vasile, Daniel Hugenroth, Alastair R. Beresford, and Ross Anderson
The authors list the characteristics of a good whistleblower submission system. They include:
- Usability of the Software
- Authenticity of the Receiver
- Plausible Deniability of the Whistleblower
- Availability of the System
- Anonymity of the Whistleblower
- Confidentiality and Integrity of the Disclosures
Usability of the Software
Managed Service
Usability is the linchpin of any good software system. No matter what your value proposition is — the most private, the most secure, or anything else — if your target audience cannot use the software, no amount of engineering genius will make a difference. As researcher Joakim Uddholm puts it:
“The system must be usable for both whistleblowers and journalists. Whistleblowers must be able to use the system without the protection features getting too much in the way, and journalists must be able to use the system without it interfering too much with their work routines.”
A key differentiator for Hush Line is that we’re a managed service, meaning you don’t have to host core infrastructure, operate dedicated networks, or hire specialists to start using the service. All a user needs to do to have an anonymous tip line is register an account.
By providing a centralized service, we significantly reduce the risk of user error, making the service more consistent, predictable, and trustworthy.
Email Delivery
Hush Line can deliver messages directly to your email inbox. Users may enter the SMTP settings of their preferred provider, Gmail or Riseup for example, and any message submitted to their tip line will be delivered to that email account. Letting users set it and forget it makes Hush Line effortless and fits it into the systems they already use. Keep in mind that a forwarded message is only as private as the mailbox it lands in: if the tip line owner has not added a PGP key, the mail provider can read it.
Clearnet and Tor Addresses
Hush Line is also available at both a Clearnet address and a Tor Onion address. This matters for users in places where Tor is blocked, or where merely having anonymizing software on a device could be incriminating, as in the case of Ola Bini in Ecuador.
Because Hush Line can be reached at a Clearnet address with the browser already on your phone, nothing about your device sets you apart from anyone else running the same stock browser.
Making PGP Easy
Before, using PGP meant adopting cumbersome workflows that stumped even the journalists at the heart of the Snowden disclosures. Journalist Glenn Greenwald didn’t have PGP set up and didn’t have the time to learn, so Snowden was unable to contact him securely. Even Snowden forgot to send his PGP key to journalists when he first contacted them.
Hush Line attempts to solve this problem through our integration of Mailvelope, an open-source browser extension for Chrome and Firefox that lets users create keys, encrypt and decrypt messages directly in their browser, and export their public PGP key. Once a tip line owner adds their PGP key to Hush Line, every message is end-to-end encrypted by default, and when a tip comes in they can read it inside the Hush Line app. For whistleblowers, this means they don’t need to do anything extra to send a secure, anonymous message.
Authenticity of the Receiver
Verification System
Hush Line has a verification system for journalists, organizations, activists, and other public figures. Verified accounts receive a special badge on their message submission page so that people submitting messages know they’re contacting the right person. To be verified, users must submit documentation proving their identity or their authorization to represent an organization.
Opt-In User Directory
Users may opt in to a public directory where others can find their address. The directory opens on a tab of verified users by default and is searchable, so a whistleblower can have confidence in the validity of an address.
Account Reporting
The verification system and the user directory are two ways to help ensure the authenticity of the receiver. To keep the platform healthy, we also let logged-in users report spam or abusive accounts. We address reported accounts promptly and decide on the best next step, whether deleting the account, sending a warning, or another appropriate measure.
Plausible Deniability of the Whistleblower
No Downloads
Hush Line is reachable at a Clearnet address, so a user doesn’t have to install any new software to send an anonymous message. To use a Tor-only tip line from a phone, by contrast, you first have to install Tor Browser or another Tor-capable browser, and that means signing in to the Apple App Store or Google Play with an account tied to an email address or phone number and possibly payment details, all of which is personally identifiable information. The installed app then becomes part of your device’s “fingerprint”. If you only have Robinhood, Tor Browser, Mastodon, Chrome, and Slack on your phone, the chance that anyone else has exactly that set is small; with 50 apps the combination is almost certainly unique to you. The more unique your fingerprint, the less realistic a claim of plausible deniability becomes.
One-Way Messaging
Most people fail to report information because they fear retaliation and the significant risks of whistleblowing. Hush Line is a one-way messenger explicitly designed to protect the individual submitting the message. If the person submitting a message feels comfortable enough to leave a contact method, they may; otherwise they can submit a message with no further involvement.
Account-Free for Whistleblowers
Someone submitting a message does not need to create an account to use the app. This crucial feature lets a whistleblower reduce the trail of information they leave behind: there are no credentials to find if there was never a username or password to save. And since Hush Line requires no special software, a message can be submitted from any phone or computer, from a public library or an internet cafe, for example.
Availability of the System
Centralized Services
By providing a centralized service, Hush Line is more reliably available, because only a single system has to be maintained and secured. Centralizing our services protects users by removing the burden of managing specialized infrastructure and following complex workflows, which, if done incorrectly, can have real-world consequences.
Decentralized systems help with censorship resistance (and Hush Line can also be self-hosted), but when there are tens, hundreds, or thousands of separate instances, all disconnected from each other, there is no way to ensure the quality of those systems. What other software is on the server? Is it updated? Which ports are open? Who has, or has had, access? What hardware are they using? It’s foolhardy to assume that everyone will follow best practices consistently.
An analogous example of the inherent risks of decentralization comes from the Mastodon network, a decentralized alternative to Twitter where anyone can run an instance. The database of Kolektiva.social, an instance tailored to anarchist users, was compromised. In 2023, the home of one of its administrators was raided over an unrelated matter, and the FBI seized an unencrypted backup of the database.
Anonymity of the Whistleblower
Leaking IP Addresses
To make Hush Line accessible to as many people as possible, the app is available at a publicly accessible URL, as you would expect from any web service. When a user connects over that Clearnet URL, however, their IP address reaches our server, and anything that records it is a potential leak.
To reduce that risk, we scrub IP addresses from our access logs. To remove the possibility of IP leaks in high-threat scenarios, we also deploy Hush Line as a Tor Onion service.
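Scrubbing IP addresses from an access log is simple to state but easy to get wrong: the client address can appear more than once in a line (behind a reverse proxy it also shows up in an X-Forwarded-For header), and IPv6 literals do not look like dotted quads. The following is an added example, not Hush Line’s own code, of a scrubber that validates each candidate token as an address before redacting it, run over constructed nginx-style log lines.

```python
import ipaddress
import re

# Candidate tokens are runs of hex digits, dots and colons. Each candidate is
# validated with ipaddress.ip_address() before redaction, so timestamps such
# as "13:55:36", status codes and versions like "HTTP/1.1" are left alone and
# only genuine IPv4/IPv6 literals are replaced.
_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{3,45}")
REDACTED = "-"  # the combined log format's conventional "no value" marker


def redact_token(token):
    """Return the token unchanged unless it parses as an IP address."""
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return token
    return REDACTED


def scrub_line(line):
    """Replace every IPv4/IPv6 literal anywhere in one access-log line,
    including addresses inside referrers or an X-Forwarded-For chain."""
    return _CANDIDATE.sub(lambda m: redact_token(m.group(0)), line)


def scrub_log(lines):
    return [scrub_line(line) for line in lines]


# Constructed sample lines in nginx/Apache "combined" format. The third line
# comes through a reverse proxy and carries the client chain in an added
# xff="..." field (a hypothetical log_format, not a standard one).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /submit_message/artvandelay HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [10/Oct/2023:13:55:37 +0000] "POST /submit_message/artvandelay HTTP/1.1" 302 0 "https://hushline.app/" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2023:13:55:38 +0000] "GET /directory HTTP/1.1" 200 2048 "-" "curl/8.0" xff="198.51.100.23, 10.0.0.5"',
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```

Note that scrubbing after the fact is a weaker guarantee than never recording the address: the IP was still in the web server’s memory and in any upstream proxy’s logs. The stricter configuration simply omits `$remote_addr` from nginx’s `log_format` (or `%h` from Apache’s `LogFormat`) so there is nothing to scrub.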
Tor Support
Tor is a network that anonymizes your internet browsing. It acts as a proxy, routing your request through a randomly chosen circuit of relays so that no single party sees both who is making the request and where it is going. Tor also offers Onion Services. An Onion service makes a website or application reachable through a special .onion address that is only available over the Tor network, for example with Tor Browser.
When you enter an address like hushline.app in a regular browser such as Chrome or Firefox, the browser first has to learn the IP address of the server behind that name. A long chain of services makes that possible, from your ISP’s resolver to the DNS servers and the server running the app, so that you can type something memorable like hushline.app instead of remembering and entering 64.23.155.36. And just as the browser needs the server’s IP address, the server needs your IP address to know where to send its reply.
Your IP address is essentially your customer ID with your internet service provider. All someone with the necessary authority needs to do is request the subscriber information for that IP, and your real identity is exposed.
Onion services defeat this kind of threat because they rely neither on public DNS nor on a public IP address for the server. Tor Browser is connected to the Tor anonymizing network, and so are the Onion services that live within it. When someone uses a .onion address, the request from the browser to the server and the reply back never leave the Tor network, so neither side ever learns the other’s IP address.
To access Hush Line’s information site using our Onion address, enter `http://w25rxxn62dgix7qdbw4ot37m2y4ty7kxfrinspw4ce7jzse7pb6rhaqd.onion/`, or to access the app’s Onion site, enter `http://ghj4vviaoccj4tj2r3ss52arbnchkfvs7uft4sgtrkuvdha5zjgo6yqd.onion` in Tor Browser.
Timing Correlation
To know that two people are talking to each other, you don’t need to know the contents of their messages if you have enough metadata about the conversation. One such way to reveal important context about who might be talking to each other is to learn when the messages were sent. If there’s a flurry of activity from two accounts — one after the other, repeatedly, pausing at similar times, being active at similar times— someone analyzing the logs might assume those accounts are talking to each other.
To address this, we do not timestamp stored messages or relate accounts to one another in any way, so an attacker with access to the server cannot link two messages on the platform. Because Hush Line is a one-way messenger, there is also no back-and-forth to correlate in the first place. The same care has to extend to other places where timing is recorded, such as web server access logs, which is one reason their retention matters.
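To make concrete what an analyst with timestamped activity could learn without reading a single message, here is an added example (not Hush Line code) that scores pairs of hypothetical accounts on constructed timestamps by how often one account’s activity is followed within a short window by the other’s. The account names, times and thresholds are all made up for the illustration.

```python
from itertools import combinations

# Constructed sample: submission times in seconds since midnight for four
# hypothetical accounts. "alice" and "bob" post in lockstep, about half a
# minute apart each time; "carol" and "dave" are unrelated to everyone.
EVENTS = {
    "alice": [100, 400, 700, 1000],
    "bob":   [130, 430, 740, 1030],
    "carol": [50, 2000, 5000],
    "dave":  [300, 1500, 3500, 6000],
}


def reply_fraction(a_times, b_times, window):
    """Fraction of events in a_times that are followed, within `window`
    seconds, by at least one event in b_times."""
    if not a_times:
        return 0.0
    b_sorted = sorted(b_times)
    hits = sum(1 for t in a_times if any(t < u <= t + window for u in b_sorted))
    return hits / len(a_times)


def correlated_pairs(events, window=60, threshold=0.75):
    """Ordered pairs (x, y, score) where y 'answers' x at least `threshold`
    of the time. With a few dozen events a high score is strong evidence of
    a conversation, even though no message content was examined."""
    found = []
    for a, b in combinations(events, 2):
        for x, y in ((a, b), (b, a)):
            score = reply_fraction(events[x], events[y], window)
            if score >= threshold:
                found.append((x, y, score))
    return found


if __name__ == "__main__":
    for x, y, score in correlated_pairs(EVENTS):
        print(f"{x} -> {y}: {score:.0%} of {x}'s posts answered within 60s")
```

The only input the analysis needs is a list of times per account. A server that stores messages without timestamps and never links a submission to a reply has no such list to hand over, which is the whole point of the design choice above; the analysis then has to fall back on whatever timing survives elsewhere, such as access logs.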
Confidentiality and Integrity of the Disclosures
Message Encryption
Hush Line uses PGP for message encryption, so the holder of the private key is the only one technically able to read a message. Messages are end-to-end encrypted in the submitter’s browser using OpenPGP.js, meaning our server never sees the decrypted contents. That encryption runs in JavaScript served by our site, so the guarantee rests on that code being honest; this is exactly the problem Uddholm’s paper on JavaScript cryptography in whistleblowing applications examines.
We are proactive about telling senders and receivers how important it is for the tip line owner to add a public PGP key, and we discourage sharing sensitive information if the receiver has not enabled encryption.
HTTPS
We use Let’s Encrypt for HTTPS certificates. When a site uses HTTPS, the browser and server speak TLS, which encrypts and authenticates the data in transit in both directions, so a network observer can neither read nor tamper with your activity on the app.
What such an observer does still see is the hostname: it appears in the DNS lookup and in the Server Name Indication (SNI) field of the TLS handshake. The path and query string travel inside the encrypted channel. So if a message submitter is on https://hushline.app/submit_message/artvandelay, the recipient remains unobservable, and the only thing visible to a network snoop is that the device connected to hushline.app.
Conclusion
There are many tip-line solutions on the market, and it can be intimidating to choose the right one for you. We hope this article gives you a data-driven way to evaluate the software that fits your needs.
Additional Research
- A Secure Submission System for Online Whistleblowing Platforms. Volker Roth, Benjamin Güldenring, Eleanor Rieffel, Sven Dietrich, Lars Ries. Freie Universität Berlin, FX Palo Alto Laboratory, Stevens Institute of Technology
- Anonymous Whistleblowing over Authenticated Channels. Thomas Agrikola, Geoffroy Couteau, Sven Maier. CNRS, IRIF, Université de Paris, France; Karlsruhe Institute of Technology, Karlsruhe, Germany
- Artifice: A Deniable Steganographic File System. Austen Barker, Staunton Sample, Yash Gupta, Anastasia McTaggart, Ethan L. Miller, Darrell D. E. Long. University of California, Santa Cruz
- Anatomy of a whistleblowing system, SecureDrop
Do you have any questions, comments, or feedback? Follow us on Mastodon at @scidsg@fosstodon.org.