Type: Whistleblower submission platform
Access: Tor Browser required
Account required: No — codename system
Maintained by: Freedom of the Press Foundation
Used by: 70+ news organisations
Last verified: March 2026
Directory Onion Address
This address leads to the SecureDrop directory — a list of all participating news organisations with their individual .onion addresses. To submit to a specific newsroom, navigate to the directory and use that organisation’s unique address.
Clearnet directory: securedrop.org/directory
How It Works
For sources: Open Tor Browser, navigate to the organisation’s SecureDrop address, upload documents or write a message. No registration, no email, no account. You receive a randomly generated codename — written on paper, stored nowhere digital. Use it to return and read responses.
For journalists: Submissions are downloaded only to air-gapped computers with no internet connection. Documents never touch a networked machine until manually transferred. This isolation prevents malware in submitted files from phoning home.
What SecureDrop Protects Against
| Threat | Protected? | How |
|---|---|---|
| IP address exposure | ✅ | All traffic through Tor |
| ISP monitoring | ✅ | ISP sees Tor, not SecureDrop |
| Identity via account data | ✅ | No accounts — codename only |
| File metadata | ❌ | Must be stripped before uploading |
| Content identifying source | ❌ | Documents may contain identifying info |
Critical: Strip File Metadata Before Uploading
A Word document created on a work computer contains your name, organisation, editing timestamps and file path. A phone photo embeds GPS coordinates and device model. SecureDrop protects your network identity — it cannot protect you from metadata you leave in the files themselves.
Strip all metadata before uploading. Tools: MAT2 (built into Tails OS), ExifTool (Windows/Mac/Linux). Verify with ExifTool after stripping before the upload.
Common Questions
Is SecureDrop truly anonymous? At the network level, yes — IP is hidden, no account data exists. Metadata in files and identifying details in message content are your responsibility to manage.
What if my target organisation doesn’t use SecureDrop? Many smaller outlets use Signal or encrypted email instead. ProtonMail via .onion is a substantially better fallback than regular email — not as secure as SecureDrop but far better than nothing.