Making a Secure, Open-Source Digital Newsroom

Follow Jason on Twitter.

North Star Post was founded in 2015 following the collaboration of the core team on uncovering the FBI’s aerial surveillance program. The core team is split between Minneapolis and Phoenix, and all of us have varying day jobs / obligations that make meeting in person a challenge. Our newspaper covers surveillance, technology, and government accountability among other issues. We seek to keep our research, notes, and communications confidential.

We choose to use self-hosted applications and avoid cloud services for a number of reasons:
– Our budget is limited, so professional hosted services would rack up costs. Cheaper alternatives often involve (more) advertising and tracking.
– If we host our data with a third party, we have to be concerned with the third-party doctrine and interpretations of our reasonable expectation of privacy. Law enforcement might engage in secret or public seizures of our data that we might not be able to fight with our limited financial and legal resources, assuming we are ever made aware.
– Self-hosting means that authorities must serve us with warrants, and/or break into our facilities. It is far less likely that our notes can be seized without our knowledge.
– We are also able to ensure our security more directly and do not need to rely on the diligence of an outside party. There are countless ways that people and organizations can cut corners on security without end-users ever knowing.

We prefer to use Free, or at least Open Source, software when possible to avoid dependence on vendors. Open Source software is not perfect for security, but there is some room for outsiders to scrutinize code and development practices. We have a better idea of how far we can trust the security of a given application / platform when the source code, issue tracking, and email lists are open to the public.

Sandstorm is a critical part of our newsroom, because it allows us to collaborate with features similar to, if not better than, those most enterprises use. We’re able to try out new applications as they become available and choose the best for our needs with minimal effort. Sandstorm is quite robust and stable in our experience, despite the “alpha” label. The platform updates itself and stages updates for apps. SSL certificates are generated automatically and rotated weekly, if you use the Sandcats dynamic DNS service. We’re also able to use a single piece of hardware with a single OS behind a single IP address to deploy a fistful of apps almost instantly. There’s no need to manage conflicts with port numbers, configure databases, or symlink web directories.

We also rely on the Debian GNU/Linux operating system and its derivatives in various capacities.

Some of the components of our open source newsroom:

Real-time messaging:
Signal text messaging groups.

Email:
Tutanota

Collaboration:
Sandstorm.io
– Rocket.Chat – private chat & sharing.
– Etherpad – collaborative document editing.
– FileDrop – file sharing (images, documents).
– Draw.io – diagrams.
– WeKan – story beat & research tracking.
– TextEditor – quicker / lighter notes (Etherpad is kind of slow and feature heavy).
– Gogs – Git source control for reporting tools (we’d rather keep our research tools private until publication).

Group video conferencing:
meet.jit.si

Document review and publication:
DocumentCloud

Source communication:
GlobaLeaks – A Tor service document submission platform.

Research:
Tor, and TAILS – we prefer to research articles anonymously over the internet.
