
Secure File Sharing for Journalists & Sources

Source protection is operational, not aspirational. A practical guide for journalists handling sensitive documents.

Updated May 18, 2026

Journalism increasingly involves files: leaked documents, recordings, screenshots, datasets. The conventional wisdom is "use SecureDrop," and for serious investigative work it remains the gold standard. But SecureDrop is heavy: it requires Tor, dedicated hardware, and an admin to maintain it. Most newsrooms can't justify it for every story.

For the gap between "casual email" and "full SecureDrop," Zippd fills a real niche.

What journalists need from file sharing

  • Source protection. The vendor must not be able to identify who sent what.
  • Confidentiality of contents. Documents that could harm sources if leaked must not be accessible to anyone but the journalist.
  • Operational simplicity. Sources are often nervous and non-technical. The flow must be foolproof.
  • Plausible deniability. No "you opened this link from this IP at this time" timestamps that map back to a source.

How Zippd handles each

Source protection

Anonymous uploads don't require an account, email, or any identifier. The only thing recorded is an HMAC of the IP address for rate limiting — not the IP itself. From our records alone, identifying a source is not possible. Combined with Tor (which we support), source identification becomes effectively impossible from network metadata.
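
An added sketch (not Zippd's code) of rate limiting keyed on an HMAC of the client IP, so that the stored record never contains the address. The window, upload limit, daily key replacement and all names are assumptions; the page does not describe them.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumed policy values; the page does not state them.
WINDOW_SECONDS = 3600   # rate-limit window
MAX_UPLOADS = 5         # uploads allowed per window
KEY_LIFETIME = 86400    # HMAC key replaced daily

class PseudonymousRateLimiter:
    """Counts uploads per HMAC(key, ip); the raw IP is never stored."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._key_born = None
        self._hits = defaultdict(list)  # token -> upload timestamps

    def _rotate_if_due(self, now):
        # Discarding the old key means old tokens can no longer be
        # recomputed, so counters from different key epochs are unlinkable.
        if self._key_born is None or now - self._key_born >= KEY_LIFETIME:
            self._key = secrets.token_bytes(32)
            self._key_born = now
            self._hits.clear()

    def token(self, ip):
        # A bare SHA-256 of an IPv4 address falls to trying all 2**32
        # inputs; the secret key blocks that for anyone without the key.
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()

    def allow(self, ip, now):
        self._rotate_if_due(now)
        tok = self.token(ip)
        recent = [t for t in self._hits[tok] if now - t < WINDOW_SECONDS]
        allowed = len(recent) < MAX_UPLOADS
        if allowed:
            recent.append(now)
        self._hits[tok] = recent
        return allowed

def demo():
    rl = PseudonymousRateLimiter()
    ip = "203.0.113.7"  # constructed sample address (documentation range)
    results = [rl.allow(ip, now=1000.0 + i) for i in range(6)]
    before = rl.token(ip)
    leaked = any(ip in key for key in rl._hits)
    rl.allow(ip, now=1000.0 + KEY_LIFETIME)  # key lifetime elapsed
    return results, leaked, before != rl.token(ip)
```

Whoever holds the current key can still recompute the token for a candidate address, so how the key is stored and destroyed matters as much as the hashing itself.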

Confidentiality of contents

Files are encrypted in the browser before upload. Our servers see only ciphertext. Even if Zippd is compromised, served with a legal demand, or shut down, the documents your source uploaded remain unreadable to anyone but you (the holder of the URL fragment with the decryption key).

Operational simplicity

The flow is identical to any other website. The source drags a file in. They click upload. They get a URL. They send it to you. Compare to SecureDrop, which requires:

  • Installing Tor Browser.
  • Navigating to a .onion address.
  • Memorizing or noting down a passphrase that identifies them across visits.
  • Understanding the multi-step verification flow.

For a nervous first-time source, the Zippd flow is simpler. For a hardened whistleblower with operational training, SecureDrop's stronger guarantees may be worth the friction.

Plausible deniability

Server logs retain hashed identifiers and rotate within 30 days. There is no long-term record tying an upload time to a specific recipient. The share URL itself can be exchanged through any channel.

Practical workflows

Onboarding a new source

If you're inviting tips publicly:

  1. Set up an article footer or social bio that includes:
    • A Signal contact (for conversation).
    • A pointer to "send documents securely via Zippd → zippd.io"
    • An optional ProtonMail address.
  2. For specific stories, ask sources to send the share URL through one of those channels.
  3. You decrypt by clicking the URL in your own browser.

For maximum source protection, suggest they:

  • Use Tor Browser when uploading.
  • Don't include the share URL in any service that ties to their identity (their personal Gmail, their work email, etc.).
  • Use a one-time anonymous email service or Signal to send the URL.

Receiving large document drops

A whistleblower with 5 GB of internal docs:

  • Anonymous upload supports 2 GB per file — they may need to split or register.
  • A registered anonymous-style account (a real-looking email address that isn't their actual identity) gets them to 20 GB per file.
  • Multiple files: each gets its own share URL.

After receipt

Download to an air-gapped machine if the documents are highly sensitive. Verify integrity (the GCM tag does basic tamper detection automatically). Move the originals to your archive workflow (encrypted external drive, etc.). Delete the Zippd link if you have the option, or let it expire — anonymous links die in 7 days.

Operational security tips for sources

When advising a source on how to share files:

  • Don't upload from a workplace network. Even with anonymous uploads and Tor, network-level metadata at the source's end can be observed.
  • Strip metadata from documents first. PDFs, Word docs, and image files often contain author info, GPS data, edit history. Use a tool like mat2 or exiftool to scrub.
  • Use a personal device on a public network if the documents are truly sensitive.
  • Don't reuse identifiers. Don't use a username you've used anywhere else for the email address (if registering).

When to use SecureDrop instead

Zippd is appropriate for most journalist-source workflows. SecureDrop is better when:

  • The source faces severe state-level adversaries (foreign intelligence, hostile regimes).
  • The newsroom can dedicate hardware and operational staff to running it.
  • The source-journalist relationship is multi-week and benefits from the persistent passphrase model.
  • You need formal "no logs ever" guarantees with an air-gapped server you control.

What Zippd cannot do for journalism

Honest limits:

  • We can't prevent your source from being identified by their own ISP if they don't use Tor.
  • We can't prevent the document itself from containing identifying metadata that points to its origin.
  • We can't stop a coerced reveal of the share URL after the fact.
  • We can't prevent your own machine from being compromised after you download.

Source protection is a full operational discipline. Zippd is one tool in that discipline, not the whole answer.

FAQ

Are uploads via Tor supported?

Yes. The web flow works on Tor Browser without modification.

Will Zippd cooperate with legal demands?

We comply with valid legal process for what we have, which is hashed IP + ciphertext. We cannot produce plaintext file contents because we don't have them. We retain access logs for 30 days only.

Should I tell sources to use Zippd or SecureDrop?

For most stories: Zippd plus Tor offers strong source protection with much lower friction. For state-actor adversaries: SecureDrop is the stronger choice if you have the operational capacity to run it.

Can I run my own Zippd?

Not officially supported. The architecture isn't proprietary — anyone can build a similar service. For now, the hosted version is the way to use it.

Set up a tip channel

Add zippd.io to your tip line. Sources can upload documents in 30 seconds. No account. No tracking they can't see.
